This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-11-08 11:37 AM

November Update - "parse" attribute changes

Looking at several of the devices in the November content update, a lot of the changes on the devices we use/care about seem to be flipping the "parse" attribute in the UDS from 0 to 1. Per my weak understanding of UDS, this means that these messages definitions have previously existed, but were not being parsed. Can anyone confirm and, better yet, explain why this happens in the stock parsers?

 

An example of this is found in the Cisco PIX update <http://edelivery.rsasecurity.com/patches/rsa_env/content_updates/docs/Event%20Source%20Update/conten...>.

 

Thanks!

 

David

0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2010-11-10 09:06 AM

The "parse" attribute defines whether a message is made available to the analytic tools within enVision such as querying, reporting, and alerting. 

 

In the past the logic behind this was, out of the box, to turn parsing off for messages that were determined to be just noise and had no security relevance. There are remnants of this in devices that have been supported for a very long time such as ciscopix.

 

The current best practice is to set ALL messages out of the box to parse. All customer environments, requirements, and usage of envision are different. It is best to leave the tuning of message parsing up to the user. 

 

This is configurable by the user through the GUI at - Overview >> System Configuration >> Messages >> Manage Messages To Parse>> <Device Display Name>.

 

If a message is set to NOT parse by the user the ESU respects it and migrates it properly.

 

All devices that are converted to content 2.0 are held to this best practice and during the transition all messages will be set to parse (unless set to not parse by user). The same holds true for all new devices.

 

Thanks.

Jim

 

 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.