Automatic parsers download
I am a bit confused regarding automatic parsers download from Live and their deployment. I am checking the configuration that the engineer performed when SA was installed and I see only the following entry under Log Decoder --> Config --> parsers tab:
- Name: NwFlex.parser
- Live: N/A
- Date Installed: empty
My questions are:
- Was the NwFlex.parser uploaded manually and not through Live (since Live field shows N/A)?
- I am checking LIVE resources and I see that the NwFlex.parser was July 29, 2015. What is the version of the currently installed file?
- How to configure the system to check for the latest NwFlex.parser file? I have my system configured to check Live every hour, but how to download updated parsers? Please note that my feeds are being downloaded automatically.
- If parsers can be downloaded automatically, do I need to manually deploy them to my devices, or can this be an automated process?
Appreciate your help, guys.
The file 'NwFlex.parser' comes with Decoder OOTB. It isn't a Live parser. It contains a handful of very simple flex parsers in source form that were intended as a demonstration of how to write your own.
On a Log Decoder it has no purpose at all, since it contains packet parsers. Just delete it.
Even on a packet Decoder, with the move from flex to Lua it has no purpose for a system at 10.2+. For each parser in the file there is a better Lua equivalent in Live. Just delete it.
Thank you motley.
I currently have a log decoder only (packet not yet installed). What is the best practice for deploying and managing parsers? Is there any document that explains all?