Decoder: Use Custom Parsers

Document created by RSA Information Design and Development on Mar 22, 2017Last modified by RSA Information Design and Development on Sep 25, 2017
Version 3Show Document
  • View in full screen mode
  

This topic provides instructions for using custom parsers in RSA Security Analytics.

RSA Security Analytics has the ability to upload parsers from your local system and delete these parsers. 

Procedures

Upload Parsers to a Decoder or Log Decoder

The Upload option in the Service Config view > Parsers tab displays the Upload Parsers dialog, in which you can manage the uploading of parsers to a Decoder or Log Decoder. In the File grid, you prepare a list of parsers for uploading. You can add files from a directory structure, and delete files from the grid if you decide that you don't want to upload a particular file. When the list is ready, clicking Upload starts the upload process.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and Actions menu cropped > View > Config.
    The Config view for the selected service is displayed.
  3. Click the Parsers tab.
  4. Click IconFeedUpload.png.
    The Upload Parsers dialog is displayed.
    104UploadParsers.png
  5. Click Icon-Add.png .  
    A file selection dialog is displayed.
  6. Select the .flex, .parser, and .lua files to be updated, and click Open.  
    The dialog closes, and the selected files are displayed in the File grid.
    104UplParsAddedFile.png
  7. Click Upload.
    The Upload Job grid shows the progress of the upload jobs with each job representing a file being uploaded.
    104UplParsUplFile.png
  8. Use any of the Upload grid tools to manage the upload of selected jobs: pause and resume, cancel, and delete.
    Once a job is complete, it is deployed on the Decoder and listed with the deployed parsers in Parsers tab.

Manage Upload Jobs

You can use any of the Upload grid tools to manage the upload of selected jobs: pause, resume, cancel, and delete.

  • To cancel uploading a set of parsers while the upload is in queue or progress, click Icon-Cancel.png.
  • To pause uploading a set of parsers, if the upload is not yet complete, click Icon-Pause.png.
  • To resume uploading a set of parsers after a pause, click Icon-Resume.png.
  • To delete an upload job, click ic-del2.png.

Delete Deployed Parsers

The Delete option in the Service Config view > Parsers tab provides a way to delete deployed parsers from a Decoder or Log Decoder. Parsers can be added and removed while a Decoder is running without affecting capture.

Note: Unless otherwise stated, any reference to Decoders applies to Log Decoders as well.

To delete a parser from a Decoder:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and Actions menu cropped > View > Config.
    The Services Config view for the selected service is displayed.
  3. Click the Parsers tab.
    SrvCfgParsTb.png
  4. In the Parsers tab, select one or more parsers to delete.
  5. Click 104DeleteIcon.png.
    A dialog requests confirmation that you want to delete the parsers.
  6. If you want to delete the parsers, click Yes.
    The parsers are removed from the Decoder immediately.
Previous Topic:Edit a Custom Feed
You are here
Table of Contents > Additional Procedures > Configure Feeds and Parsers > Use Custom Parsers

Attachments

    Outcomes