000036562 - How to enable a log decoder in RSA NetWitness Platform to process raw syslog data that does not contain a valid priority field

Document created by RSA Customer Support Employee on Sep 26, 2018. Last modified by RSA Customer Support Employee on Feb 11, 2020 (Version 2).

Article Content

Article Number: 000036562
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.6.5, 11.x
Issue: Starting with versions 10.6.5 and 11.1, the log decoder can be configured to process raw syslog data that does not contain a valid priority (<PRI>) field. In earlier versions, syslog without a valid <PRI> field was dropped by the decoder and not processed at all.
Resolution
  1. Go to the Log Decoder > System page and click Stop Capture.
  2. Go to the Log Decoder > Explore page.
  3. Open the log decoder config node.
  4. Find the capture.device.params parameter.
  5. Add requirePri=false to its value.
  6. Restart the log decoder service using the commands below.

In 11.x:
systemctl stop nwlogdecoder.service
systemctl start nwlogdecoder.service

In 10.6.x:
stop nwlogdecoder
start nwlogdecoder
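To make concrete what the decoder is deciding on, the following is an added example in Python; it is not RSA code and does not show how NetWitness implements the option. It models a requirePri switch: each line is checked for a leading <PRI> field whose value lies in the RFC 3164/5424 range 0..191 (facility * 8 + severity). With require_pri=True such lines are dropped, as in the older decoder behaviour; with require_pri=False they are kept and given the RFC 3164 default priority 13 (user.notice). The sample log lines are constructed for the illustration, and the choice of default priority is an assumption of this model.

```python
import re

# RFC 3164/5424 priority field: "<PRIVAL>" with PRIVAL = facility * 8 + severity,
# facility 0..23 and severity 0..7, so a valid PRIVAL is 0..191.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
MAX_PRIVAL = 191

# Assumption of this model: RFC 3164 section 4.3.3 default when PRI is missing.
DEFAULT_PRI = 13  # user.notice


def parse_pri(line):
    """Return (prival, remainder) if the line starts with a syntactically
    and numerically valid <PRI> field, otherwise (None, line)."""
    m = _PRI_RE.match(line)
    if not m:
        return None, line
    prival = int(m.group(1))
    if prival > MAX_PRIVAL:
        return None, line
    return prival, line[m.end():]


def process(lines, require_pri=True):
    """Model of the requirePri switch.

    Returns (accepted, dropped). Each accepted entry is a tuple
    (prival, facility, severity, message). When require_pri is False a
    line without a valid <PRI> is kept whole as the message and assigned
    DEFAULT_PRI instead of being discarded."""
    accepted, dropped = [], []
    for line in lines:
        prival, rest = parse_pri(line)
        if prival is None:
            if require_pri:
                dropped.append(line)
                continue
            prival, rest = DEFAULT_PRI, line
        accepted.append((prival, prival // 8, prival % 8, rest))
    return accepted, dropped


# Constructed sample input: one well-formed line, one with no PRI at all,
# one with an out-of-range PRI, and one in a non-syslog timestamp format.
SAMPLE = [
    "<34>Oct 11 22:14:15 fw01 kernel: iptables DROP IN=eth0 SRC=10.1.2.3",
    "Oct 11 22:14:16 app01 sshd[1234]: Failed password for root from 10.1.2.4 port 50000 ssh2",
    "<999>Oct 11 22:14:17 app02 cron[55]: (root) CMD (run-parts /etc/cron.hourly)",
    "2018-09-26T10:00:00Z dev03 myapp: started without a priority header",
]


def summarize(require_pri):
    """Run the model over SAMPLE and return (accepted_count, dropped_count,
    list_of_prival) so the two settings can be compared side by side."""
    accepted, dropped = process(SAMPLE, require_pri=require_pri)
    return len(accepted), len(dropped), [a[0] for a in accepted]


if __name__ == "__main__":
    for setting in (True, False):
        acc, drop, privals = summarize(setting)
        print(f"requirePri={str(setting).lower()}: accepted={acc} dropped={drop} privals={privals}")
```

With the option disabled, everything that reaches the decoder on the syslog port is treated as an event: the line carrying the out-of-range <999> field above is kept verbatim, including the bogus prefix, and parsed at the default priority rather than discarded, so expect some additional non-syslog noise once requirePri=false is in place.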
