000036008 - How to reload parsers on RSA NetWitness Platform Decoders without service restart

Document created by RSA Customer Support Employee on Feb 12, 2018. Last modified by RSA Customer Support Employee on Aug 27, 2019. Version 2.


Article Number: 000036008
Applies To:
RSA Product Set: NetWitness Logs and Network
RSA Product/Service Type: Log Decoders & Network/Packet Decoders
RSA Version/Condition: 10.6.x & 11.x
Platform: CentOS6 & CentOS7
 
Issue:
  • This article is useful when applying a new version of a parser, or a custom parser, and loading it into memory without restarting the Network Decoder or Log Decoder service, which would interrupt normal capture operations.
  • This applies to parsers such as Lua parsers, Flex parsers (now deprecated), log device parsers on the Log Decoder, and other parser types on decoders such as the GeoIP and Snort parsers.

Tasks
Note: For the following steps, a Log Decoder service is used as the example. The steps apply equally to a Network Decoder service (formerly referred to as a Packet Decoder service).
  • Log in to the RSA NetWitness UI with an account whose role has the parsers.manage permission on the Log Decoder service.
  • Navigate to the explore page of your Log Decoder service. This will show a tree-like series of nodes which can be thought of as directories.
  • Expand the "decoder" directory to reveal the parsers directory.
  • Right-click on the "parsers" directory then left-click on "Properties".
  • From the drop-down menu in the bottom panel, select the "reload" method, as depicted in the RSA NetWitness 10.6.x screenshot below, and press the "Send" button.
    [Screenshot: RSA NetWitness 10.6.x Properties panel with the "reload" method selected]
  • The "Response Output" (under "Message Help") should return:

    The parsers have been reloaded

  • This process reloads all parsers from disk for the Log Decoder service for use in parsing new sessions.

Below is a sample of logs taken from a Log Decoder SSH session to explain what happens in the background:

Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Decoder] [audit] User admin (session 5638, 192.168.2.101:43832) has issued a parser reload
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loaded 2 ip entries from /etc/netwitness/ng/envision/etc/ipaddr.tab
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loaded 260 ecategories from /etc/netwitness/ng/envision/etc/ecat.ini
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loaded 359 mappings from /etc/netwitness/ng/envision/etc/table-map.xml
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loading device definitions '/etc/netwitness/ng/envision/etc/devices'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] File netwitness content loaded
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] File cef content loaded
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Files have been disabled 'accurev,actiancevantage,actividentity,aforecloudlink,airdefense,airmagnet,airtightmc,aix,alcatelomniswitch,apache,apachetomcat,apconintellapatch,appsecdbprotect,arborpeakflow,arborpeakflowsp,artifactory,arubaairwave,arubacppm,arubanetworks,astarosg,avectopg,aventail,avocentkvm,barracudasf,barracudawaf,beewarewaf,bigfix,bigip,bigipafm,bigipapm,bigipasm,bit9,blackberryes,bluecat,bluecoatdirector,bluecoatproxyav,bmcremedyitsm,brocadeswitch,cacheflowelff,caitm,casiteminder,celerra,checkpointfw1,ciscoace,ciscoacsxp,ciscoasa,ciscoidsxml,ciscoiportesa,ciscoiportwsa,ciscolms,ciscomars,ciscomeraki,ciscomse,cisconac,cisconcm,cisconxos,ciscopix,ciscorouter,ciscosecagent,ciscosecureacs,ciscoucs,ciscowcs,ciscowlc,ciscoworks,citrixag,citrixns,citrixxa,clariion,clouderanavigator,courionpc,crossbeamc,cyberark,cyberguardclassic,cyberoamutm,damballa,delldrac,dellswitch,detectit,dragonids,eeyeblink,eeyerem,eeyeretina,emcavamar,emcdatadomain,emcdocumentum,emcdpa,emcionixuim,emcisilon,emcnetworker,emcvplex,enterasysswitch,entercept,enterpriseitsfne,entrustig,epolicy,esrs,evidian,fabricos,fairwarningpm,fireeyewebmps,firepass,forescoutcounteract,forticlientendpoint,fortinet,fortinetfortimail,fortinetmgr,fsecureav,gecea,gepacs,git,greenplum,greenplumhd,gseftserver,guardium,hpnonstopserver,hpprocurvesw,hpux,huaweivrp,hytrust,ibmacf2,ibmdb2,ibmicsf,ibmidms,ibmims,ibmmainframeipsec,ibmmfzossyslog,ibmracf,ibmtamesso,ibmtamws,ibmtim,ibmtopsecret,ibmwebsphere,ibmwebspheredp,ibmwebspheremq,impervawaf,infobloxnios,intrushield,invincea,ironmail,iseries,iss,j4carehcc,jboss,jenkins,juniperic,junipersbr,junipervpn,juniperwlc,junosrouter,kasperskyav,kvm,landesk,linux_snare,lotusdomino,lumensionemss,manageenginenetflow,mazuprofiler,mcafeedlp,mcafeeds,mcafeeendpoint,mcafeefoundscan,mcafeeic,mcafeenac,mcafeepa,mcafeereconnex,mcafeevirusscan,mcafeewg,mckessonhpf,microdasys_xsg,microsoftiis,mom,msacs,msdhcp,msexchange,msforefrontcs,msfuag,msias,msisa,msnap,mssccm,mssharepoint,mssql,msurlscan,mswsus,mysql,ncircleccm,nessusvs,netapp,netasqutm,netscreen,netscreenidp,netwitnessspectrum,nexpose,nfdump,nfrnids,nokiaipso,nortelvpn,nortelwebos,novelledirectory,nsm,openvms,oracle,oracleam,oracleav,oracledv,oracleid,oracleim,oracleiplanetweb,oracleweblogic,paloaltonetworks,perforce,postgresql,proofpoint,radiator,radwaredp,rhlinux,riverbedsteelhead,rsaaah,rsaaaop,rsaaccessmanager,rsaacesrv,rsaarcher,rsaaveksa,rsacm,rsadlp,rsaecat,rsafim,rsaflow,rsakeymanager,rsaviaaccess,rsavlr,safendprotector,safenethsm,sap,secudesi,sidewinder,silverpeakwan,silvertailforensics,snort,solaris,solarisbsm,sonicwall,sonicwallemail,sonicwallgms,sophos,squid,stash,stealthwatch,sunoneldap,sybasease,symantecav,symantecbrightmail,symanteccsp,symantecdlp,symantecintruder,symmetrix,teradata,tippingpoint,trendmicro,trendmicrods,trendmicrodsa,trendmicroimss,trendmicroiwss,trendmicroossec,trendmicroscanmail,trendmicrosp,tripwire,tufinsecuretrack,unboundidids,varonisprobe,vmware_esx_esxi,vmware_nsx,vmware_vc,vmware_vcac,vmware_vcloud,vmware_vco,vmware_vcops,vmware_view,vmware_vshield,voltagesecuredata,voyence,vssmonitoring,websense,websenseds,whatsupgold,winevent_er,winevent_nic,winevent_snare,zenprisemdm,zscalernss'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Log analysis initialized: 2 files; 7 headers; 21 groups; 23 messages
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Parser manager created parsers 'SYSTEM,NETWORK,ALERTS,GeoIP,Log Parser,LogTokens,IPSCAN,IPV6SCAN,URLSCAN,DOMAINSCAN,EMAILSCAN,INTERNETTIMESTAMPSCAN,SYSLOGTIMESTAMPSCAN,FeedParser,'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Lexical Analyzer for Parsers built using 18 tokens and 242032 bytes of memory
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Parsers pre-allocated 192 bytes of memory
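
As an added example (not part of the RSA article), the following Python script parses decoder log lines of the kind shown above so that a reload can be verified and attributed from the logs rather than only from the UI response: it records which user issued each reload, from which session and source address, which log device parsers stayed disabled, and which parsers the parser manager brought up afterwards. The log sample is constructed from the excerpt, with the "Files have been disabled" list shortened.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the article's Log Decoder excerpt; the real
# "Files have been disabled" line lists hundreds of device parsers.
SAMPLE_LOG = """\
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Decoder] [audit] User admin (session 5638, 192.168.2.101:43832) has issued a parser reload
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Files have been disabled 'accurev,apache,ciscoasa'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Parser manager created parsers 'SYSTEM,NETWORK,ALERTS,GeoIP,Log Parser,LogTokens,FeedParser,'
"""

AUDIT_RE = re.compile(r"\[audit\] User (?P<user>\S+) \(session (?P<session>\d+), "
                      r"(?P<src>[^)]+)\) has issued a parser reload")
DISABLED_RE = re.compile(r"Files have been disabled '(?P<names>[^']*)'")
CREATED_RE = re.compile(r"Parser manager created parsers '(?P<names>[^']*)'")


def _names(csv: str) -> List[str]:
    # The decoder leaves a trailing comma ('...,FeedParser,'); drop empty items.
    return [n.strip() for n in csv.split(",") if n.strip()]


def summarize_reloads(log_text: str) -> List[Dict]:
    """One record per audited reload: who issued it, from where, what came up."""
    reloads: List[Dict] = []
    for line in log_text.splitlines():
        if m := AUDIT_RE.search(line):
            reloads.append({"user": m["user"], "session": int(m["session"]),
                            "source": m["src"], "disabled": [], "created": [],
                            "completed": False})
        elif not reloads:
            continue  # lines before the first audit event belong to no reload
        elif m := DISABLED_RE.search(line):
            reloads[-1]["disabled"] = _names(m["names"])
        elif m := CREATED_RE.search(line):
            # The parser manager announcing its parser set marks the end of the reload.
            reloads[-1]["created"] = _names(m["names"])
            reloads[-1]["completed"] = True
    return reloads


def parser_loaded(reload: Dict, parser_name: str) -> bool:
    """True when the reload finished and the named parser is in the loaded set."""
    return reload["completed"] and parser_name in reload["created"]


if __name__ == "__main__":
    for r in summarize_reloads(SAMPLE_LOG):
        print(f"{r['user']} from {r['source']}: {len(r['created'])} parsers created, "
              f"{len(r['disabled'])} device parsers disabled, GeoIP ok={parser_loaded(r, 'GeoIP')}")
```

A reload that shows an audit line but never reaches the "Parser manager created parsers" line is reported with completed=False, which is the case to investigate before assuming the new parser is live.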


 
Notes:
  • Pushing parsers from RSA Live automatically triggers a parser reload on Log and Network Decoders.

Reloading Feeds
You can reload feeds on Log and Network Decoders in much the same way, using the "feed" method instead of the "reload" method.
  • Navigate to the explore page of your Log Decoder service.
  • Expand the "decoder" directory to reveal the parsers directory.
  • Right-click on the "parsers" directory then left-click on "Properties".
  • From the drop-down menu in the bottom panel, select the "feed" method.
  • Enter in the "Parameters" field:

    op=reload

  • Press the "Send" button.
