Hello, is there a way to edit an already deployed parser (as in RSA envision) to match content from an event?
Log parsers are located on the log decoder in the following location: /etc/netwitness/ng/envision/etc/devices/
Each device has its own folder with an XML file - you can edit the XML file.
Just be careful when deploying updates from LIVE as they may overwrite your modified XML file.
If we migrate enVision over to SA, can we re-use the parsers which were already created in enVision? Just copy and paste?
Yes and no, the only thing I know you need to change is the filename. In enVision it would be ciscoasamsg.xml in SA it needs to be v20_ciscoasamsg.xml.
I actually had to take the entire Linux one from enVision and use it in SA because of parsing issues.
Thanks for the information. I'm wondering why SA didn't contain those parsers by default.
No, the name doesn't matter (except it should be in lowercase, but maybe RSA fixed that). The parser itself should use Content 2.0 tables, or it won't even be displayed in the SA interface.
Now, regarding customized built-in parsers: I just don't update them; I customize them further if any problems occur.
They will overwrite, not may.
Personally, what I do is not keep the new parsers on subs; instead I download them to my desktop first, compare them, and then just keep my custom parser updated. This works if you don't have a lot of custom stuff.
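The two practical points in this thread are that a Live deployment overwrites any device XML you have hand-edited, and that the workable defence is to compare the incoming parser with your customized copy and merge. The script below is an added example, not something from the thread or from RSA: it snapshots every device XML under the parser directory (the path named above; the backup location is an assumed choice), then after a deployment reports which customized files changed and produces a unified diff for merging. The demo at the end builds a constructed parser tree with placeholder XML in a temporary directory, since real device XML is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the thread or from RSA). Snapshot device parser XML before
# deploying content from Live, then list what the deployment overwrote and diff it.
# DEVICES_DIR is the path given in the thread; PARSER_BACKUP is an assumed location.
DEVICES_DIR="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"
PARSER_BACKUP="${PARSER_BACKUP:-/var/tmp/parser-backup}"

# manifest DIR: one "sha256  ./device/file.xml" line per device XML below DIR.
manifest() {
    (cd "$1" && find . -type f -name '*.xml' -exec sha256sum {} + | sort -k2)
}

# snapshot_parsers DIR BACKUP: copy every device XML into BACKUP and record checksums.
snapshot_parsers() {
    rm -rf "$2" && mkdir -p "$2" || return 1
    backup=$(cd "$2" && pwd)
    (cd "$1" && find . -type f -name '*.xml' | while IFS= read -r f; do
        mkdir -p "$backup/$(dirname "$f")" && cp -p "$f" "$backup/$f"
    done)
    manifest "$1" > "$backup/manifest.sha256"
}

# overwritten_parsers DIR BACKUP: print files whose checksum differs from the snapshot.
# Files Live added that were not in the snapshot are not reported; nothing custom was lost.
overwritten_parsers() {
    manifest "$1" | awk 'NR == FNR { old[$2] = $1; next }
                         ($2 in old) && old[$2] != $1 { print $2 }' \
        "$2/manifest.sha256" -
}

# diff_parser DIR BACKUP FILE: unified diff of your snapshot copy against the deployed file,
# i.e. what you need to merge back into the stock parser.
diff_parser() {
    diff -u "$2/$3" "$1/$3"
}

# Demo on a constructed tree: two devices, one customized parser, then a simulated Live
# deployment that replaces the customized file. Prints the overwritten parser path.
demo_parser_overwrite() {
    work=$(mktemp -d)
    dev="$work/devices"; bak="$work/backup"
    mkdir -p "$dev/ciscoasa" "$dev/linux"
    # constructed placeholder content, not real device XML
    printf '<!-- constructed: stock rules plus our custom rule -->\n' > "$dev/ciscoasa/v20_ciscoasamsg.xml"
    printf '<!-- constructed: stock rules -->\n' > "$dev/linux/v20_linuxmsg.xml"
    snapshot_parsers "$dev" "$bak"
    # simulated Live deployment: stock file replaces the customized one, linux untouched
    printf '<!-- constructed: stock rules -->\n' > "$dev/ciscoasa/v20_ciscoasamsg.xml"
    overwritten_parsers "$dev" "$bak"
    rm -rf "$work"
}

# Stand-alone run uses the constructed tree; on a decoder call the functions with
# "$DEVICES_DIR" "$PARSER_BACKUP" before and after the Live deployment instead.
demo_parser_overwrite
```

On a decoder the sequence is `snapshot_parsers "$DEVICES_DIR" "$PARSER_BACKUP"` before deploying, then `overwritten_parsers ...` and `diff_parser ... ./device/file.xml` afterwards; the diff is read from the snapshot copy, so the merge is done into the freshly deployed stock file rather than by blindly restoring the old one, which would discard whatever the update fixed.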