For those of you that have a fairly large infrastructure, you may know that there is a gap in the SIEM to know what is deployed in terms of log parsers (versions) amongst your log decoders. These scripts will help you identify what is deployed in terms of versions against your infrastructure to ensure consistent parsing is taking place.
RSA uses a version (major) in terms of tracking what iteration of parser they are working on xml=XXX, we use a major.minor nomenclature that I would recommend customers leveraging to track their custom parsers xml=XXX.YYY
custom version of parser here :
To Deploy your custom parsers, Id recommend leveraging the attached script called : parserDeploy.sh. This script takes a couple arguments to properly run, specifically DirectoryName ParserName, shown here :
# sh parserDeploy.sh winevent_nic /tmp/v20_winevent_nicmsg.xml
To identify your deployment, use the attached script called parserQuery.sh.
This script iterates through a list of newline delimited log decoders (log parser directory ), (ips/hostnames) and uses Stream editor (SED) to strip out the parser dirname, parsername, and xml version. This will dump the output into a folder that contains separate files for each log decoder, as shown here :
To process deployed versions, run your output from the parserQuery.sh against the attached powershell script : analyze_collectors_and_parsers.ps1
This script takes the output from the parserQuery.sh (each file for each log decoder that contains parsername,parserdirname,parserversion), and aggregates them into a nice csv/html file to show what versions are deployed.
HTML Version output (CSV available also)
Using these scripts/methods, you will have better visibility into your deployment as what parsers are deployed where, and to ensure that your deployment has consistent log parsing.
