November Update - "parse" attribute changes
Looking at several of the devices in the November content update, a lot of the changes on the devices we use/care about seem to be flipping the "parse" attribute in the UDS from 0 to 1. Per my weak understanding of UDS, this means that these message definitions have previously existed, but were not being parsed. Can anyone confirm and, better yet, explain why this happens in the stock parsers?
An example of this is found in the Cisco PIX update <http://edelivery.rsasecurity.com/patches/rsa_env/content_updates/docs/Event%20Source%20Update/conten...>.
The "parse" attribute defines whether a message is made available to the analytic tools within enVision such as querying, reporting, and alerting.
In the past the logic behind this was, out of the box, to turn parsing off for messages that were determined to be just noise and had no security relevance. There are remnants of this in devices that have been supported for a very long time such as ciscopix.
The current best practice is to set ALL messages out of the box to parse. All customer environments, requirements, and usage of enVision are different. It is best to leave the tuning of message parsing up to the user.
This is configurable by the user through the GUI at: Overview >> System Configuration >> Messages >> Manage Messages To Parse >> <Device Display Name>.
If a message is set to NOT parse by the user, the ESU respects it and migrates it properly.
All devices that are converted to content 2.0 are held to this best practice and during the transition all messages will be set to parse (unless set to not parse by user). The same holds true for all new devices.