Log Parser Customize:Troubleshooting/Limitations

Document created by RSA Information Design and Development on Jul 25, 2018. Last modified by RSA Information Design and Development on Jul 18, 2019. Version 6.

This section describes some common issues that can occur when you customize log parsers and log parser rules.

Troubleshooting

A newly created parser produces no parsed logs.

The most common cause is that the new parser has not been mapped to its event source. To map a parser, go to Admin > Event Sources > Discovery tab. See the "Discovery Tab" topic in the Event Source Management Guide for details.

Deployment fails

If you click Deploy to deploy a new or updated log parser and the operation fails, check the content server log, which records the reason for the failure and the name of the Log Decoder involved. The log is at the following location on the NetWitness Server:

/var/log/netwitness/content-server/content-server.log

NwLogPlayer

NwLogPlayer is a troubleshooting tool that simulates syslog traffic, which lets you feed a known set of sample events to a Log Decoder and check what a custom parser produces from them. NwLogPlayer.exe is a command line utility located on the Log Decoder host in /usr/bin.

At the command line, type nwlogplayer.exe -h to list the available options, reproduced here:

Option                            Description
--priority arg                    Set the log priority level.
-h [ --help ]                     Show this message.
-f [ --file ] arg (=stdin)        Input message file; defaults to stdin.
-d [dir ] arg                     Input directory.
-s [ --server ] arg (=localhost)  Remote server; defaults to localhost.
-p [ --port ] arg (=514)          Remote port; defaults to 514.
-r [ --raw ] arg (=0)             Raw mode:
  • 0 = add a priority mark (default)
  • 1 = copy the file contents to the server line by line, unchanged
  • 3 = auto detect
  • 4 = enVision stream
  • 5 = binary object
-m [ --memory ] arg               Speed test mode: reads up to 1 megabyte of messages from the file into memory and replays them.
--rate arg                        Number of events per second to send. Has no effect if the requested rate exceeds the EPS the program can achieve in continuous (unthrottled) mode.
--maxcnt arg                      Maximum number of messages to send.
-c [ --multiconn ]                Use multiple connections.
-t [ --time ] arg                 Simulate a time stamp; format is yyyy-m-d-hh:mm:ss.
-v [ --verbose ]                  Verbose output.
--ip arg                          Simulate an IP tag.
--ssl                             Use SSL to connect.
--certdir arg                     OpenSSL certificate authority directory.
--clientcert arg                  Use this PEM-encoded SSL client certificate.
--udp                             Send over UDP.
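
The following Python script is an added example, not RSA's NwLogPlayer or any other RSA code. It models the options above that matter most when replaying sample events at a custom parser: the priority mark (raw modes 0, 1 and 3), --maxcnt, --rate, -c and the -t timestamp, and it sends over TCP or UDP to a server and port. Everything about how those options behave internally is this example's assumption: the PRI value <13>, the idea that -t rewrites each event's leading timestamp, and one-connection-per-message for -c are all guesses labelled in the comments, and the sample events and the 10.0.0.20 decoder address are constructed. Modes 4 and 5 are not modeled.

```python
"""Syslog replayer modeled on NwLogPlayer's options (added example, not RSA's tool)."""
import re
import socket
import time
from datetime import datetime, timedelta
from itertools import islice

# Constructed sample events (not captured from any real system): the kind of
# lines you would feed a custom parser to check what meta it produces.
SAMPLE_EVENTS = [
    "Jul 18 09:05:01 bastion sshd[2211]: Accepted publickey for ops from 10.1.2.3 port 51522 ssh2",
    "<86>Jul 18 09:05:02 bastion sshd[2211]: pam_unix(sshd:session): session opened for user ops",
    "Jul 18 09:05:07 bastion sudo: ops : TTY=pts/0 ; PWD=/home/ops ; COMMAND=/bin/systemctl status sshd",
]

PRI_RE = re.compile(r"^<\d{1,3}>")
# Optional PRI followed by an RFC 3164 timestamp ("Jul 18 09:05:01"; the day may be space padded).
TS_RE = re.compile(r"^((?:<\d{1,3}>)?)[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")


def add_priority(line, pri=13):
    """Prepend a syslog PRI field (raw mode 0). The value NwLogPlayer uses is not
    stated on the page; <13> (facility user, severity notice) is this example's default."""
    return f"<{pri}>{line}"


def parse_sim_time(value):
    """Parse a -t style value, yyyy-m-d-hh:mm:ss; single-digit month and day are accepted."""
    return datetime.strptime(value, "%Y-%m-%d-%H:%M:%S")


def build_messages(lines, raw_mode=0, sim_time=None, maxcnt=None, pri=13):
    """Produce the on-wire messages for the first `maxcnt` lines.

    raw_mode 0: always prepend a PRI mark, even if the line already has one
                (a file that already carries PRIs therefore ends up as "<13><86>...").
    raw_mode 1: copy lines verbatim.
    raw_mode 3: auto detect; add a PRI only to lines that lack one.
    sim_time:   assumption about -t: rewrite each event's leading timestamp to
                sim_time, advancing one second per event, so the parsed event time
                is predictable whatever the sample file contains.
    """
    out = []
    for i, line in enumerate(islice(lines, maxcnt)):
        line = line.rstrip("\r\n")
        if sim_time is not None:
            stamp = sim_time + timedelta(seconds=i)
            rfc3164 = f"{stamp:%b} {stamp.day:2d} {stamp:%H:%M:%S}"
            line = TS_RE.sub(lambda m: m.group(1) + rfc3164, line, count=1)
        if raw_mode == 0:
            out.append(add_priority(line, pri))
        elif raw_mode == 1:
            out.append(line)
        elif raw_mode == 3:
            out.append(line if PRI_RE.match(line) else add_priority(line, pri))
        else:
            raise ValueError(f"raw mode {raw_mode} (enVision stream / binary object) is not modeled here")
    return out


def replay(messages, server="localhost", port=514, rate=None, udp=False, multiconn=False):
    """Send messages to server:port over TCP (newline framed) or UDP; return the count sent.

    rate throttles to roughly that many events per second; as with --rate, a value the
    host cannot sustain simply has no effect. multiconn opens one TCP connection per
    message (an assumption about what -c does), which also exercises connection handling.
    """
    interval = 1.0 / rate if rate else 0.0
    sock = None
    sent = 0
    try:
        if udp:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        elif not multiconn:
            sock = socket.create_connection((server, port))
        for msg in messages:
            started = time.monotonic()
            data = msg.encode("utf-8")
            if udp:
                sock.sendto(data, (server, port))
            elif multiconn:
                with socket.create_connection((server, port)) as conn:
                    conn.sendall(data + b"\n")
            else:
                sock.sendall(data + b"\n")
            sent += 1
            if interval:
                time.sleep(max(0.0, interval - (time.monotonic() - started)))
    finally:
        if sock is not None:
            sock.close()
    return sent


if __name__ == "__main__":
    # 10.0.0.20 is an assumed Log Decoder address. This is roughly what
    #   nwlogplayer.exe -f sample.log -s 10.0.0.20 -p 514 -r 3 --rate 50 --maxcnt 1000 --udp
    # would do with the same file.
    msgs = build_messages(SAMPLE_EVENTS, raw_mode=3, sim_time=parse_sim_time("2019-7-18-09:05:00"))
    print(f"sent {replay(msgs, server='10.0.0.20', port=514, rate=50, udp=True)} events")
```

The raw mode 0 behaviour is the caveat worth knowing: if your sample file was exported with PRIs already present, replaying it in the default mode doubles the PRI and the parser under test sees "<13><86>..." rather than the line you expected, which looks like a parser bug when it is a replay setting. Use mode 3 (or mode 1) for such files.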

Limitations

Please note the following limitations when using the Log Parser Rules tab:

  • Log Decoder must be at version 11.2: For the functionality in the Log Parser Rules tab to work, your installation must have at least one Log Decoder running NetWitness version 11.2.
  • Mixed Mode: If the NetWitness Server and any Log Decoders are at version 11.2, those Log Decoders have parseall rules enabled by default and begin to parse logs accordingly. However, the 11.2 NetWitness Server does not support Log Decoders at versions earlier than 11.2, so for those the Log Parser Rules tab in the UI stays blank.
  • Meta key fields list refresh: Meta keys newly added to the Log Decoder do not appear in the meta key list in the Log Parser Rules tab immediately. They appear automatically after 24 hours, or you can restart the content server service to see them sooner.
  • Field Restrictions: Note the following field restrictions:

    • Rule name must be 64 characters or fewer.
    • Parser Name must be 3 to 30 characters, alphanumeric or underscore only, and must not match the name of any existing log parser.
    • Parser Display Name must be 64 characters or fewer, and cannot match any other parser display name.
    • Regex Expression must be 1 to 255 characters and a valid regex (capture groups are allowed but must be closed).
    • Tags cannot be duplicates.
  • Deploy only to 11.2 Log Decoders: The Deploy operation only deploys log parsers to version 11.2 Log Decoders.
  • Cannot Remove Deployed Parsers: Once deployed, you cannot delete a log parser using the UI.
  • See log for errors: Refer to the content-server log for the details of a deploy failure, including the names of the Log Decoders it affected.
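
The checks under Field Restrictions are easy to get wrong when rules are prepared in bulk and typed into the tab one at a time. The following Python function is an added example, not RSA code, that applies those restrictions to a rule before you enter it, so a name collision or an unclosed capture group is caught before the UI rejects it. The dict keys (rule_name, parser_name, display_name, regex, tags) are this example's own, the existing parser and display names must be supplied by the caller, and the case-insensitive name comparison is a conservative assumption; the page only says the name must not match an existing parser.

```python
import re

# Limits as stated in the Field Restrictions list for the Log Parser Rules tab.
MAX_RULE_NAME = 64
PARSER_NAME_RE = re.compile(r"^[A-Za-z0-9_]{3,30}$")   # 3-30 alphanumeric or underscore
MAX_DISPLAY_NAME = 64
MAX_REGEX_LEN = 255


def validate_rule(rule, existing_parser_names=(), existing_display_names=()):
    """Return a list of violations for one custom parser rule; an empty list means it passes.

    `rule` is a plain dict with keys rule_name, parser_name, display_name, regex and
    tags (this example's field names, not product identifiers). existing_* are the
    names already present on the NetWitness Server, copied from the Log Parsers list.
    """
    errors = []

    rule_name = rule.get("rule_name", "")
    if len(rule_name) > MAX_RULE_NAME:
        errors.append(f"rule name longer than {MAX_RULE_NAME} characters")

    parser_name = rule.get("parser_name", "")
    if not PARSER_NAME_RE.match(parser_name):
        errors.append("parser name must be 3-30 alphanumeric/underscore characters")
    # Case-insensitive comparison is a conservative assumption on top of the stated rule.
    if parser_name.lower() in {n.lower() for n in existing_parser_names}:
        errors.append(f"parser name {parser_name!r} already exists")

    display_name = rule.get("display_name", "")
    if len(display_name) > MAX_DISPLAY_NAME:
        errors.append(f"display name longer than {MAX_DISPLAY_NAME} characters")
    if display_name in existing_display_names:
        errors.append(f"display name {display_name!r} already used")

    regex = rule.get("regex", "")
    if not 1 <= len(regex) <= MAX_REGEX_LEN:
        errors.append(f"regex must be 1-{MAX_REGEX_LEN} characters")
    else:
        # Python's re dialect is not identical to the Log Decoder's, so this catches
        # gross errors such as an unclosed capture group, not every incompatibility.
        try:
            re.compile(regex)
        except re.error as exc:
            errors.append(f"regex does not compile: {exc}")

    tags = list(rule.get("tags", []))
    dupes = sorted({t for t in tags if tags.count(t) > 1})
    if dupes:
        errors.append(f"duplicate tags: {', '.join(dupes)}")

    return errors


if __name__ == "__main__":
    # Constructed rule for a custom sshd parser; "rhlinux" stands in for an existing parser name.
    candidate = {
        "rule_name": "ssh_accepted",
        "parser_name": "custom_sshd",
        "display_name": "Custom sshd",
        "regex": r"Accepted (\w+) for (\S+) from (\S+)",
        "tags": ["action", "user", "src"],
    }
    problems = validate_rule(candidate, existing_parser_names=["rhlinux"])
    print("ok" if not problems else "\n".join(problems))
```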
