Help Us Help You: When Reporting Log Parser Problems
If a parser stops working properly, especially after you deploy a parser update, please include the following information when you open your case.
Name of the parser
Version of the parser - the VERSION element in the first lines of the parser XML file shows this information (see the example below.)
Date parser was deployed
If at all possible, export some sample logs that show the problem and attach them to your case when you create it. Seeing the actual logs greatly helps the content team.
Please also include any relevant snippets from /var/log/messages that indicate a problem with the parser in question.
Remember to redact any proprietary information (internal hostnames, addresses, usernames) from the logs and snippets according to your security policies.
Sample snort.envision XML File (v20_snortmsg.xml)
<?xml version="1.0" encoding="ISO-8859-1"?>
<VERSION device="2.0" enVision="21050025" revision="105" checksum="15d16229b4365ddb6d1b19447b2f7986" xml="269"/>
In the example above, "revision" is the ESU number and "xml" is the parser version.
This information is also found in the description field on the detailed view of a parser in the Security Analytics WebUI.
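The following script gathers the items requested above from the command line of the Log Decoder: it reads the ESU number and parser version out of the VERSION element of a parser XML file, pulls the lines that mention the parser out of a /var/log/messages-style file, and masks IPv4 addresses before anything is attached to a case. It is an added example written for this article, not RSA tooling. The parser header is the one shown above; the syslog lines and their message text are constructed for the demonstration and do not represent a documented Log Decoder message format.

```python
"""Collect parser-version details and related syslog lines for a support case.

Added example for this article, not RSA/NetWitness code. The syslog sample
lines below are constructed; their message text is hypothetical.
"""
from __future__ import annotations

import re
from pathlib import Path
import xml.etree.ElementTree as ET

# The two header lines shown in the article (v20_snortmsg.xml).
SAMPLE_PARSER_XML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<VERSION device="2.0" enVision="21050025" revision="105" checksum="15d16229b4365ddb6d1b19447b2f7986" xml="269"/>
"""

# Constructed /var/log/messages excerpt. Process name and message text are
# hypothetical; the third line is unrelated noise that must be filtered out.
SAMPLE_MESSAGES = """Jan 12 10:02:31 logdecoder NwLogDecoder[2144]: [Parse] [info] loaded parser snort
Jan 12 10:02:31 logdecoder NwLogDecoder[2144]: [Parse] [warning] snort: message 1234 did not match any header
Jan 12 10:02:32 logdecoder sshd[3101]: Accepted publickey for admin from 10.0.0.5 port 51022
"""

# Only the self-closing VERSION element is parsed. A parser file carries other
# top-level elements after it, so feeding the whole file to a strict XML
# parser is not reliable; the header element alone is always well-formed.
VERSION_RE = re.compile(rb"<VERSION\b[^>]*/>")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parser_version_info(xml_bytes: bytes) -> dict:
    """Return the VERSION attributes, naming revision as the ESU and xml as the parser version."""
    match = VERSION_RE.search(xml_bytes)
    if match is None:
        raise ValueError("no <VERSION .../> element found in parser file header")
    elem = ET.fromstring(match.group(0))
    return {
        "device": elem.get("device"),
        "envision": elem.get("enVision"),
        "esu": elem.get("revision"),          # "revision" is the ESU number
        "parser_version": elem.get("xml"),    # "xml" is the parser version
        "checksum": elem.get("checksum"),
    }


def parser_log_lines(messages_text: str, parser_name: str) -> list:
    """Return the syslog lines that mention the parser name as a whole word."""
    pattern = re.compile(rf"\b{re.escape(parser_name)}\b", re.IGNORECASE)
    return [line for line in messages_text.splitlines() if pattern.search(line)]


def redact(line: str) -> str:
    """Mask IPv4 addresses; extend with your own hostname/user patterns as policy requires."""
    return IPV4_RE.sub("[REDACTED-IP]", line)


def build_case_report(parser_name: str, xml_bytes: bytes, messages_text: str, deployed_on: str) -> str:
    """Assemble the fields the article asks for into one text block ready to paste into a case."""
    info = parser_version_info(xml_bytes)
    lines = [
        f"Parser name: {parser_name}",
        f"ESU number (revision): {info['esu']}",
        f"Parser version (xml): {info['parser_version']}",
        f"Checksum: {info['checksum']}",
        f"Deployed on: {deployed_on}",
        "Relevant /var/log/messages lines:",
    ]
    lines += ["  " + redact(l) for l in parser_log_lines(messages_text, parser_name)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: point these at the deployed parser and the live syslog file.
    # xml_bytes = Path("/etc/netwitness/ng/envision/etc/devices/snort/v20_snortmsg.xml").read_bytes()
    # messages = Path("/var/log/messages").read_text(errors="replace")
    print(build_case_report("snort", SAMPLE_PARSER_XML, SAMPLE_MESSAGES, "2024-01-12"))
```

The whole-word match on the parser name keeps the output short, but a parser whose name is also a common word will need a tighter pattern; check the result before attaching it.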