000035526 - Logs are no longer parsed by custom parsers after upgrading to RSA Security Analytics 10.6.4.0

Document created by RSA Customer Support Employee on Oct 6, 2017
Version 1

Article Content

Article Number: 000035526
Applies To: RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Log Decoder, Log Collector
RSA Version/Condition: 10.6.4.0
 
Issue: After upgrading the RSA Security Analytics environment to 10.6.4.0, logs are no longer parsed by the custom parsers.
In Investigation, sessions appear with device.type set to the default parser name instead of the custom one.
For example, device.type appears as mcafeewg even though the custom_mcafeewg parser is enabled.
The Log Decoder's Config page shows the custom parsers enabled while the defaults are disabled or removed entirely.
Checking the /etc/netwitness/ng/envision/etc/devices folder also confirms that the custom parsers are in the correct folders.
 
Cause: In 10.6.4, if logs are collected via typespec files, the parser name is embedded in the typespec file, which is found under /etc/netwitness/ng/logcollection/content/collection/file.
The example below is from the /etc/netwitness/ng/logcollection/content/collection/file/webgateway.xml file.

<parser>mcafeewg</parser>

This is where device.type stems from, not from the .ini file under /etc/netwitness/ng/envision/etc/devices/<parser>.
As a result, the logs are parsed by the device parser with the matching name (e.g. mcafeewg), hence the unexpected results.
 
Resolution: To resolve the issue, modify the parser name between <parser> and </parser> in /etc/netwitness/ng/logcollection/content/collection/file/<parser_name>.xml.
For example, for a custom device parser named custom_mcafeewg that parses McAfee Web Gateway logs:
Original:

<parser>mcafeewg</parser>

Modified:

<parser>custom_mcafeewg</parser>

Restart the Log Collector and Log Decoder services after making the changes.
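As an added example (not part of the RSA article), the POSIX shell helpers below list the parser name each typespec under the collection/file directory embeds, flag any whose parser has no folder under the devices directory, and rewrite a single typespec to a custom parser name while keeping a backup. The paths are the ones the article names; the environment-variable overrides and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not RSA's own tooling. Default paths are those named in the
# article; TYPESPEC_DIR / DEVICES_DIR overrides are an assumption for testing.
TYPESPEC_DIR="${TYPESPEC_DIR:-/etc/netwitness/ng/logcollection/content/collection/file}"
DEVICES_DIR="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"

# Print the parser name embedded in one typespec file (first <parser> element).
typespec_parser() {
    sed -n 's/.*<parser>\([^<]*\)<\/parser>.*/\1/p' "$1" | head -n 1
}

# List every typespec whose embedded <parser> has no matching device folder,
# one "<typespec>: <parser>" line each. Returns 1 if any mismatch was found.
audit_typespecs() {
    rc=0
    for f in "$TYPESPEC_DIR"/*.xml; do
        [ -f "$f" ] || continue
        p=$(typespec_parser "$f")
        [ -n "$p" ] || continue
        if [ ! -d "$DEVICES_DIR/$p" ]; then
            printf '%s: %s\n' "$f" "$p"
            rc=1
        fi
    done
    return $rc
}

# Point one typespec at a custom parser (e.g. custom_mcafeewg), keeping a .bak
# copy of the original. Refuses when no device folder exists for the new name,
# so a typo cannot leave the typespec referencing a parser that is not there.
set_typespec_parser() {
    f="$1"; new="$2"
    [ -d "$DEVICES_DIR/$new" ] || { echo "no device folder for $new" >&2; return 2; }
    cp "$f" "$f.bak" || return 1
    sed "s|<parser>[^<]*</parser>|<parser>$new</parser>|" "$f.bak" > "$f"
}

# Usage: audit_typespecs
#        set_typespec_parser "$TYPESPEC_DIR/webgateway.xml" custom_mcafeewg
# Restart the Log Collector and Log Decoder services afterwards, as the article says.
```

The audit only detects parsers whose folder is missing; a default parser that is still present but disabled on the Log Decoder is not flagged, so compare the listing against the Config page.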
 
