Over the past several releases, RSA NetWitness has made many improvements on the log management side of the house to reduce the number of unparsed or misparsed devices. There are still cases where manual intervention is needed, and a report such as the one provided in this post can help you find them.
This report provides visibility into four types of situations:

1. Device.ip with more than one device.type: sources that have had multiple parsers act on their logs over the reporting period, sorted from the most parsers per IP to the fewest.
2. Unknown devices: sources whose events matched no parser, either because no parser recognised the header or because the matching parser is not installed or enabled.
3. Device.type with word meta: a parser matched the header for that device, but no parser entry matched the payload (message body), so the body was tokenised into word meta instead of being parsed into the proper keys.
4. Device.type with parseerror: devices that parse meta correctly for most fields but produce parseerror meta for particular keys. This indicates that the data written to a key does not match the key's format, for example a malformed MAC address written to a MAC-formatted key such as eth.src or eth.dst, or non-IP text written to an IP key.
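The following is an added example, not the report rules from the linked repository (those are written as NetWitness report rules and run against the meta database). It reproduces the four checks above in Python over a constructed in-memory sample of log meta so you can see exactly what each category selects. It assumes that an event with no matching parser carries a device.type of "unknown" and that the parseerror key holds the name of the key whose value failed format validation; both are assumptions for this example, and all IPs, parser names and message IDs are made up.

```python
from collections import Counter, defaultdict

# Assumption for this example: device.type assigned when no parser matched.
UNKNOWN_DEVICE_TYPE = "unknown"

# Constructed sample meta: one dict per log event, keyed by NetWitness meta key
# name. Only the keys this report looks at are included; values are made up.
SAMPLE_META = [
    {"device.ip": "10.0.0.10", "device.type": "ciscoasa", "msg.id": "asa-106023"},
    {"device.ip": "10.0.0.10", "device.type": "ciscoasa", "msg.id": "asa-302013"},
    {"device.ip": "10.0.0.10", "device.type": "cisconxos", "msg.id": "nxos-generic"},
    {"device.ip": "10.0.0.10", "device.type": "ciscorouter", "msg.id": "ios-generic"},
    {"device.ip": "10.0.0.11", "device.type": "rhlinux", "msg.id": "sshd:02"},
    {"device.ip": "10.0.0.12", "device.type": UNKNOWN_DEVICE_TYPE},
    # Header matched (device.type set) but body did not: word meta instead of msg.id.
    {"device.ip": "10.0.0.13", "device.type": "winevent_nic", "word": "4624"},
    {"device.ip": "10.0.0.13", "device.type": "winevent_nic", "msg.id": "4625"},
    # Body parsed, but a value did not fit the key's format (assumed: parseerror
    # names the offending key, e.g. a bad MAC in eth.src or text in ip.src).
    {"device.ip": "10.0.0.14", "device.type": "rhlinux", "msg.id": "dhcpd:01", "parseerror": "eth.src"},
    {"device.ip": "10.0.0.14", "device.type": "rhlinux", "msg.id": "dhcpd:01", "parseerror": "ip.src"},
    {"device.ip": "10.0.0.15", "device.type": "ciscoasa", "msg.id": "asa-106023"},
    {"device.ip": "10.0.0.15", "device.type": UNKNOWN_DEVICE_TYPE},
]


def ips_with_multiple_parsers(records):
    """Category 1: device.ip seen with more than one device.type.

    Returns a list of (ip, [device.type, ...]) sorted by number of
    parsers, most first, then by IP for a stable order."""
    types_per_ip = defaultdict(set)
    for r in records:
        if "device.ip" in r and "device.type" in r:
            types_per_ip[r["device.ip"]].add(r["device.type"])
    multi = [(ip, sorted(types)) for ip, types in types_per_ip.items() if len(types) > 1]
    multi.sort(key=lambda item: (-len(item[1]), item[0]))
    return multi


def unknown_devices(records):
    """Category 2: sources that produced events matching no parser."""
    return sorted({r["device.ip"] for r in records
                   if r.get("device.type") == UNKNOWN_DEVICE_TYPE and "device.ip" in r})


def device_types_with_word_meta(records):
    """Category 3: header matched but payload did not (word meta populated).

    Returns {device.type: number of such events}."""
    counts = Counter(r["device.type"] for r in records
                     if "word" in r and "device.type" in r)
    return dict(counts)


def device_types_with_parseerror(records):
    """Category 4: {device.type: sorted distinct parseerror values}."""
    errors = defaultdict(set)
    for r in records:
        if "parseerror" in r and "device.type" in r:
            errors[r["device.type"]].add(r["parseerror"])
    return {t: sorted(v) for t, v in errors.items()}


def parser_health_report(records):
    """Run all four checks and return them under the report's section names."""
    return {
        "multiple_parsers_per_ip": ips_with_multiple_parsers(records),
        "unknown_devices": unknown_devices(records),
        "word_meta_by_device_type": device_types_with_word_meta(records),
        "parseerror_by_device_type": device_types_with_parseerror(records),
    }


if __name__ == "__main__":
    for section, rows in parser_health_report(SAMPLE_META).items():
        print(section)
        print("  ", rows)
```

Running it on the sample flags 10.0.0.10 (three parsers) ahead of 10.0.0.15 (two), lists 10.0.0.12 and 10.0.0.15 as unknown sources, reports one word-meta event for winevent_nic, and shows rhlinux producing parseerror for eth.src and ip.src. Note that 10.0.0.15 appears in both the first and second category: an IP that is sometimes parsed and sometimes unknown usually means one of its message formats is not covered by the installed parser.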
Some hits in these categories are legitimate (for example, a syslog relay that forwards logs from several device types will show up as one IP with multiple parsers), but reviewing this report once a week lets you keep an eye on the logging function of your NetWitness system and make sure it is performing at its best.
The code for the report is kept here (in clear text, so you can inspect the rule content without importing it into NetWitness):
GitHub - epartington/rsa_nw_re_logparser_health
Here's a sample report output: