
How to enable a log decoder in RSA NetWitness Platform to process raw syslog data that does not contain a valid priority field

Issue

In versions 10.6.5+ and 11.1+, the log decoder has an option to process raw syslog data that does not contain a valid priority (<PRI>) field. In previous versions, the decoder dropped such syslog messages and did not process them at all.
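To see which sources send syslog without a valid <PRI> field (the messages affected by this setting), the following added example, which is not RSA code, checks each raw message and counts failures per source. It assumes validity as defined in RFC 3164/5424 (1 to 3 digits, value 0 to 191, no leading zeros); the decoder's own check may differ, and the sample records are constructed.

```python
import re
from collections import Counter

# RFC 3164 / RFC 5424 PRI: "<" + 1-3 digits + ">", no leading zeros.
# Assumption: this mirrors the RFC rule, not necessarily the decoder's own check.
PRI_RE = re.compile(r"^<(0|[1-9][0-9]{0,2})>")


def parse_pri(message):
    """Return (facility, severity) if message starts with a valid PRI, else None."""
    m = PRI_RE.match(message)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:  # facility 0-23, severity 0-7, so the maximum is 23*8+7
        return None
    return divmod(value, 8)


def summarize(records):
    """records: iterable of (source, raw_message).
    Returns {source: (messages_without_valid_pri, total_messages)}."""
    missing, total = Counter(), Counter()
    for src, raw in records:
        total[src] += 1
        if parse_pri(raw) is None:
            missing[src] += 1
    return {src: (missing[src], total[src]) for src in total}


# Constructed sample records (documentation addresses, not a real capture).
SAMPLE = [
    ("192.0.2.10", "<34>Oct 11 22:14:15 host1 su: 'su root' failed for user1"),
    ("192.0.2.10", "<165>1 2003-10-11T22:14:15.003Z host1 app - ID47 - message"),
    ("192.0.2.20", "Oct 11 22:14:15 fw01 kernel: DROP IN=eth0"),          # no PRI
    ("192.0.2.20", "<999>Oct 11 22:14:15 fw01 kernel: out-of-range PRI"),  # > 191
    ("192.0.2.30", "<013>Oct 11 22:14:15 host3 app: leading-zero PRI"),    # leading 0
]

if __name__ == "__main__":
    for src, (bad, n) in sorted(summarize(SAMPLE).items()):
        print(f"{src}: {bad}/{n} messages without a valid PRI")
```

Sources with a non-zero count are the ones whose logs would be dropped unless requirePri=false is set as described in the Resolution.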


Resolution

  1. Go to the log decoder > System page and stop capture.
  2. Go to the log decoder > Explore page.
  3. Open the log decoder config.
  4. Find capture.device.params.
  5. Add: requirePri=false
  6. Restart the log decoder service using the commands below.

In 11.X:
systemctl stop nwlogdecoder.service
systemctl start nwlogdecoder.service

In 10.6.X:
stop nwlogdecoder
start nwlogdecoder

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 10.6.5, 11.X
