Applies To
RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Log Decoder, Log Collector
RSA Version/Condition: 10.6.4.0
Issue
After upgrading the RSA Security Analytics environment to 10.6.4.0, logs are no longer parsed by the custom parsers.
In Investigation, sessions appear with device.type set to the default parser name instead of the custom one.
For example, device.type appears as mcafeewg even though the custom_mcafeewg parser is enabled.
The Log Decoder's Config page shows the custom parsers as enabled while the default parsers are disabled or have been removed entirely.
Checking the /etc/netwitness/ng/envision/etc/devices folder also confirms that the custom parsers are in the correct folders.
Cause
In 10.6.4, when logs are collected through File collection (typespec files), the parser name is embedded in the typespec file, which is found under /etc/netwitness/ng/logcollection/content/collection/file.
The example below is from the /etc/netwitness/ng/logcollection/content/collection/file/webgateway.xml file.
The device.type value comes from this entry in the typespec file, not from the .ini file under /etc/netwitness/ng/envision/etc/devices/<parser>.
As a result, the logs are handed to the device parser whose name matches the typespec entry (e.g. mcafeewg) rather than to the custom parser, which is why unexpected results are returned.
Resolution
To resolve the issue, change the parser name between the <parser> and </parser> tags in /etc/netwitness/ng/logcollection/content/collection/file/<parser_name>.xml so that it names the custom parser. Keep a backup copy of the original typespec file before editing it.
For example, for a custom device parser named custom_mcafeewg to parse McAfee Web Gateway logs:
Restart the Log Collector and Log Decoder services after making the changes. Afterwards, confirm in Investigation that newly collected sessions show the custom parser name (e.g. custom_mcafeewg) in device.type.
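The following Python 3 script is an added example, not RSA tooling. It audits every typespec file in the File collection directory for a <parser> entry that still names a default parser for which a custom parser exists, and rewrites that entry after taking a .bak copy. It relies only on what this article states (the parser name sits between <parser> and </parser> and becomes device.type); the rest of the typespec layout in the built-in sample is constructed for illustration, and the CUSTOM_PARSERS mapping is an assumed value you would edit for your environment.

```python
#!/usr/bin/env python3
"""Audit and fix the <parser> name in Log Collector File typespec files.

Added example, not RSA's own tooling. It relies only on what the article
states: each /etc/netwitness/ng/logcollection/content/collection/file/*.xml
carries the parser name between <parser> and </parser>, and the Log Decoder
uses that name as device.type. The surrounding XML in build_sample_dir()
is constructed for illustration only.
"""
import os
import re
import shutil
import tempfile

# Real location on a 10.6.4 Log Collector (from the article).
TYPESPEC_DIR = "/etc/netwitness/ng/logcollection/content/collection/file"

# Default parser name -> custom parser name that should replace it.
# Assumed mapping for this example; edit to match your environment.
CUSTOM_PARSERS = {"mcafeewg": "custom_mcafeewg"}

# Matches only the text between <parser> and </parser>, nothing else.
PARSER_RE = re.compile(r"(<parser>\s*)([^<\s]+)(\s*</parser>)")


def parser_name(path):
    """Return the parser name embedded in one typespec file, or None."""
    with open(path, encoding="utf-8") as fh:
        m = PARSER_RE.search(fh.read())
    return m.group(2) if m else None


def find_mismatches(typespec_dir, custom_parsers):
    """List (file, current_name, expected_name) for typespecs that still
    point at a default parser for which a custom parser is defined."""
    hits = []
    for name in sorted(os.listdir(typespec_dir)):
        if not name.endswith(".xml"):
            continue
        path = os.path.join(typespec_dir, name)
        current = parser_name(path)
        if current in custom_parsers:
            hits.append((path, current, custom_parsers[current]))
    return hits


def set_parser_name(path, new_name):
    """Rewrite only the text between <parser> and </parser>, keeping a
    .bak copy of the original. Returns True if the file was changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, n = PARSER_RE.subn(
        lambda m: m.group(1) + new_name + m.group(3), original, count=1)
    if n == 0 or updated == original:
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


def fix_all(typespec_dir, custom_parsers):
    """Apply the custom names to every mismatched typespec; returns the
    list of files that were changed."""
    changed = []
    for path, _current, expected in find_mismatches(typespec_dir, custom_parsers):
        if set_parser_name(path, expected):
            changed.append(path)
    return changed


def build_sample_dir():
    """Constructed stand-in for TYPESPEC_DIR so the example runs offline.
    The <typespec>/<name> wrapper is invented; only <parser> matters."""
    d = tempfile.mkdtemp(prefix="typespec-")
    samples = {
        "webgateway.xml": "mcafeewg",      # still names the default parser
        "otherdevice.xml": "otherdevice",  # no custom parser defined: untouched
    }
    for fname, pname in samples.items():
        with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
            fh.write("<typespec>\n  <name>%s</name>\n  <parser>%s</parser>\n"
                     "</typespec>\n" % (fname[:-4], pname))
    return d


if __name__ == "__main__":
    # Run against the constructed sample; point at TYPESPEC_DIR on a
    # Log Collector (as root, with a backup) to audit real files.
    d = build_sample_dir()
    print("before:", find_mismatches(d, CUSTOM_PARSERS))
    print("changed:", fix_all(d, CUSTOM_PARSERS))
    print("after:", find_mismatches(d, CUSTOM_PARSERS))
```

Run the audit (find_mismatches) first and review the list before calling fix_all; the rewrite touches only the <parser> text, so comments and the rest of each typespec file are preserved. The Log Collector and Log Decoder services still need to be restarted afterwards, as described above.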