Custom logs parsing on ESI, but not on SA
I've been able to successfully create a parser on the ESI toolkit and get the logs parsed for a custom device, but for some reason the logs go undetected on SA.
Under what circumstances can this happen? I've made sure that each column has been parsed successfully and under the appropriate tag, yet this problem comes up.
Any help would be appreciated.
I have the same problem: my parser works fine on ESI but does not work on SA (after I deployed it).
Maybe these tips will help you:
1. Check that all enVision fields that you use have a meta on SA (table maps).
2. Check the DeviceID; it must be unique. You can see it in the ini file.
Hope that helps you.
I've created my new custom metakeys within the table-map-custom.xml file. I've mapped those values to my ESI table-map.xml file. The meta is available in the ESI toolkit.
I've managed to successfully parse the logs of 4 out of 6 custom log files (devices).
For the two devices I haven't managed to parse, just a little bit of info (I don't know if it's relevant): these are exports of tables from a SQL database, converted to text and then to log format.
The four that were successfully parsed are the usual .text or .log formats.
Also, for each of these devices, I've found four fields within the .ini file. For some reason, DeviceType=7104 is common to all, something to do with a common parsing platform?
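One way to script the two checks suggested in the reply above, applied to the `DeviceType` value the ini files carry (an added example, not code from the thread or from RSA). All sample content is constructed, and the `mapping`/`envisionName`/`flags` and `MESSAGE`/`content` layout, including the `Transient` flag value, is an assumption about how the table-map and parser XML files are written.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed samples; file names, values and XML layout are assumptions.
INI_FILES = {
    "customdev1.ini": "DeviceType=7104\n",
    "customdev2.ini": "DeviceType=7104\n",
    "customdev3.ini": "DeviceType=7105\n",
}
TABLE_MAP = """<mappings>
  <mapping envisionName="username" nwName="user.dst" flags="None"/>
  <mapping envisionName="fld1" nwName="custom.fld1" flags="Transient"/>
</mappings>"""
PARSER = """<DEVICEMESSAGES>
  <MESSAGE id1="login" content="&lt;username&gt; from &lt;saddr&gt; &lt;fld1&gt;"/>
</DEVICEMESSAGES>"""

def duplicate_device_types(ini_files):
    """Return {DeviceType: [files]} for every value shared by several ini files."""
    seen = defaultdict(list)
    for name, text in sorted(ini_files.items()):
        m = re.search(r"^\s*DeviceType\s*=\s*(\S+)", text, re.MULTILINE)
        if m:
            seen[m.group(1)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def check_fields(parser_xml, table_map_xml):
    """Return (fields with no mapping, fields mapped but flagged Transient)."""
    flags = {m.get("envisionName"): m.get("flags", "None")
             for m in ET.fromstring(table_map_xml).iter("mapping")}
    used = set()
    for msg in ET.fromstring(parser_xml).iter("MESSAGE"):
        # Plain <field> tokens only; tokens starting with other characters are skipped.
        used.update(re.findall(r"<(\w+)>", msg.get("content", "")))
    missing = sorted(f for f in used if f not in flags)
    transient = sorted(f for f in used if flags.get(f) == "Transient")
    return missing, transient

if __name__ == "__main__":
    print("shared DeviceType:", duplicate_device_types(INI_FILES))
    print("unmapped / transient:", check_fields(PARSER, TABLE_MAP))
```
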