Decoder: Step 3. Enable and Disable Log Parsers

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Sep 25, 2017.
Version 2
  

This topic tells administrators how to enable or disable log parsers on a Log Decoder.

Use this procedure to see which log parsers have been downloaded and deployed from Live, and which of these are enabled.

Download and deploy only the parsers you need, for the following reasons:

  • There is an impact on performance as you increase the number of deployed parsers.
  • The more parsers you deploy, the more meta is created, which impacts data retention.
  • Not having extra (unnecessary) log parsers deployed reduces the potential for misidentification of messages.

Prerequisites

You must have previously deployed log parsers from Live. See the Find and Deploy Live Resources topic in Live Services Management for details.

Procedure

To enable or disable an event source parser, or to view the status for each parser:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > Config.
  3. In the Service Parsers Configuration panel, search for your event source.
  4. In the Config Value column, note the current status for your parser.
    • If the parser is already selected, it is enabled.
    • If the parser is not selected, it is currently disabled.

You can toggle the value for any individual log parser. Alternatively, you can select Enable All or Disable All to update the status for all of your log parsers at once.

  5. Click Apply.

Note that when you click Apply, all parsers are reloaded into Security Analytics.

Result

The status for each log parser is updated, based on your selections.
