How to deploy the event source package created by ESI?
You need to create the parser the usual way in ESI. Then you need to take the event source package xml and ini files and put them in a new folder that you create in the parsers folder (/etc/netwitness/ng/envision/etc/devices) on log decoder.
There are limitations:
1) the parser/folder name should be in lowercase and must not contain any special characters
2) the parser content should be 2.0
For ODBC/file event sources you need to setup additional service configs.
I wonder why there is no documentation for this.
can you find any document from internal?
I don't have any, I don't work for EMC/RSA
Just sharing my experience on SA/Envision. I gave quite a full overview of the process - just restart the decoder services after you upload the files. Also there's a document about ESI on SCOL.
Only has document on ESI, not on how to integrate with SA.
Also for SA, only documents is docs.netwitness.com which is very limited.
Yes, I know - can't do nothing about that.
So you should make event source package using ESU and docs from SCOL. After that you can deploy the xml and ini (located in your package e.g. yourdevice\update_content\etc\devices\yourdevice) file on log decoder:
1) Copy ini and xml from event source package to newly created folder in /etc/netwitness/ng/envision/etc/devices on SA log decoder
2) Make sure you used content 2.0 and have your new file's names in lowercase
3) Restart decoder services
Yes,i got it.
I manually modified the xml file, now it shows as parser.
How can ESI do below step?
You should apply ESU (event source update) - client side to get the 2.0 tables in ESI. The ESU docs have the list of 2.0 tables.
You will get SA meta only for 2.0 tables.
Thanks a lot. Downloading now. Will try out.
The result xml(testing.xml) is not v20, i checked /etc/netwitness/ng/envision/etc/devices/aix, the xml file name is v20_pixmsg.xml, how to make it v20?
The xml filename doesn't have to do anything with it's content. It's just how the guy who wrote the parser decided to name it.
To make content 2.0 parser you should use content 2.0 table (the full list of them is in ESU docs, for example unix or access tables). You can check that you've used the right table - you will have "device="2.0"" field in the ESI generated parser xml header.
thanks. got it.
For the <version xml=1> , does it mater?
#Event source XML file version:2.0
#Log collection method:
#Date&Time:Thu Oct 24 22:39:13 SGT 2013-->
The device parameter must be 2.0. If the the xml file doesn't have device="2.0" it means that the parser is not 2.0 compatible.
thanks guys. will test out.
You do not actually have to restart the service on the Log Decoder. You can do the following to load the new parser.
1. Login to the NetWitness web interface.
2. Administration > Services > Log Decoder > View > Explore > Decoder (expand) > Parsers (right click) > Properties
3. On the right side of the screen in the bottom panel in the drop down box choose Reload > Send
4. Check the logs to see if the parser loaded correctly.[root@logdecoder1 ~]# cat /var/log/messages | grep loaded
Mar 30 21:15:37 logdecoder1 NwLogDecoder: [LogParse] [info] File paloaltonetworks content loaded
Retrieving data ...