We have uploaded a custom parser for ingesting mainframe event logs. I am new to RSA and need to verify the parser is working correctly. What would be the best way to accomplish this?
If it is parsing correctly, you will see it showing up under investigation on the log collector. It will show up under device type, and if you aren't seeing the parsed event, search source IP for that address in Investigation and see if you are getting logs coming in that are not being parsed. If they are coming in and not being parsed, they will show up as unknown. You then know your parser is A. not loaded or B. is loaded and not parsing properly. Hope this helps.
On the log decoder you should be able to upload a log file. I would then search by device ip and see what you get.
And just to verify, you have both a header and message IDs for the new parsing file?
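A quick offline sanity check for the question above, added here as an example rather than anything posted in the thread: it loads a custom log parser XML and confirms it has a HEADER and at least one MESSAGE with IDs before it goes anywhere near the decoder. The element and attribute names (DEVICEMESSAGES, HEADER, MESSAGE, id1, content, the `<messageid>` token in the header) are assumed from the common NetWitness parser layout, and both sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample parser files (not from the thread); element and attribute
# names are assumed from the usual NetWitness parser layout.
SAMPLE_PARSER = """<?xml version="1.0" encoding="UTF-8"?>
<DEVICEMESSAGES name="mainframe" displayname="Mainframe Events" group="Host">
  <VERSION xml="1" revision="1" device="2.0"/>
  <HEADER id1="HDR0001" id2="HDR0001"
          content="&lt;hmonth&gt; &lt;hday&gt; &lt;htime&gt; &lt;hhost&gt; &lt;messageid&gt;: &lt;!payload&gt;"/>
  <MESSAGE id1="ICH70001I" id2="ICH70001I" eventcategory="1401000000"
           content="&lt;username&gt; LAST ACCESS AT &lt;fld1&gt;"/>
</DEVICEMESSAGES>
"""

# Same file, but the header never captures <messageid>, so no MESSAGE can match.
BROKEN_PARSER = SAMPLE_PARSER.replace("&lt;messageid&gt;", "&lt;fld2&gt;")


def check_parser(xml_text):
    """Return a list of structural problems; an empty list means the checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "DEVICEMESSAGES":
        problems.append("root element is %s, expected DEVICEMESSAGES" % root.tag)
    headers = root.findall("HEADER")
    messages = root.findall("MESSAGE")
    if not headers:
        problems.append("no HEADER element")
    if not messages:
        problems.append("no MESSAGE element")
    # Every HEADER and MESSAGE needs an id and a content pattern to be usable.
    for tag, elems in (("HEADER", headers), ("MESSAGE", messages)):
        for e in elems:
            for attr in ("id1", "content"):
                if not e.get(attr):
                    problems.append("%s missing %s" % (tag, attr))
    # The header content must capture <messageid>; that value is what selects a MESSAGE.
    for h in headers:
        if "<messageid>" not in (h.get("content") or ""):
            problems.append("HEADER %s does not capture <messageid>" % h.get("id1"))
    # Duplicate message ids make matching ambiguous; flag them.
    seen = set()
    for m in messages:
        mid = m.get("id1")
        if mid in seen:
            problems.append("duplicate MESSAGE id1 %s" % mid)
        seen.add(mid)
    return problems
```

If this reports problems, fix the file before uploading; if it is clean and events still land under "unknown", the issue is on the decoder side (parser not loaded or collection settings), not the file structure.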
When I do that Upload Log File is grayed out.
You have to stop collection to upload a log file. Unless you are already sending the logs to SA.