This section describes some common issues that can occur when you customize log parsers and log parser rules.
You do not see any log parsing against a newly created parser.
If you click Deploy to deploy a new or updated log parser, and it fails, you should check the log for your reference log decoder. You access this log in the following location on the NetWitness Server:
If you have any issues when you attempt to remove a Log Parser through the UI, you can manually delete a log parser by using NwConsole.
To delete a log parser that has been deployed:
- Access the RSA NetWitness Console, using the NwConsole command. For details, see "Access NwConsole and Help" in the NwConsole User Guide.
- Run the following command:
  [localhost:50002] /decoder/parsers> send . delete file=filename.xml type=device
  where filename is the name of the XML file for the log parser. For example, to delete the log parser for Oracle Access Manager, run the following command:
  [localhost:50002] /decoder/parsers> send . delete file=oracleam.xml type=device
Notes about the log parser filename:
- Log parser files are located on the Log Decoder in the following path:
- Each log parser has its own sub-folder. For example, the Cisco ASA parser files are in the following folder:
- Some log parser file names begin with v20_, while others do not—the only way to tell is by examining the devices folders. For Cisco ASA, the log parser file name is v20_ciscoasamsg.xml. However, in the previous command, when you specify the filename, do not use the v20_ prefix.
NwLogPlayer is a troubleshooting tool that simulates syslog traffic. NwLogPlayer.exe is a command line utility located on the Log Decoder host in /usr/bin.
At the command line, type nwlogplayer.exe -h to list the available options, as reproduced here:
| Option | Description |
|---|---|
| --priority arg | Set log priority level |
| -h [ --help ] | Show this message |
| -f [ --file ] arg (=stdin) | Input message; defaults to stdin |
| -d [dir ] arg | Input directory |
| -s [ --server ] arg (=localhost) | Remote server; defaults to localhost |
| -p [ --port ] arg (=514) | Remote port; defaults to 514 |
| -r [ --raw ] arg (=0) | Determines raw mode |
| -m [ --memory ] arg | Speed test mode. Reads up to 1 megabyte of messages from the file content and replays them |
| --rate arg | Number of events per second. This argument has no effect if rate > eps that the program can achieve in continuous mode |
| --maxcnt arg | Maximum number of messages to be sent |
| -c [ --multiconn ] | Multiple connections |
| -t [ --time ] arg | Simulate time stamp; format is yyyy-m-d-hh:mm:ss |
| -v [ --verbose ] | If true, output is verbose |
| --ip arg | Simulate an IP tag |
| --ssl | Use SSL to connect |
| --certdir arg | OpenSSL certificate authority directory |
| --clientcert arg | Use this PEM-encoded SSL client certificate |
| --udp | Send in UDP |
Please note the following limitations when using the Log Parser Rules tab:
- Log Decoder must be at version 11.2: For the functionality in the Log Parser Rules tab to work, your installation must have at least one Log Decoder running NetWitness version 11.2 or later.
- JSON Mapping: Log Decoder must be at version 11.5: For the JSON Mapping Beta functionality to work, your installation must have at least one Log Decoder running NetWitness version 11.5 or later.
- Mixed Mode: If any Log Decoders are at version 11.2 or later, and the NetWitness Server is at version 11.2 or later, the Log Decoders will have parseall rules enabled by default, and thus will begin to parse logs accordingly. However, the 11.2 NetWitness Server does not support Log Decoders with versions less than 11.2, so the Log Parser Rules tab in the UI stays blank.
- Meta key fields list refresh: If any new meta keys are added to the Log Decoder, they do not appear in the list of Meta in the Log Parser Rules tab immediately. They appear automatically after 24 hours, or you can restart the content server service to view them.
Field Restrictions: The following restrictions apply to rule and parser fields:
- Rule name must be 64 characters or fewer.
- Parser Name must be between 3 and 30 alphanumeric characters (including underscores), and must not match the name of any existing log parsers.
- Parser Display Name must be 64 characters or fewer, and cannot match any other parser display name.
- Regex Expression must be 1-255 characters, and a valid regex (closed capture list allowed).
- Tags cannot be duplicates.
- Deploy only to 11.2 Log Decoders: The Deploy operation only deploys log parsers to version 11.2 or later Log Decoders.
- Cannot Remove Deployed Parsers: Once deployed, you cannot delete a log parser using the UI.
- See log for errors: Refer to the content-server logs for details of a deploy failure and the names of the affected Log Decoders.
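As an added example (not part of the product or this documentation), the following Python function applies the field restrictions listed above to a proposed Log Parser Rule before you submit it in the UI, so that a rejected deploy is not the first place you learn about a bad name or regex. Two assumptions are labelled in the code: name uniqueness is compared case-insensitively, and Python's `re` module stands in for the server's regex engine when checking that the expression is valid.

```python
"""Pre-submission checks for a Log Parser Rule, added as an illustration.

Implements the field restrictions from the Log Parser Rules tab limitations.
The UI performs its own validation; this only surfaces problems earlier.
Assumptions (not documented behaviour): existing parser and display names
are compared case-insensitively, and Python's re dialect approximates the
server's regex validity check.
"""
import re

# Parser Name: 3-30 alphanumeric characters, underscores allowed.
PARSER_NAME_RE = re.compile(r"^[A-Za-z0-9_]{3,30}$")


def validate_parser_rule(rule_name, parser_name, display_name, regex, tags,
                         existing_parser_names=(), existing_display_names=()):
    """Return a list of violations; an empty list means every restriction passed."""
    errors = []

    # Rule name must be 64 characters or fewer.
    if len(rule_name) > 64:
        errors.append("rule name exceeds 64 characters")

    # Parser Name: length/charset, and must not match an existing log parser.
    if not PARSER_NAME_RE.match(parser_name):
        errors.append("parser name must be 3-30 alphanumeric/underscore characters")
    taken = {n.lower() for n in existing_parser_names}  # assumption: case-insensitive
    if parser_name.lower() in taken:
        errors.append(f"parser name '{parser_name}' matches an existing log parser")

    # Parser Display Name: 64 characters or fewer and unique.
    if len(display_name) > 64:
        errors.append("display name exceeds 64 characters")
    if display_name.lower() in {n.lower() for n in existing_display_names}:
        errors.append(f"display name '{display_name}' is already in use")

    # Regex Expression: 1-255 characters and syntactically valid.
    if not 1 <= len(regex) <= 255:
        errors.append("regex must be 1-255 characters")
    else:
        try:
            re.compile(regex)  # assumption: Python re as stand-in for the server engine
        except re.error as exc:
            errors.append(f"regex is not valid: {exc}")

    # Tags cannot be duplicates.
    seen, dupes = set(), []
    for tag in tags:
        if tag in seen and tag not in dupes:
            dupes.append(tag)
        seen.add(tag)
    if dupes:
        errors.append("duplicate tags: " + ", ".join(dupes))

    return errors


if __name__ == "__main__":
    # Constructed names for illustration; pull the real lists from your deployment.
    existing_parsers = ["ciscoasa", "oracleam"]
    existing_display = ["Cisco ASA", "Oracle Access Manager"]
    problems = validate_parser_rule(
        rule_name="Login failure",
        parser_name="custom_app",
        display_name="Custom App",
        regex=r"login failed for (?P<user>\w+)",
        tags=["auth", "failure"],
        existing_parser_names=existing_parsers,
        existing_display_names=existing_display,
    )
    print("ok" if not problems else "\n".join(problems))
```

Feed the function the parser and display names already present on your Log Decoders; the check that a new Parser Name does not collide with an existing log parser is the one most often missed when a deploy fails.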