
Checkpoint CEF logs are not parsing due to automap maps device.ip to different parser in RSA NetWitness Platform

Issue

On the INVESTIGATE -> Events page, applying the query device.type=checkpointfw1 && device.class !exists returns Checkpoint CEF logs that have not been parsed (no device.class is populated).

Going to LogDecoder -> Config -> Parser Mappings shows the Checkpoint device.ip mapped to checkpointfw1.
Deleting this entry resolves the parsing issue, but the parser mapping reappears after some time and the logs are once again sent to the wrong parser.

Cause

This is caused by the automap feature, which maps the Checkpoint device.ip to the checkpointfw1 parser. CEF logs are normally parsed by the cef parser instead.


Resolution

Follow the steps below to disable automap permanently.

Note: These steps permanently stop future ESM Discovery from automatically mapping device.ip to device.type in ADMIN -> Event Sources.

  1. Log in to the NW Server (Node0) over SSH (for example with PuTTY) and add the lines below to the /usr/lib/systemd/system/rsa-sms.service file, in the [Service] section after the ExecStart line.
    ExecStartPost=/usr/bin/sleep 30
    ExecStartPost=/opt/rsa/sms/bin/automap -off

    sample output:
    # cat /usr/lib/systemd/system/rsa-sms.service
    [Unit]
    Description=RSA NetWitness SMS :: Server
    After=network.target rabbitmq-server.service mongod.service

    [Service]
    ExecStart=/opt/rsa/sms/bin/sms start
    ExecStartPost=/usr/bin/sleep 30
    ExecStartPost=/opt/rsa/sms/bin/automap -off
    Type=forking

    [Install]
    WantedBy=multi-user.target
  2. Run the systemctl daemon-reload command so systemd picks up the edited unit file.
  3. Run /opt/rsa/sms/bin/automap -off to disable automap immediately.
  4. Verify the automap status using the command below.
    /opt/rsa/sms/bin/automap -?
    [main] INFO com.rsa.smc.esm.core.jmx.tools.JmxAutomaticMapping - automatic mapping is disabled
  5. Locate the LogDecoder collecting the Checkpoint CEF logs, go to LogDecoder -> Config -> Parser Mappings and delete the existing Checkpoint device.ip = checkpointfw1 entry.
  6. Verify that the latest Checkpoint logs parse correctly, i.e. the query device.type=checkpointfw1 && device.class !exists no longer returns them.

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Summary

This document outlines the procedure for fixing Checkpoint CEF parsing issues by disabling the automap feature.
