Decoder: Enable and Disable Parsers and Log Parsers

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017.
Version 6
 

Administrators can see which parsers have been downloaded from Live and deployed on a Decoder or Log Decoder, see which of these have been enabled, and enable or disable parsers and log parsers.

The following figure illustrates commonly used settings on a Decoder. For a quick basic setup with only the required steps, see Decoder and Log Decoder Quick Setup.

Figure: Decoder configuration workflow, with Enable and Disable Parsers highlighted

You should only download and deploy the parsers you need for the following reasons:

  • There is an impact on performance as you increase the number of deployed parsers.
  • The more parsers you deploy, the more metadata is created, which impacts data retention.
  • Not having extra (unnecessary) log parsers deployed reduces the potential for misidentification of messages.

The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates. These are the options in the Parsers Configuration panel.

                       
OptionDescription
Enable All
Disable All
These options provide a way to quickly select either all parsers or no parsers.
Name The names of parsers available to the Decoder. A plus sign indicates that the metadata generated by the parser is configurable. Clicking the plus sign displays the metadata that the parser can create.
Config Value A drop-down list changes the setting for the parser or metadata to Enabled, Disabled, or Transient.
  • When Enabled, the Decoder is using the parser to filter traffic.
  • When Transient, the Decoder is using the parser to filter traffic, and the generated metadata is not stored on disk. The transient metadata is available in memory to additional content (that is, parsers, feeds, and application rules) on that Decoder. This helps administrators to protect certain data and is usually done as part of a data privacy plan (see the Data Privacy Management Guide).
  • When Disabled, the Decoder is not using the parser.
If the generated metadata for the parser is configurable, clicking the plus sign to expand the parser displays configurable meta keys and the same drop-down list selects the meta key the parser will create.

Note: For a Log Decoder, you must have previously deployed log parsers from Live. See the Find and Deploy Live Resources topic in the Live Services Management Guide for details. Go to the Master Table of Contents for Version 11.0 to find NetWitness Suite 11.0 documents.

To enable or disable a parser, or to view the status for each parser:

  1. Go to ADMIN > Services.
  2. In the Administration Services view, select a Log Decoder or a Decoder, and select the actions menu > View > Config.
  3. In the Parsers Configuration panel, look for the Decoder parser or the Log Decoder event source parser.
    This is an example of the Parsers Configuration section with a Config Value drop-down open.
  4. In the Config Value column, note the current status for your parser.

You can update the status of any individual parser by selecting its Config Value and selecting Disabled, Transient, or Enabled from the drop-down menu. Alternatively, you can select Enable All or Disable All to update the status for all of your log parsers at once.

  5. Click Apply.

When you click Apply, note that all parsers are reloaded into NetWitness Suite. The status for each parser is updated, based on your selections.
