Information Needed for Log Parsing Issues in NetWitness Platform
Issue
Please provide the following information when reporting log parsing issues in RSA NetWitness:
- Event Source Name (the name of the device that is sending the logs):
- Event Source information can be found here: https://community.netwitness.com/t5/netwitness-platform-integrations/tkb-p/netwitness-integrations
- Event Source Version (the version of the device that is sending the logs):
- Collection Method:
- Version of NetWitness you are running:
- Parser Name:
- Parser Version: You can confirm the parser version by opening the .xml log parser file on the Log Decoder(s) in question and checking the version information at the top of the file:
# cd /etc/netwitness/ng/envision/etc/devices/<parser name>
# cat <parser name>.xml
This will display the following information in the header of the file:
xml=
checksum=
revision=
device=
- Verify if the parser in question is enabled in your environment:
- Navigate to the RSA NetWitness UI > Admin/Administration > Services > Log Decoder in question > View > Config > "Service Parsers Configuration"
- Make sure that there is a checkmark under "Config Value" next to the parser in question.
- If there is not, check the box, press "Apply," and restart the Log Decoder service on which you made the change.
- Verify if you are running the latest version of the parser in question: navigate to Live to find the parser in question, using Steps 1-2 in either of the links below:
- Deploy Log Parsers in NetWitness 11.x
- https://community.netwitness.com/t5/netwitness-platform-online/policy-based-centralized-content-management/ta-p/685739
- In either case, once you have found the parser, double click the parser search result. In the description field, it will display a "Parser Version" and an "Event Source Update" version. Make sure that the following fields match:
- The value of the "xml" field in the parser file and the "Parser Version" value in RSA Live
- The value of the "revision" field in the parser file and the "Event Source Update" value in RSA Live
- If the values between the parser xml file and the parser information in RSA Live do not match, you will need to deploy the latest version of the parser in question: How to update a parser using RSA Live in RSA NetWitness
- Note: Perform a parser reload for every Log Decoder on which a parser was deployed for the changes to take effect. The parser reload instructions can be found here: How to reload parsers on a Decoder or Log Decoder via the RSA Security Analytics UI
- If the issue still persists after deploying the latest version of the parser, please provide all of the requested information in this KB to Support.
- A list of all parsers that are enabled on the Log Decoder(s) in question:
- Navigate to the "Service Parsers Configuration" view in the UI as shown above and make a list of every parser that has a check mark next to it under "Config Value."
- Screenshots from the "Event Reconstruction" view of the logs in question displaying the issue
- An export of the logs in question - for more information on how to export events, review the following: Export Events in the Events View
- The logs can be uploaded directly into the case.
Tasks
Please provide the following information when reporting log parsing issues in RSA NetWitness:
- Event Source Name (the name of the device that is sending the logs):
- Event Source information can be found here: RSA NetWitness® Platform Supported Event Sources
- Event Source Version (the version of the device that is sending the logs):
- Collection Method:
- Version of RSA NetWitness you are running:
- Parser Name:
- Parser Version: You can confirm the parser version by opening the .xml log parser file on the Log Decoder(s) in question and checking the version information at the top of the file:
# cd /etc/netwitness/ng/envision/etc/devices/<parser name>
# cat <parser name>.xml
This will display the following information in the header of the file:
xml=
checksum=
revision=
device=
- Verify if the parser in question is enabled in your environment:
- Navigate to the RSA NetWitness UI > Admin/Administration > Services > Log Decoder in question > View > Config > "Service Parsers Configuration"
- Make sure that there is a checkmark under "Config Value" next to the parser in question.
- If there is not, check the box, press "Apply," and restart the Log Decoder service on which you made the change.
- Verify if you are running the latest version of the parser in question: navigate to RSA Live to find the parser in question, using Steps 1-2 in either of the links below:
- Deploy Log Parsers in NetWitness 11.x
- https://community.netwitness.com/t5/netwitness-platform-online/policy-based-centralized-content-management/ta-p/685739
- In either case, once you have found the parser, double click the parser search result. In the description field, it will display a "Parser Version" and an "Event Source Update" version. Make sure that the following fields match:
- The value of the "xml" field in the parser file and the "Parser Version" value in RSA Live
- The value of the "revision" field in the parser file and the "Event Source Update" value in RSA Live
- If the values between the parser xml file and the parser information in RSA Live do not match, you will need to deploy the latest version of the parser in question: How to update a parser using RSA Live in RSA NetWitness
- Note: Perform a parser reload for every Log Decoder on which a parser was deployed for the changes to take effect. The parser reload instructions can be found here: How to reload parsers on a Decoder or Log Decoder via the RSA Security Analytics UI
- If the issue still persists after deploying the latest version of the parser, please provide all of the requested information in this KB to Support.
- A list of all parsers that are enabled on the Log Decoder(s) in question:
- Navigate to the "Service Parsers Configuration" view in the UI as shown above and make a list of every parser that has a check mark next to it under "Config Value."
- Screenshots from the "Event Reconstruction" view of the logs in question displaying the issue
- An export of the logs in question - for more information on how to export events, review the following: Investigate: Export Events in the Events View
- The logs can be uploaded directly into the case, the RSA SFTP site, or you can request a temporary FTP link from Support.
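The parser version check described in the "Parser Version" step and the Live comparison step (in both the Issue and Tasks lists above) can be scripted on the Log Decoder rather than read by eye. The following is an added example, not part of this KB article and not NetWitness-supplied tooling: it reads the xml=, checksum=, revision= and device= header fields from a parser .xml, prints a one-line summary for the support case, and compares xml= and revision= against the "Parser Version" and "Event Source Update" values copied from the parser's Live description. The sample parser file it creates is constructed for illustration; the exact comment layout around those header lines in a real parser file, the parser name exampledevice, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not NetWitness-supplied code: read the version header of a log
# parser .xml on a Log Decoder and compare it with the values shown in Live.
# The header keys (xml=, checksum=, revision=, device=) are the ones the KB
# lists; the comment layout of the constructed sample file below is assumed.

# Print the value of one "key=value" header field from a parser file.
# Leading "#" characters and whitespace are stripped so the field is found
# whether or not it sits inside an XML comment block; lines such as
# "<?xml version=" or "<DEVICEMESSAGES name=" start with "<" and do not match.
#   $1 = path to <parser name>.xml, $2 = field (xml|checksum|revision|device)
parser_field() {
    sed -n -e "s/^[#[:space:]]*$2=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# One line summarising the header, ready to paste into a support case.
parser_summary() {
    printf 'parser=%s xml=%s checksum=%s revision=%s device=%s\n' \
        "$(basename "$1" .xml)" \
        "$(parser_field "$1" xml)" "$(parser_field "$1" checksum)" \
        "$(parser_field "$1" revision)" "$(parser_field "$1" device)"
}

# Exit status 0 when the on-disk parser matches Live, 1 when it must be redeployed.
#   $1 = path to <parser name>.xml
#   $2 = "Parser Version" from the parser's Live description (compared to xml=)
#   $3 = "Event Source Update" from Live (compared to revision=)
parser_is_current() {
    [ "$(parser_field "$1" xml)" = "$2" ] && [ "$(parser_field "$1" revision)" = "$3" ]
}

# Constructed sample standing in for
# /etc/netwitness/ng/envision/etc/devices/<parser name>/<parser name>.xml
SAMPLE_PARSER=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_PARSER"' EXIT
cat > "$SAMPLE_PARSER" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!--
# xml=3.0
# checksum=0000000000000000000000000000000000000000
# revision=20240101.1
# device=exampledevice
-->
<DEVICEMESSAGES name="exampledevice" displayname="Example Device">
</DEVICEMESSAGES>
EOF

# Typical use on a Log Decoder, with the two values read off the parser's entry in Live:
#   parser_summary /etc/netwitness/ng/envision/etc/devices/<parser name>/<parser name>.xml
#   parser_is_current /etc/netwitness/ng/envision/etc/devices/<parser name>/<parser name>.xml 3.0 20240101.1 \
#       && echo "parser is current" || echo "redeploy from Live, then reload parsers"
parser_summary "$SAMPLE_PARSER"
```

Run it once per Log Decoder that hosts the parser, since each decoder keeps its own copy under /etc/netwitness/ng/envision/etc/devices/; a mismatch on any one of them means that decoder still needs the Live deployment and a parser reload.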
Notes
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: NetWitness UI, Log Decoder, Log Collector, RSA Live
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7 / Alma
Summary
Please provide the following information when reporting log parsing issues in NetWitness Platform.