Skip navigation
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Log Parser Customize:Troubleshooting/Limitations

Document created by RSA Information Design and Development Employee on Jul 25, 2018Last modified by RSA Information Design and Development Employee on Sep 8, 2020
Version 10Show Document
  • View in full screen mode
 

This section describes some common issues that can occur when you customize log parsers and log parser rules.

Troubleshooting

             

You do not see any log parsing against a newly created parser.

You may have forgotten to map the new parser. To map a parser, go to (Admin) > Event Sources > Discovery tab. See the "Discovery Tab" topic in the Event Source Management Guide for details.

Deployment fails

If you click Deploy to deploy a new or updated log parser, and it fails, you should check the log for your reference log decoder. You access this log in the following location on the NetWitness Server:

/var/log/netwitness/content-server/content-server.log

Delete a Log Parser Manually

If you have any issues when you attempt to remove a Log Parser through the UI, you can manually delete a log parser by using NwConsole.

To delete a log parser that has been deployed:

  1. Access the RSA NetWitness Console, using the NwConsole command. For details, see "Access NwConsole and Help" in the NwConsole User Guide.
  2. Run the following command:

    [localhost:50002] /decoder/parsers> send . delete file=filename.xml type=device

    where filename is the name of the XML file for the log parser. For example, to delete the log parser for Oracle Access Manager, run the following command:

    [localhost:50002] /decoder/parsers> send . delete file=oracleam.xml type=device

Notes about the log parser filename:

  • Log parser files are located on the Log Decoder in the following path:

    /etc/netwitness/ng/envision/etc/devices

  • Each log parser has its own sub-folder. For example, the Cisco ASA parser files are in the following folder:

    /etc/netwitness/ng/envision/etc/devices/ciscoasa

  • Some log parser file names begin with v20_, while others do not—the only way to tell is by examining the devices folders. For Cisco ASA, the log parser file name is v20_ciscoasamsg.xml. However, in the previous command, when you specify the filename, do not use the v20_ prefix.

NwLogPlayer

NwLogPlayer is a troubleshooting tool that simulates syslog traffic. NwLogPlayer.exe is a command line utility located on the Log Decoder host in /usr/bin.

At the command line, type nwlogplayer.exe -h to list the available options, as reproduced here:

                                                                                   
OptionDescription
--priority arg set log priority level
-h [ --help ]  show this message
-f [ --file ] arg (=stdin) input message; defaults to stdin
-d [dir ] arg input directory
-s [ --server ] arg (=localhost) remote server; defaults to localhost
-p [ --port ] arg (=514) remote port; defaults to 514
-r [ --raw ] arg (=0) Determines raw mode.
  • 0 = add priority mark (default)
  • 1= File contents will be copied line by line to the server.
  • 3 = auto detect
  • 4 = enVision stream
  • 5 = binary object
-m [ --memory ] arg Speed test mode. Read up to 1 Megabyte of messages from the file content and replays.
--rate arg Number of events per second. This argument has no effect if rate > eps that the program can achieve in continuous mode.
--maxcnt arg maximum number of messages to be sent
-c [ --multiconn ] multiple connection
-t [ --time ] arg simulate time stamp time; format is yyyy-m-d-hh:mm:ss
-v [ --verbose ]  If true, output is verbose 
--ip arg simulate an IP tag
--ssl use SSL to connect
--certdir arg OpenSSL certificate authority directory
--clientcert arg use this PEM-encoded SSL client certificate 
--udp send in UDP

Limitations

Please note the following limitations when using the Log Parser Rules tab:

  • Log Decoder must be at version 11.2: For the functionality in the Log Parser Rules tab to work, your installation must have at least one Log Decoder running NetWitness version 11.2 or later.
  • JSON Mapping: Log Decoder must be at version 11.5: For the JSON Mapping Beta functionality to work, your installation must have at least one Log Decoder running NetWitness version 11.5 or later.
  • Mixed Mode: If any Log Decoders are at version 11.2 or later, and the NetWitness Server is at version 11.2 or later, the Log Decoders will have parseall rules enabled by default, and thus will begin to parse logs accordingly. However, the 11.2 NetWitness Server does not support Log Decoders with versions less than 11.2, so the Log Parser Rules tab in the UI stays blank.
  • Meta key fields list refresh: If any new meta keys are added to the Log Decoder, they do not appear in the list of Meta in the Log Parser Rules tab immediately. They appear automatically after 24 hours, or you can restart the content server service to view them.
  • Field Restrictions: Note the following field restrictions:

    • Rule name must be 64 characters or fewer.
    • Parser Name must be between 3 and 30 alphanumeric characters (including underscores), and must not match the name of any existing log parsers.
    • Parser Display Name must be 64 characters or fewer, and cannot match any other parser display name.
    • Regex Expression must be 1-255 characters, and a valid regex (closed capture list allowed).
    • Tags cannot be duplicates.
  • Deploy only to 11.2 Log Decoders: The Deploy operation only deploys log parsers to version 11.2 or later Log Decoders.
  • Cannot Remove Deployed Parsers: Once deployed, you cannot delete a log parser using the UI.
  • See log for errors: Refer to content-server logs for more details on deploy failure details and log decoder names.

You are here
Table of Contents > Troubleshooting and Limitations

Attachments

    Outcomes