
How to direct the RSA Security Analytics Log Decoder to use a specific device parser when collecting logs from a given event source (10.3.4 and higher)

Issue

How to direct the RSA Security Analytics Log Decoder to use a specific device parser when collecting logs from a given event source (10.3.4 and higher).


Resolution

This is done via the "Explore" view on the Log Decoder. Below are the steps to set this up.

1. Select the "Explore" view for the Log Decoder.

2. Navigate to /decoder/parsers.

3. Right-click "parsers" and select "Properties".

4. From the drop-down, select "ipdevice".

This command takes the following parameters (as shown in the command's own description):

Map Ip to Device type in log parsing. Take effect after parser reload
security.roles: parsers.manage
parameters:
   op - The operation to performed(edit|describe).edit is editing the entries. describe is returning all exist ip2device entries.
   entries - The Ip entries. StringParam in format of '+/-ip=device'. + means adding or editing a map entry, - means delete a map entry
   reload - Flag to reload parser after this command

5. In the parameters field, enter "op=edit entries=+192.168.183.123=aix reload=true".

6. Then enter "op=describe" to confirm the entry.

7. That device will now be forced to use the "aix" parser.

Parser names can be found by going to LogDecoder -> Config and looking at the Device Parsers Configuration section.

All of this device-to-parser mapping is held in the following configuration file:

    /etc/netwitness/ng/envision/etc/devicetbl.xml

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.


Notes

Further Sample Entries and Explanations


1. op=edit entries="+101.5.245.9=ciscoasa +101.5.245.45=vmware_vcloud" Click Send.
This creates two different entries with different IPv4 values and device types.

2. op=edit entries="-101.5.245.9=ciscoasa" Click Send.
This removes an entry for a single IPv4 value and device type.

3. op=edit entries="+ 2001:0db8:85a3:0000:0000:8a2e:0370:7353=vmware_esx_esxi" Click Send.
This creates a single entry for an IPv6 value and device type.

4. op=edit entries="+19.168.0.2,nwappliance20819=rhlinux +19.168.0.2,nwappliance3014=apache" Click Send.
This creates an entry for a single IPv4 value that has two device types. Each device type is sent to a different collector.

5. op=edit entries="+RS214Server-2=rhlinux,apache" reload=true Click Send.
This creates an entry for a single hostname with two different device types. This is the last example, so the parsers were reloaded.
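The entries syntax used in the sample entries above, worked through in code. This is an added Python helper, not part of this article and not Log Decoder code: it splits an ipdevice entries string into add/delete operations, classifies each source as IPv4, IPv6 or hostname, and replays the five sample batches into a local table to show what "op=describe" would be expected to list. It assumes the format exactly as shown above (sign, source, "=", comma-separated device list), and it tolerates the space after "+" seen in example 3; whether the Log Decoder itself tolerates that space is not stated in this article.

```python
import ipaddress
import re

# Constructed input: the five sample batches from this article's Notes section.
SAMPLE_BATCHES = [
    '+101.5.245.9=ciscoasa +101.5.245.45=vmware_vcloud',
    '-101.5.245.9=ciscoasa',
    '+ 2001:0db8:85a3:0000:0000:8a2e:0370:7353=vmware_esx_esxi',
    '+19.168.0.2,nwappliance20819=rhlinux +19.168.0.2,nwappliance3014=apache',
    '+RS214Server-2=rhlinux,apache',
]

# One entry: a '+' or '-' sign, optional whitespace (assumption, see lead-in),
# a source key without '=' or whitespace, then '=' and a device list.
ENTRY_RE = re.compile(r'([+-])\s*([^=\s]+)=(\S+)')


def parse_entries(entries):
    """Return [(op, source, [device, ...]), ...] or raise on malformed text."""
    leftover = ENTRY_RE.sub('', entries).strip()
    if leftover:
        raise ValueError('unparsed text in entries: %r' % leftover)
    return [(op, source, devices.split(','))
            for op, source, devices in ENTRY_RE.findall(entries)]


def classify(source):
    """Classify the address part of a source key (before any ',hostname')."""
    address = source.split(',', 1)[0]
    try:
        return 'ipv%d' % ipaddress.ip_address(address).version
    except ValueError:
        return 'hostname'


def apply_batches(batches, table=None):
    """Replay edit batches into a dict {source: [devices]} and return it."""
    table = {} if table is None else dict(table)
    for batch in batches:
        for op, source, devices in parse_entries(batch):
            if op == '+':
                table[source] = devices      # add or replace the mapping
            else:
                table.pop(source, None)      # '-' deletes the mapping
    return table


if __name__ == '__main__':
    for source, devices in sorted(apply_batches(SAMPLE_BATCHES).items()):
        print('%-45s %-8s %s' % (source, classify(source), ','.join(devices)))
```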


Internal Comments

David Waugh -- 8/8/2015
There were some formatting errors in the conversion. Changed some ? to "

Jeff Shurtliff -- 8/8/2014
Technically reviewed the article and changed its status to Copy Edited. Modified the Goal and Fact statements to adhere to Primus best practices.

Jeff Shurtliff -- 8/26/2014
Corrected the formatting in the newly added Note statement to abide by Primus best practices.

Mike Johnson -- 3/5/2015
Fixed some formatting in the Resolution section. Changed some ? to ". Last update may not have been submitted for approval.

Product Details

RSA Security Analytics
RSA Security Analytics 10.3.4 and above
RSA Security Analytics Log Decoder
