Decoder: Use Custom Parsers

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Oct 11, 2017
Version 6Show Document
  • View in full screen mode
 

RSA NetWitness Suite has the ability to upload parsers from your local system and delete these parsers. 

Upload Parsers to a Decoder or Log Decoder

The Upload option in the Service Config view > Parsers tab displays the Upload Parsers dialog, in which you can manage the uploading of parsers to a Decoder or Log Decoder. In the File list, you prepare a list of parsers for uploading. You can add files from a directory structure, and delete files from the list if you decide that you don't want to upload a particular file. When the list is ready, clicking Upload starts the upload process.

  1. Go to ADMIN > Services, select a service, and Actions menu > View > Config.
    The Config view for the selected service is displayed.
  2. Click the Parsers tab.
  3. Click The Feed Upload icon.
    The Upload Parsers dialog is displayed.
    This is an example of the Upload Parsers dialog.
  4. Click Add icon .  
    A file selection dialog is displayed.
  5. Select the .flex, .parser, and .lua files to be updated, and click Open.  
    The dialog closes, and the selected files are displayed in the File list.
    This is an example of the Upload Parsers dialog.
  6. Click Upload.
    The Upload Job grid shows the progress of the upload jobs with each job representing a file being uploaded.
    This is the Upload Parsers dialog.
  7. Use any of the Upload grid tools to manage the upload of selected jobs: pause and resume, cancel, and delete.
    Once a job is complete, it is deployed on the Decoder and listed with the deployed parsers in Parsers tab.

Manage Upload Jobs

You can use any of the Upload grid tools to manage the upload of selected jobs: pause, resume, cancel, and delete.

  • To cancel uploading a set of parsers while the upload is in queue or progress, click The cancel icon.
  • To pause uploading a set of parsers, if the upload is not yet complete, click Pause icon.
  • To resume uploading a set of parsers after a pause, click Resume icon.
  • To delete an upload job, click The delete icon.

Delete Deployed Parsers

The Delete option in the Service Config view > Parsers tab provides a way to delete deployed parsers from a Decoder or Log Decoder. Parsers can be added and removed while a Decoder is running without affecting capture.

Note: Unless otherwise stated, any reference to Decoders applies to Log Decoders as well.

To delete a parser from a Decoder:

  1. Go to ADMIN > Services, elect a service, and Actions menu > View > Config.
    The Services Config view for the selected service is displayed.
  2. Click the Parsers tab.

  3. In the Parsers tab, select one or more parsers to delete.
  4. Click The delete icon.
    A dialog requests confirmation that you want to delete the parsers.
  5. If you want to delete the parsers, click Yes.
    The parsers are removed from the Decoder immediately.
You are here
Table of Contents > Configure Feeds and Parsers > Use Custom Parsers

Attachments

    Outcomes