000036008 - How to reload new parsers without LogDecoder service restart in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 12, 2018

Article Content

Article Number: 000036008
Applies To: RSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.6.x.x & 11.0
Platform: CentOS6 & CentOS7
 
Issue:
- This article covers applying a new RSA out-of-the-box (OOTB) parser or a custom parser and loading it into memory without restarting the LogDecoder service or interrupting normal operations.
- This applies to both Lua and Log parsers.

 
Tasks:
- Log in to your RSA NetWitness UI console with an "admin" account.
- Navigate to the Explore page of your LogDecoder service.
- Expand the "decoder" directory, right-click the "parsers" directory and click "properties".
- From the lower drop-down menu select "reload" (the screenshot from the original article is not reproduced here).

- The REST API interface of the LogDecoder service then reloads all enabled parsers (old plus new) into the appliance's memory, where the LogDecoder engine uses them for parsing and meta-key / meta-value extraction.

Below is a log sample, captured in an SSH session on the LogDecoder, that shows what happens in the background. Note the first line: the audit entry records which user, session and source address issued the reload, which is worth checking whenever parser content changes unexpectedly.

Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Decoder] [audit] User admin (session 5638, 192.168.2.101:43832) has issued a parser reload
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loaded 2 ip entries from /etc/netwitness/ng/envision/etc/ipaddr.tab
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loaded 260 ecategories from /etc/netwitness/ng/envision/etc/ecat.ini
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loaded 359 mappings from /etc/netwitness/ng/envision/etc/table-map.xml
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Loading device definitions '/etc/netwitness/ng/envision/etc/devices'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] File netwitness content loaded
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] File cef content loaded
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Files have been disabled 'accurev,actiancevantage,actividentity,aforecloudlink,airdefense,airmagnet,airtightmc,aix,alcatelomniswitch,apache,apachetomcat,apconintellapatch,appsecdbprotect,arborpeakflow,arborpeakflowsp,artifactory,arubaairwave,arubacppm,arubanetworks,astarosg,avectopg,aventail,avocentkvm,barracudasf,barracudawaf,beewarewaf,bigfix,bigip,bigipafm,bigipapm,bigipasm,bit9,blackberryes,bluecat,bluecoatdirector,bluecoatproxyav,bmcremedyitsm,brocadeswitch,cacheflowelff,caitm,casiteminder,celerra,checkpointfw1,ciscoace,ciscoacsxp,ciscoasa,ciscoidsxml,ciscoiportesa,ciscoiportwsa,ciscolms,ciscomars,ciscomeraki,ciscomse,cisconac,cisconcm,cisconxos,ciscopix,ciscorouter,ciscosecagent,ciscosecureacs,ciscoucs,ciscowcs,ciscowlc,ciscoworks,citrixag,citrixns,citrixxa,clariion,clouderanavigator,courionpc,crossbeamc,cyberark,cyberguardclassic,cyberoamutm,damballa,delldrac,dellswitch,detectit,dragonids,eeyeblink,eeyerem,eeyeretina,emcavamar,emcdatadomain,emcdocumentum,emcdpa,emcionixuim,emcisilon,emcnetworker,emcvplex,enterasysswitch,entercept,enterpriseitsfne,entrustig,epolicy,esrs,evidian,fabricos,fairwarningpm,fireeyewebmps,firepass,forescoutcounteract,forticlientendpoint,fortinet,fortinetfortimail,fortinetmgr,fsecureav,gecea,gepacs,git,greenplum,greenplumhd,gseftserver,guardium,hpnonstopserver,hpprocurvesw,hpux,huaweivrp,hytrust,ibmacf2,ibmdb2,ibmicsf,ibmidms,ibmims,ibmmainframeipsec,ibmmfzossyslog,ibmracf,ibmtamesso,ibmtamws,ibmtim,ibmtopsecret,ibmwebsphere,ibmwebspheredp,ibmwebspheremq,impervawaf,infobloxnios,intrushield,invincea,ironmail,iseries,iss,j4carehcc,jboss,jenkins,juniperic,junipersbr,junipervpn,juniperwlc,junosrouter,kasperskyav,kvm,landesk,linux_snare,lotusdomino,lumensionemss,manageenginenetflow,mazuprofiler,mcafeedlp,mcafeeds,mcafeeendpoint,mcafeefoundscan,mcafeeic,mcafeenac,mcafeepa,mcafeereconnex,mcafeevirusscan,mcafeewg,mckessonhpf,microdasys_xsg,microsoftiis,mom,msacs,msdhcp,msexchange,msforefrontcs,msfuag,msias,msisa,msnap,mssccm,mssharepoint,mssql,msurlscan,mswsus,mysql,ncircleccm,nessusvs,netapp,netasqutm,netscreen,netscreenidp,netwitnessspectrum,nexpose,nfdump,nfrnids,nokiaipso,nortelvpn,nortelwebos,novelledirectory,nsm,openvms,oracle,oracleam,oracleav,oracledv,oracleid,oracleim,oracleiplanetweb,oracleweblogic,paloaltonetworks,perforce,postgresql,proofpoint,radiator,radwaredp,rhlinux,riverbedsteelhead,rsaaah,rsaaaop,rsaaccessmanager,rsaacesrv,rsaarcher,rsaaveksa,rsacm,rsadlp,rsaecat,rsafim,rsaflow,rsakeymanager,rsaviaaccess,rsavlr,safendprotector,safenethsm,sap,secudesi,sidewinder,silverpeakwan,silvertailforensics,snort,solaris,solarisbsm,sonicwall,sonicwallemail,sonicwallgms,sophos,squid,stash,stealthwatch,sunoneldap,sybasease,symantecav,symantecbrightmail,symanteccsp,symantecdlp,symantecintruder,symmetrix,teradata,tippingpoint,trendmicro,trendmicrods,trendmicrodsa,trendmicroimss,trendmicroiwss,trendmicroossec,trendmicroscanmail,trendmicrosp,tripwire,tufinsecuretrack,unboundidids,varonisprobe,vmware_esx_esxi,vmware_nsx,vmware_vc,vmware_vcac,vmware_vcloud,vmware_vco,vmware_vcops,vmware_view,vmware_vshield,voltagesecuredata,voyence,vssmonitoring,websense,websenseds,whatsupgold,winevent_er,winevent_nic,winevent_snare,zenprisemdm,zscalernss'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Log analysis initialized: 2 files; 7 headers; 21 groups; 23 messages
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Parser manager created parsers 'SYSTEM,NETWORK,ALERTS,GeoIP,Log Parser,LogTokens,IPSCAN,IPV6SCAN,URLSCAN,DOMAINSCAN,EMAILSCAN,INTERNETTIMESTAMPSCAN,SYSLOGTIMESTAMPSCAN,FeedParser,'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Lexical Analyzer for Parsers built using 18 tokens and 242032 bytes of memory
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Parse] [info] Parsers pre-allocated 192 bytes of memory
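As an added check that is not part of the original article (and not RSA's code): the Python below parses LogDecoder log lines of the kind shown above to confirm who issued the reload, which parser files were loaded or disabled, and whether the file count in "Log analysis initialized" matches the files reported as loaded. The sample lines are constructed from the ones quoted above, and the regular expressions are assumptions derived from those lines.

```python
import re

# Constructed sample, modelled on the LogDecoder syslog lines quoted in this article.
SAMPLE_LOG = """\
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [Decoder] [audit] User admin (session 5638, 192.168.2.101:43832) has issued a parser reload
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] File netwitness content loaded
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] File cef content loaded
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Files have been disabled 'apache,ciscoasa,rhlinux'
Feb  9 15:11:24 ldecoder NwLogDecoder[3145]: [LogParse] [info] Log analysis initialized: 2 files; 7 headers; 21 groups; 23 messages
"""

AUDIT_RE = re.compile(r"\[audit\] User (\S+) \(session (\d+), ([\d.]+):(\d+)\) has issued a parser reload")
LOADED_RE = re.compile(r"\[LogParse\] \[info\] File (\S+) content loaded")
DISABLED_RE = re.compile(r"\[LogParse\] \[info\] Files have been disabled '([^']*)'")
INIT_RE = re.compile(r"Log analysis initialized: (\d+) files; (\d+) headers; (\d+) groups; (\d+) messages")


def _empty():
    return {"audit": None, "loaded": [], "disabled": [], "stats": None}


def summarize_reload(log_text):
    """Summarise the most recent parser reload in log_text (each audit line starts a fresh summary)."""
    summary = _empty()
    for line in log_text.splitlines():
        if m := AUDIT_RE.search(line):
            summary = _empty()  # who triggered the reload, from which session and address
            summary["audit"] = {"user": m.group(1), "session": int(m.group(2)),
                                "ip": m.group(3), "port": int(m.group(4))}
        elif m := LOADED_RE.search(line):
            summary["loaded"].append(m.group(1))
        elif m := DISABLED_RE.search(line):
            summary["disabled"] = [n for n in m.group(1).split(",") if n]
        elif m := INIT_RE.search(line):
            summary["stats"] = dict(zip(("files", "headers", "groups", "messages"),
                                        map(int, m.groups())))
    return summary


def parser_state(summary, name):
    """'loaded', 'disabled' or 'missing' for a device parser name after the reload."""
    if name in summary["loaded"]:
        return "loaded"
    return "disabled" if name in summary["disabled"] else "missing"


def reload_is_consistent(summary):
    """True when the 'Log analysis initialized' file count matches the files reported loaded."""
    return summary["stats"] is not None and summary["stats"]["files"] == len(summary["loaded"])
```

Run it against the real syslog output of the LogDecoder after a reload; a new parser that shows as "disabled" or "missing" was not picked up, and an audit line from an unexpected user or address deserves a closer look.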