on Feb 23, 2017Article Content
| Article Number | 000034768 |
| Applies To | RSA Product Set: NetWitness Logs and Packets RSA Product/Service Type: NetWitness Logs and Packets RSA Version/Condition: 10.6.and above Product Description: NetWitness Logs and Packets |
| Issue | The snare logs being sent to the Virtual Log Collector come in as undefined or as a completely different device type. There is no issue with snare logs being sent directly to the log decoder. |
| Cause | It appears that the tabs in the snare logs are being identified as spaces. Winevent_snare now supports tab delimited logs with the latest parser. |
| Resolution | The fix is to remove the highlighted item on the Virtual Log Collector in question (please see screenshot). Note: If UDP is configured on Snare Source instead, then the changes on the syslog-udp need to be made. See below :  Then restart nwlogcollector service after making above changes. |