After upgrading the RSA Security Analytics environment to 10.6.4.0, logs are no longer parsed by the custom parsers.
In Investigation, sessions appear with device.type set to the default parser name instead of the custom one. For example, device.type appears as mcafeewg even though the custom_mcafeewg parser is enabled.
The Log Decoder's Config page shows that the custom parsers are enabled while the defaults are disabled or completely removed. Checking the /etc/netwitness/ng/envision/etc/devices folder also confirms that the custom parsers are in the correct folders.
In 10.6.4, if logs are collected via typespec files, the parser name is embedded in the typespec file which is found under /etc/netwitness/ng/logcollection/content/collection/file. The example below is from the /etc/netwitness/ng/logcollection/content/collection/file/webgateway.xml file.
This is where device.type stems from, not from the ini file under /etc/netwitness/ng/envision/etc/devices/<parser>.
As a result, the logs are parsed by the device parser with the matching name (e.g. mcafeewg) rather than by the custom parser, which is why the unexpected results are returned.
To resolve the issue, modify the parser name between <parser> and </parser> in /etc/netwitness/ng/logcollection/content/collection/file/<parser_name>.xml. For example, for a custom device parser named custom_mcafeewg to parse McAfee Web Gateway logs:
Restart the Log Collector and Log Decoder services after making the changes.
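As an added check that is not part of the RSA article, the script below reads a typespec file's <parser> element and flags it when it still names a default parser while only the custom_<name> variant is enabled on the Log Decoder; it can also rewrite the element in place. The element layout around <parser> in the constructed sample and the hand-supplied list of enabled parsers are assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List, Set

# Directory named in the article; layout of the XML around <parser> is assumed.
TYPESPEC_DIR = "/etc/netwitness/ng/logcollection/content/collection/file"

# Constructed sample typespec: only the <parser> element comes from the article.
SAMPLE_TYPESPEC = """<?xml version="1.0" encoding="UTF-8"?>
<typespec>
  <name>webgateway</name>
  <parser>mcafeewg</parser>
</typespec>
"""

def parser_names(typespec_xml: str) -> List[str]:
    """Return the text of every <parser> element in a typespec document."""
    root = ET.fromstring(typespec_xml)
    return [(elem.text or "").strip() for elem in root.iter("parser")]

def find_mismatches(parsers: Iterable[str], enabled: Set[str]) -> List[str]:
    """Parser names the typespec points at that are not enabled on the Log
    Decoder while custom_<name> is: those sessions get the default device.type
    and bypass the custom parser, which is the symptom the article describes."""
    return [p for p in parsers if p not in enabled and f"custom_{p}" in enabled]

def retarget(typespec_xml: str, old: str, new: str) -> str:
    """Rewrite <parser>old</parser> to <parser>new</parser> with a targeted
    substitution so the rest of the file (declaration, comments) is untouched."""
    pattern = rf"<parser>\s*{re.escape(old)}\s*</parser>"
    return re.sub(pattern, f"<parser>{new}</parser>", typespec_xml)

def audit_directory(enabled: Set[str], directory: str = TYPESPEC_DIR) -> dict:
    """Map each typespec file in the directory to its mismatched parser names."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".xml"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            bad = find_mismatches(parser_names(fh.read()), enabled)
        if bad:
            report[name] = bad
    return report

if __name__ == "__main__":
    # Offline run on the sample: custom_mcafeewg enabled, default mcafeewg
    # disabled, typespec still naming mcafeewg.
    enabled_parsers = {"custom_mcafeewg"}
    print(find_mismatches(parser_names(SAMPLE_TYPESPEC), enabled_parsers))  # ['mcafeewg']
    fixed = retarget(SAMPLE_TYPESPEC, "mcafeewg", "custom_mcafeewg")
    print(parser_names(fixed))  # ['custom_mcafeewg']
```

Run audit_directory with the set of parsers shown as enabled on the Log Decoder Config page to list every typespec that needs the same edit before restarting the services.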