Jonathan Saxon

Help Us Help You:  When Reporting Log Parser Problems

Discussion created by Jonathan Saxon Employee on Jun 29, 2017

If you find a problem with a parser not working properly, especially after you deploy a new parser update, please provide the following information when opening your case.

Parser Information

Name of the parser

Version of the parser - the first three lines of the parser's .xml file show this information (see the example below)

Date parser was deployed

If at all possible, export some sample logs that reproduce the problem and attach them to your case when you create it. Seeing the actual logs greatly helps the content team.

Please also include any relevant snippets from /var/log/messages that indicate a problem with the parser in question.

And remember to redact any proprietary information (for example internal hostnames and addresses) from the logs and snippets according to your security policies before attaching them.

Sample snort.envision XML File (v20_snortmsg.xml)

<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<VERSION device="2.0" enVision="21050025" revision="105" checksum="15d16229b4365ddb6d1b19447b2f7986" xml="269"/>

In the example above, "revision" is the ESU number and "xml" is the parser version.

This information is also found in the description field on the detailed view of a parser in the Security Analytics WebUI.
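The following is an added example, not code from the original post or from the product: a small Python script that collects the items requested above from a decoder host. It reads only the first three lines of a parser file (decoding them as the ISO-8859-1 the header declares), pulls the ESU number (`revision`) and parser version (`xml`) out of the VERSION element, selects the /var/log/messages lines that mention the parser, and masks IPv4 addresses before anything is attached to a case. The sample header reuses the attribute values quoted above; the sample log lines, their wording and the deployment date are constructed for the example and are not the real decoder log format.

```python
import re
import tempfile

# Constructed sample of the first three lines of a parser file, modelled on the
# v20_snortmsg.xml header quoted in the post (same attribute values).
SAMPLE_HEADER = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<DEVICEMESSAGES>\n'
    '<VERSION device="2.0" enVision="21050025" revision="105" '
    'checksum="15d16229b4365ddb6d1b19447b2f7986" xml="269"/>\n'
)

# Constructed /var/log/messages lines. The message wording is hypothetical and
# is not the real decoder log format; only the parser name matters here.
SAMPLE_MESSAGES = [
    "Jun 29 10:01:02 decoder1 NwLogDecoder[1234]: parser snort loaded",
    "Jun 29 10:01:03 decoder1 NwLogDecoder[1234]: parser ciscoasa loaded",
    "Jun 29 10:05:44 decoder1 NwLogDecoder[1234]: snort: no match for event from 10.20.30.40",
]

VERSION_RE = re.compile(r"<VERSION\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_version_header(header_text):
    """Return the attributes of the <VERSION .../> element as a dict, adding
    'esu' (the revision attribute) and 'parser_version' (the xml attribute),
    the two values the content team asks for."""
    m = VERSION_RE.search(header_text)
    if m is None:
        raise ValueError("no <VERSION .../> element in the supplied header")
    attrs = dict(ATTR_RE.findall(m.group(1)))
    missing = [k for k in ("revision", "xml") if k not in attrs]
    if missing:
        raise ValueError(f"VERSION element lacks attribute(s): {missing}")
    return {**attrs, "esu": attrs["revision"], "parser_version": attrs["xml"]}


def read_parser_header(path, lines=3):
    """Read only the first `lines` lines of a parser file. Parser files declare
    ISO-8859-1, so decode the bytes with that codec, not the locale default."""
    with open(path, "rb") as f:
        raw = b"".join(f.readline() for _ in range(lines))
    return raw.decode("iso-8859-1")


def find_parser_messages(log_lines, parser_name):
    """Select log lines that mention the parser name as a whole word."""
    pat = re.compile(r"\b" + re.escape(parser_name) + r"\b", re.IGNORECASE)
    return [line for line in log_lines if pat.search(line)]


def redact(line):
    """Mask IPv4 addresses before the lines leave the organisation. Add further
    patterns for whatever your own policy classes as proprietary."""
    return IPV4_RE.sub("[redacted-ip]", line)


def build_report(parser_name, header_text, log_lines, deployed_on):
    """Assemble the fields requested in the post into one dict for the case."""
    v = parse_version_header(header_text)
    return {
        "parser": parser_name,
        "esu": v["esu"],
        "parser_version": v["parser_version"],
        "checksum": v.get("checksum"),
        "deployed": deployed_on,
        "messages": [redact(l) for l in find_parser_messages(log_lines, parser_name)],
    }


def demo():
    """Write the sample header to a temporary file, read it back the way a real
    parser file would be read, and build a report (date is constructed)."""
    with tempfile.NamedTemporaryFile("wb", suffix=".xml", delete=False) as f:
        f.write(SAMPLE_HEADER.encode("iso-8859-1"))
        path = f.name
    header = read_parser_header(path)
    return build_report("snort", header, SAMPLE_MESSAGES, "2017-06-29")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real decoder, point `read_parser_header` at the deployed parser file and feed `find_parser_messages` the lines of /var/log/messages; review the redacted output before attaching it, since the masking covers only IPv4 addresses.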

Snort Parser Details