2013-12-13 08:25 AM
This is targeted more towards anyone working at RSA/EMC.
For some reason, in my free time, I like to parse log events that are not currently being parsed by RSA parsers. I am weird, but at work I do this. Some events are just one or two here and there, but I just realized today that I have 21 events from junipersslvpn that were not being parsed but that I parsed. Some I would say are more important for anyone to have, such as: user x logged in using policy x from x ip.
So the short of it: is there anywhere I can submit these for addition to the parsing files? I figured it would help everyone out if this was possible.
Thanks!
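The kind of gap the post above describes (events from a source that no parser definition matches, such as a login with user, policy and source IP) can be measured before anything is submitted. The following is an added example, not the poster's parsers and not RSA's parser files: a small Python routine that applies a set of named message patterns to constructed Juniper-SSL-VPN-style lines, extracts the user, realm, policy and source IP fields, and reports which lines remain unparsed. The log line layout, the message names and the field names are assumptions for illustration only.

```python
import re
from collections import Counter

# Constructed sample lines in a Juniper-SSL-VPN-like layout. This layout is an
# assumption for the example, not the product's real format.
SAMPLE_LOGS = [
    "2013-12-13 08:20:11 - ive - [203.0.113.7] alice(Users)[Sales] - "
    "Login succeeded for alice/Users from 203.0.113.7",
    "2013-12-13 08:21:40 - ive - [198.51.100.9] bob(Users)[Contractors] - "
    "Login succeeded for bob/Users from 198.51.100.9",
    "2013-12-13 08:22:03 - ive - [198.51.100.9] bob(Users)[] - "
    "Logout from 198.51.100.9",
    "2013-12-13 08:23:55 - ive - [192.0.2.44] System()[] - "
    "Host Checker policy 'AV-required' failed for carol",
]

# Common prefix: timestamp, source IP in brackets, user(realm)[policy].
_PREFIX = (
    r"^(?P<ts>\S+ \S+) - ive - \[(?P<src>[\d.]+)\] "
    r"(?P<user>[^(]+)\((?P<realm>[^)]*)\)\[(?P<policy>[^\]]*)\] - "
)

# Each entry is one message definition: a name plus the regex that
# recognises it. Back-references check that the body agrees with the prefix.
PATTERNS = [
    ("login_ok", re.compile(
        _PREFIX + r"Login succeeded for (?P=user)/(?P=realm) from (?P=src)$")),
    ("logout", re.compile(
        _PREFIX + r"Logout from (?P=src)$")),
]


def parse_line(line):
    """Return the extracted fields plus the message name, or None if no
    pattern matches (i.e. the line is an unparsed event)."""
    for name, pattern in PATTERNS:
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            fields["msg"] = name
            return fields
    return None


def parse_all(lines):
    """Split lines into (parsed records, unparsed raw lines)."""
    parsed, unparsed = [], []
    for line in lines:
        record = parse_line(line)
        if record is None:
            unparsed.append(line)
        else:
            parsed.append(record)
    return parsed, unparsed


def coverage(lines):
    """Count events per message name, with unparsed lines under 'unparsed'.
    This is the number a contributor would quote when reporting a gap."""
    counts = Counter()
    parsed, unparsed = parse_all(lines)
    for record in parsed:
        counts[record["msg"]] += 1
    counts["unparsed"] = len(unparsed)
    return dict(counts)


if __name__ == "__main__":
    recs, missing = parse_all(SAMPLE_LOGS)
    for rec in recs:
        print(f"{rec['msg']}: user={rec['user']} realm={rec['realm']} "
              f"policy={rec['policy']} src={rec['src']}")
    for line in missing:
        print("UNPARSED:", line)
    print(coverage(SAMPLE_LOGS))
```

Keeping the unparsed lines verbatim matters for the later replies in this thread: a Support or content ticket needs the raw sample events alongside the parser, and the `coverage` count is what tells you how much of a source is still invisible to detections.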
2016-03-27 05:34 AM
A place like github to maintain parser would be great!
2016-03-28 09:22 AM
Hi Sean Koniarz and John Doe,
I will bring up this suggestion to our Product Management team, but I would recommend in the meantime posting your parsers to the Security Analytics space within RSA Link. This will allow others to comment on them and quickly find them, and will allow you (the creator of the parsers) to easily maintain them when any updated versions are created.
Some examples of other parsers posted to the community are listed below.
To upload a parser, you can either click on Actions > Files (as shown below) or you can create a document and attach the parser to it by clicking Actions > Document from the Security Analytics space overview page.
Thanks.
Jeff Shurtliff, CISSP
Sr Social Engagement Manager
RSA, The Security Division of EMC
2016-03-30 03:00 AM
Hello Jeff,
I guess a repository will be more suitable for this task. In RSA you use CMS, and CMS for custom parsers is better than the community. And please improve the Kaspersky parser. I have a lot of unknown events from Kaspersky version 10. For Russian customers it is an important event source.
2016-03-30 05:05 PM
Hi Sean,
Thanks a lot!
The official way would be to open a case with Support and ask them to create a content ticket. We'll need sample logs to go along with the parser.
Thanks,
Guy
Guy Williams | Principal Product Manager, RSA Security Analytics
RSA, The Security Division of EMC
2016-03-30 05:06 PM
Hi Alex,
If you export the logs in question you can open a Support ticket and ask to have support for them added to the parser.
Thanks,
Guy
Guy Williams | Principal Product Manager, RSA Security Analytics
RSA, The Security Division of EMC
2016-03-31 02:57 AM
I have done it many times. I can provide you case numbers and SMC if you want. Those cases were opened after the release date of the last version of Kaspersky on RSA Live (2015-04-15). At this time I can't have access to Kaspersky logs in English, only in Russian. But I can say that the parser doesn't parse events of uninstalling programs (events of installed programs parse well).
2016-03-31 09:15 AM
Hi Alexey,
I'll send a direct message and see if we can get some movement for you.
Thanks,
Guy
Guy Williams | Principal Product Manager, RSA Security Analytics
RSA, The Security Division of EMC