RSA SA - Nice Custom Parser Challenge
As per the requirement of one of our customers, I have created a customised parser for NICE, which is a Windows-based application server. So now the problem is that the parser is not being recognized in the RSA Security Analytics Log Decoder appliance.
Kindly find the raw logs and the parser files attached.
Does anyone have any idea how this parser can help to parse the NICE logs in RSA SA?
Thanks in advance to all.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
The parser needs to be changed to be a "content 2.0" parser.
If it doesn't use any content 1 tables, it is a simple modification of the XML file.
In the "VERSION" tag, just change device="" to device="2.0".
To create a package that can be uploaded through the SA GUI:
- Create folder structure "etc\devices\nice"
- Copy the nice.ini and the modified nicemsg.xml file to the nice folder
- Create a zip archive from the etc folder level (it should now contain the two files and the correct path to them)
- Rename the zip archive to nice.envision (Make sure that the "extension" is now just "envision"!)
(Trying to upload the package I created here, but potentially it is not possible in a reply)
To deploy the new log parser:
- Navigate to the device screen on the GUI
- Select Log decoder
- Choose Parsers Tab
- Click upload
- Select the nice.envision file
- Click on upload
- Restart the Log Decoder service
Hope this helps.
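The packaging steps in the reply above (flip the VERSION tag to device="2.0", place nice.ini and nicemsg.xml under etc/devices/nice, zip from the etc level, name the archive nice.envision) are easy to get subtly wrong by hand, e.g. zipping from the wrong folder or ending up with nice.envision.zip. The script below is an added example, not the poster's attachment or any RSA tooling: it builds the package in memory and then verifies the member paths and the device attribute before writing the file. The XML and INI contents are constructed placeholders; only the VERSION tag's device attribute and the folder layout come from the thread, and the member file names (nice.ini, nicemsg.xml) follow the reply.

```python
"""Build and verify a content 2.0 .envision package for a custom log parser."""
import io
import re
import zipfile
from pathlib import Path

# Constructed sample of a content 1 parser file: only device="" on the VERSION
# tag is taken from the thread; the other attributes and the MESSAGE element are
# placeholders and are not the real NICE parser definition.
SAMPLE_NICEMSG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES>
  <VERSION revision="1" device=""/>
  <MESSAGE id1="NICE_EVENT" content="placeholder message definition"/>
</DEVICEMESSAGES>
"""

# Constructed placeholder for nice.ini; the real keys are not shown in the thread.
SAMPLE_NICE_INI = "; constructed placeholder for nice.ini\nDisplayName=NICE\n"

# Matches the device="..." attribute inside the VERSION tag only.
_VERSION_DEVICE = re.compile(r'(<VERSION\b[^>]*?\bdevice=")([^"]*)(")')


def set_content_version(xml_text: str, version: str = "2.0") -> str:
    """Return xml_text with the VERSION tag's device attribute set to `version`.

    Uses a targeted substitution rather than an XML parser so the rest of the
    file (comments, attribute order, quoting) is left byte-for-byte unchanged.
    """
    new_text, count = _VERSION_DEVICE.subn(
        lambda m: m.group(1) + version + m.group(3), xml_text
    )
    if count != 1:
        raise ValueError(
            f"expected exactly one VERSION tag with a device attribute, found {count}"
        )
    return new_text


def package_members(device: str) -> dict:
    """Archive member paths, relative to the etc folder (zip always uses '/')."""
    base = f"etc/devices/{device}/"
    return {"ini": base + f"{device}.ini", "xml": base + f"{device}msg.xml"}


def build_envision_package(xml_text: str, ini_text: str, device: str = "nice",
                           convert: bool = True) -> bytes:
    """Zip the ini and (converted) xml under etc/devices/<device>/ and return the bytes."""
    members = package_members(device)
    if convert:
        xml_text = set_content_version(xml_text)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(members["ini"], ini_text)
        zf.writestr(members["xml"], xml_text)
    return buf.getvalue()


def check_package(data: bytes, device: str = "nice") -> list:
    """Return a list of problems with the package; an empty list means it looks right."""
    problems = []
    members = package_members(device)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for label, path in members.items():
            if path not in names:
                problems.append(f"missing {label} member {path}")
        extra = names - set(members.values())
        if extra:
            problems.append(f"unexpected members: {sorted(extra)}")
        if members["xml"] in names:
            xml_text = zf.read(members["xml"]).decode("utf-8")
            m = _VERSION_DEVICE.search(xml_text)
            if m is None:
                problems.append("no VERSION tag with a device attribute")
            elif m.group(2) != "2.0":
                problems.append(f'VERSION device is "{m.group(2)}", expected "2.0"')
    return problems


def package_filename(device: str = "nice") -> str:
    """The upload expects the bare .envision extension, not .envision.zip."""
    return f"{device}.envision"


def main() -> None:
    data = build_envision_package(SAMPLE_NICEMSG_XML, SAMPLE_NICE_INI)
    problems = check_package(data)
    if problems:
        raise SystemExit("package check failed: " + "; ".join(problems))
    out = Path(package_filename())
    out.write_bytes(data)
    print(f"wrote {out} ({len(data)} bytes)")


if __name__ == "__main__":
    main()
```

Run it in the folder that holds your real nicemsg.xml and nice.ini after replacing the two SAMPLE_ constants with the file contents; the check_package step is the part worth keeping, since a package zipped one level too deep or still carrying device="" uploads without error but is never recognized by the Log Decoder.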