Log Parser Customize:Troubleshooting/Limitations

Document created by RSA Information Design and Development on Jul 25, 2018. Last modified by RSA Information Design and Development on Sep 20, 2018. Version 4.
 

This section describes some common issues that can occur when you customize log parsers and log parser rules.

Troubleshooting


You do not see any log parsing against a newly created parser.

You may have forgotten to map the new parser. To map a parser, go to Admin > Event Sources > Discovery tab. See the "Discovery Tab" topic in the Event Source Management Guide for details.

Deployment fails

If you click Deploy for a new or updated log parser and the deployment fails, check the content-server log on the NetWitness Server. It records the failure details and the name of the Log Decoder that rejected the parser. The log is located at:

/var/log/netwitness/content-server/content-server.log

Limitations

Please note the following limitations when using the Log Parser Rules tab:

  • Log Decoder must be at version 11.2: For the functionality in the Log Parser Rules tab to work, your installation must have at least one Log Decoder running NetWitness version 11.2.
  • Mixed Mode: If the NetWitness Server is at version 11.2 and some Log Decoders are at version 11.2, those Log Decoders have parseall rules enabled by default and begin parsing logs accordingly. However, the 11.2 NetWitness Server does not support Log Decoders at versions earlier than 11.2, so the Log Parser Rules tab in the UI stays blank.
  • Meta key fields list refresh: If new meta keys are added to the Log Decoder, they do not appear in the Meta list in the Log Parser Rules tab immediately. They appear automatically after 24 hours, or you can restart the content server service to see them sooner.
  • Field Restrictions: Note the following field restrictions:

    • Rule name must be 64 characters or fewer.
    • Parser Name must be 3 to 30 characters, alphanumeric or underscore only, and must not match the name of any existing log parser.
    • Parser Display Name must be 64 characters or fewer, and cannot match any other parser display name.
    • Regex Expression must be 1-255 characters, and a valid regex (closed capture list allowed).
    • Tags cannot be duplicates.
  • Deploy only to 11.2 Log Decoders: The Deploy operation only deploys log parsers to version 11.2 Log Decoders.
  • Cannot Remove Deployed Parsers: Once deployed, you cannot delete a log parser using the UI.
  • See log for errors: Refer to the content-server log for deploy failure details and the names of the affected Log Decoders.
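The field restrictions above can be checked locally before you submit a parser, so a definition that the UI would reject does not cost a Deploy round trip and a trip through content-server.log. The following Python script is an added example written for this page, not RSA NetWitness code. It assumes that Python's `re` module is an acceptable stand-in for the Log Decoder's regex engine (the decoder's dialect may differ, so a pattern that compiles here can still be rejected on deploy), and the sets of existing parser and display names are constructed sample data rather than values read from a live system.

```python
import re

# Field limits as listed for the Log Parser Rules tab.
MAX_RULE_NAME_LEN = 64
PARSER_NAME_RE = re.compile(r"[A-Za-z0-9_]{3,30}")
MAX_DISPLAY_NAME_LEN = 64
MAX_REGEX_LEN = 255

# Constructed sample of names already taken. In practice, read these off the
# Log Parser Rules tab before submitting a new parser.
EXISTING_PARSER_NAMES = {"ciscoasa", "msexchange", "rhlinux"}
EXISTING_DISPLAY_NAMES = {"Cisco ASA", "Microsoft Exchange", "Red Hat Linux"}


def validate_parser(name, display_name, rules,
                    existing_names=EXISTING_PARSER_NAMES,
                    existing_display_names=EXISTING_DISPLAY_NAMES):
    """Check a parser definition against the documented field restrictions.

    `rules` is a list of dicts with keys "name", "regex" and "tags".
    Returns a list of human-readable violations; an empty list means the
    definition passes every check implemented here.
    """
    problems = []

    # Parser Name: 3-30 alphanumeric/underscore characters, not already taken.
    if not PARSER_NAME_RE.fullmatch(name):
        problems.append(f"Parser Name {name!r} must be 3-30 alphanumeric or underscore characters")
    if name in existing_names:
        problems.append(f"Parser Name {name!r} already exists")

    # Parser Display Name: at most 64 characters and unique.
    if len(display_name) > MAX_DISPLAY_NAME_LEN:
        problems.append(f"Parser Display Name {display_name!r} must be 64 characters or fewer")
    if display_name in existing_display_names:
        problems.append(f"Parser Display Name {display_name!r} already exists")

    for i, rule in enumerate(rules):
        label = f"rule {i} ({rule.get('name', '')!r})"

        # Rule name: at most 64 characters.
        if len(rule.get("name", "")) > MAX_RULE_NAME_LEN:
            problems.append(f"{label}: Rule name must be 64 characters or fewer")

        # Regex Expression: 1-255 characters and must compile. Python's re is
        # used here as an approximation of the Log Decoder's engine (assumption).
        regex = rule.get("regex", "")
        if not 1 <= len(regex) <= MAX_REGEX_LEN:
            problems.append(f"{label}: Regex Expression must be 1-255 characters")
        else:
            try:
                re.compile(regex)
            except re.error as exc:
                problems.append(f"{label}: Regex Expression does not compile ({exc})")

        # Tags: no duplicates within a rule.
        tags = rule.get("tags", [])
        dupes = sorted({t for t in tags if tags.count(t) > 1})
        if dupes:
            problems.append(f"{label}: duplicate tags {dupes}")

    return problems


# Constructed sample definitions: one that passes, one that trips several checks.
GOOD_PARSER = {
    "name": "acme_fw",
    "display_name": "Acme Firewall",
    "rules": [
        {"name": "src_ip", "regex": r"src=(\d{1,3}(?:\.\d{1,3}){3})", "tags": ["ip.src"]},
        {"name": "action", "regex": r"action=(allow|deny)", "tags": ["action"]},
    ],
}

BAD_PARSER = {
    "name": "ciscoasa",          # clashes with an existing parser name
    "display_name": "Cisco ASA", # clashes with an existing display name
    "rules": [
        # rule name too long, unbalanced regex, duplicate tag
        {"name": "x" * 65, "regex": r"(unclosed", "tags": ["event.type", "event.type"]},
    ],
}


def check(definition):
    """Convenience wrapper: validate a dict-shaped parser definition."""
    return validate_parser(definition["name"], definition["display_name"], definition["rules"])


if __name__ == "__main__":
    for defn in (GOOD_PARSER, BAD_PARSER):
        problems = check(defn)
        print(defn["name"], "->", "OK" if not problems else "; ".join(problems))
```

Run the script as-is to see the good definition pass and the bad one report five violations. The checks are deliberately independent so a single submission surfaces every problem at once rather than one per Deploy attempt; the one thing this cannot catch is the Log Decoder rejecting a pattern its own engine does not accept, which still shows up only in content-server.log.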