Log Parser Rule is not Parsing the message from logs in RSA NetWitness Platform 11.3.X

Issue

Log parser rules were created as described in the documentation, but the messages that need parsing are not being parsed.

Cause

There are two use cases for dynamic parsing with the current support:
  1. Parse out all the important information from a log that does not parse through any XML parser:
    In that case, log parser rules can be created for new event sources that are not supported as of now. Make sure to map the device IP to the parser, because the parser (token file) will contain no headers (for discovery), only log parser rules.
     
  2. Parse out information from a log that parses against a header but does not match any message ID (extended parser capabilities):
    In this case, log parser rules can be created for an existing event source, but only to parse out information from logs that parse against one of the headers in the parser and none of its message IDs.

    The third category, where the log parses against both a header and a message ID in the log parser, is not supported for rules.
     
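To make the three categories above concrete, here is an added example (not NetWitness code and not from this article) that models the decision: a parser has discovery headers, static message IDs and dynamic rules, and a log is routed either to header discovery or, when no header matches, to the parser mapped to the sending device IP. The parser names, regexes, device map and log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of a log parser (token file): discovery headers,
# static message IDs and dynamic log parser rules with named groups.
@dataclass
class LogParser:
    name: str
    headers: List[re.Pattern] = field(default_factory=list)
    message_ids: List[re.Pattern] = field(default_factory=list)
    rules: List[re.Pattern] = field(default_factory=list)


def apply_rules(parser: LogParser, log: str) -> Dict[str, str]:
    """Run every dynamic rule over the log and collect the named captures."""
    meta: Dict[str, str] = {}
    for rule in parser.rules:
        m = rule.search(log)
        if m:
            meta.update({k: v for k, v in m.groupdict().items() if v is not None})
    return meta


def classify(log: str, parsers: List[LogParser], device_ip: str,
             device_map: Dict[str, str]) -> Tuple[int, Optional[str], Dict[str, str]]:
    """Return (category, parser name, extracted meta).

    3: header and message ID match  -> static parse wins, rules not applied
    2: header matches, no message ID -> rules run (extended parsing)
    1: no header matches at all      -> rules-only parser chosen by device IP
    0: no header and no device mapping -> nothing parses
    """
    # Header discovery runs first, across all parsers.
    for p in parsers:
        if any(h.search(log) for h in p.headers):
            if any(m.search(log) for m in p.message_ids):
                return 3, p.name, {}
            return 2, p.name, apply_rules(p, log)
    # No header matched: only a parser mapped to the device IP can apply.
    name = device_map.get(device_ip)
    if name is None:
        return 0, None, {}
    p = next(x for x in parsers if x.name == name)
    return 1, p.name, apply_rules(p, log)


# Constructed parsers: an existing event source with a header and one
# message ID, and a new rules-only source with no headers.
ACMEFW = LogParser(
    name="acmefw",
    headers=[re.compile(r"^%ACMEFW-\d+-")],
    message_ids=[re.compile(r"^%ACMEFW-6-LOGIN:")],
    rules=[re.compile(r"user=(?P<username>\S+)"),
           re.compile(r"src=(?P<ip_src>\d+\.\d+\.\d+\.\d+)")],
)
CUSTOMAPP = LogParser(
    name="customapp",
    rules=[re.compile(r"uid=(?P<username>\S+)"),
           re.compile(r"action=(?P<action>\w+)")],
)
PARSERS = [ACMEFW, CUSTOMAPP]
# Constructed device mapping (required for the rules-only parser).
DEVICE_MAP = {"192.0.2.50": "customapp"}

# Constructed sample logs.
LOG_STATIC = "%ACMEFW-6-LOGIN: user=alice src=192.0.2.10 result=ok"
LOG_EXTENDED = "%ACMEFW-4-VPNDROP: user=bob src=198.51.100.7"
LOG_NEW_SOURCE = "app=billing uid=carol action=export"


def triage() -> Dict[str, Tuple[int, Optional[str], Dict[str, str]]]:
    """Classify each sample log so the result can be inspected or asserted on."""
    return {
        "static": classify(LOG_STATIC, PARSERS, "192.0.2.10", DEVICE_MAP),
        "extended": classify(LOG_EXTENDED, PARSERS, "198.51.100.7", DEVICE_MAP),
        "new_mapped": classify(LOG_NEW_SOURCE, PARSERS, "192.0.2.50", DEVICE_MAP),
        "new_unmapped": classify(LOG_NEW_SOURCE, PARSERS, "192.0.2.99", DEVICE_MAP),
    }


if __name__ == "__main__":
    for label, (cat, parser, meta) in triage().items():
        print(f"{label:13} category={cat} parser={parser} meta={meta}")
```

The last case is the one that most often looks like "rules are not parsing": a rules-only parser has no header to be discovered by, so a log from a device that is not mapped to it is never routed to the rules at all.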

Resolution

This may be fixed in version 11.4, according to the current status of internal JIRA ASOC-79906.


Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.1.0
Platform: CentOS
O/S Version: 7

Summary

This document outlines how the Log Parser tool works and which parsing use cases it currently supports.
