.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
Issue
After installing 10.5.X, and attempting to load the previously available parsers, the following screen is displayed and parsers that were previously available fail to load:
NOTE: During this time, a tail of /var/log/messages on the decoder does not display an error. However, a tail of /var/lib/netwitness/uax/logs/sa.log on the SA Server displays an exception snip header similar to the following:
ERROR org.atmosphere.handler.ReflectorServletProcessor - onRequest()
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is com.rsa.smc.sa.common.exception.MessagingException: Failed to process message schema for /decoder/parsers com.rsa.netwitness.carlos.transport.TransportException: ERROR: Unexpected character found "d" after attribute name "network". Looking for equal sign "=".
Cause
Additional error checking was included in the 10.5 branch that validates the integrity of all feeds and parsers.If an old parser or deprecated feed exists that contains errors, it was not previously caught. After the upgrade to 10.5, the parsers will fail to load if an error condition exists in one of the feeds or parsers.
Resolution
There is no exact way to diagnose which feed or parser is causing the error, as the parser or feed name is not included in the exception.Start by removing all deprecated/flex parsers/feeds.
In the instance described here, the error was caused by a deprecated custom feed that was not removed prior to the upgrade. The custom feed was rewritten and redeployed with a new name, but the deprecated feed was never removed.
Once the deprecated feed was removed, the parsers loaded as expected.
Product Details
RSA Product Set: Security AnalyticsRSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.X
Platform: CentOS
O/S Version: 6
Product Name: SA-S4H-P-DEC
Product Description: Series4S HeadUnit Pkt Decoder
Approval Reviewer Queue
Technical approval queue