
Event logs from Linux servers are mapping to multiple parsers

Question asked by Visham Rawat on Aug 6, 2018
Latest reply on Aug 8, 2018 by Eric Partington

Linux server event logs are mapping to the crossbeamc parser as well as rhlinux.


Question: does a distinct event log [1 distinct event message] map to multiple parsers, or is it mapped to the 1st parser in the list of activated parsers? How does this work?

For example, if the header of an event log is common to 2 or more parsers, will that particular event log map to both of them, or only to 1 of them, based on some criterion?


Also, if I were to force-map the event source to rhlinux, how would I be guaranteed that the event logs currently being mapped to crossbeamc will start falling under rhlinux? What if they then start reporting as unknown?


If anybody could provide some clarity on how parsing works on a per-message or per-event-log basis, and also on what exactly happens when multiple parsers are matched, that would help. Do they all match the same event log message, or does a particular parser take precedence? And if such is the case [precedence], then how are we to know that a particular parser mapping is the result of a choice between multiple parsers? What if we turn off the one wrongly matching [e.g. crossbeamc], and those event log types [matching crossbeamc] then don't match where expected [e.g. rhlinux]?


A little clarity on this would be very helpful.


RSA Security Analytics 10.6.4 RSA NetWitness Platform