Log Parser Customize: Appendix B - Move Log Parsers to Production

Document created by RSA Information Design and Development on Jul 25, 2018Last modified by RSA Information Design and Development on Sep 20, 2018
Version 3Show Document
  • View in full screen mode
 

You may have a development or test environment where you work on new and updated log parsers and log parser rules. In this case, at some point you need to move your new and updated log parsers into your production environment. This topic describes how to do this.

To move custom log parsers and log parser rules from development to production environment:

  1. On the development system, do the following:

    1. SSH to the NetWitness Server
    2. Export the log parser information by running the following command:

      mongodump --host localhost --port 27017 --db "content-server" --username "deploy_admin" --password "netwitness" --authenticationDatabase admin

    3. Copy the "dump" folder to your production NetWitness Server.
  2. On the production system, do the following:

    1. SSH to the NetWitness Server
    2. Drop the content-server table from Mongo by running below commands in the order listed:

      mongo --username deploy_admin --password netwitness --authenticationDatabase admin

      use content-server

      db.logDeviceParser.drop()

      db.patternFormatType.drop()

      exit

    3. Run the following restore command:

      mongorestore --host localhost --port 27017 --db "content-server" --username "deploy_admin" --password "netwitness" --authenticationDatabase admin PATH_TO_DUMP_FOLDER

      Make sure to replace PATH_TO_DUMP_FOLDER with the actual path to the "dump" folder.

    4. Restart the content-server by running the following command:

      systemctl restart rsa-nw-content-server

You are here
Table of Contents > Move Log Parser Rules to Production

Attachments

    Outcomes