This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Did CEF parsing break in 10.6.5 ?

david_waugh
Beginner
Beginner

‎2018-02-08 07:34 AM

We have just upgraded to 10.6.5 and CEF parsing seems to have stopped working.

I used to send ESA alerts as syslog to our log decoder and the CEF messages would then get parsed.

 

 

The message was created with the following template.

 

<#include "macros.ftl"/>
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId} <#list events as metadata><#list metadata?keys?sort as key> ${key}=<@value_of metadata[key]/></#list></#list>

0 Likes
9 REPLIES 9

EricPartington
Employee
Employee

‎2018-02-08 09:00 AM

does the alert fire a syslog message but not get parsed or did the template not fire and no syslog message was sent?

 

can you tcpdump during a test fire of the rule and check the esa logs to see if for some reason the template options changed in freemarker and broke your template.

0 Likes

david_waugh
Beginner
Beginner
In response to EricPartington

‎2018-02-08 01:24 PM

Thanks Eric. I can see the log Message in the investigation GUI. It just isnt parsed. it comes up as device type CEF. I have a parser IP binding on the log decoder for the ESa IP with the order cef,rsasecurityanalytics,rhlinux.

 

I changed the template to the default Syslog Template for ESA and the result was the same. The device type of the message was CEF rather than the cef parser derived device type from the message.

 

This was all working before the 10.6.5 upgrade so I think 10.6.5 has broken something.

0 Likes

EricPartington
Employee
Employee
In response to david_waugh

‎2018-02-08 01:28 PM

Does seem like a defect, i wonder if somehow the cef, in the device parser override is taking that literally and not letting CEF create the device.type and using that string literally.

 

Open a defect

0 Likes

david_waugh
Beginner
Beginner

‎2018-02-19 12:09 PM

Confirmed as a bug and reproduced by support. How did this get through testing?

0 Likes

someone
Contributor
Contributor
In response to david_waugh

‎2018-02-21 12:36 PM

We have just finished testing this as customers and it failed the Alpha testing. They had to release the software first, so that customers could grab and test it. 

david_waugh
Beginner
Beginner
In response to someone

‎2018-02-22 04:16 AM

Unfortunately when it comes to Netwitness Upgrades I sometimes feel this is like Russian Roulette. I always have to think in the back of my mind "What will break this time?"

 

If it worked before the upgrade it should work after the upgrade.

 

Come on RSA you can do better testing than this!

0 Likes

HuanZhou
Contributor Contributor
Contributor

‎2018-02-25 11:48 PM

What's the support case number? We're using 10.6.5 with CEF parser (have some customization), but testing result it's ok. So only the ESA CEF alert issue? Or issue with all the CEF logs? 

0 Likes

david_waugh
Beginner
Beginner
In response to HuanZhou

‎2018-02-27 05:29 AM

Hello support case number is  01117016.

If your device is 1.2.3.4 and you have parser mapping linked to device 1.2.3.4 then CEF parsing wont work.

0 Likes

EmmanueleLaPort
Beginner
Beginner

‎2018-03-21 01:33 PM

Hello David,

 

mapping CEF parser with an IP in 10.6.5 brakes the CEF parser, not just the device.type but all the variables from the template are affected. 

The temporary solution is to REMOVE the link between all the CEF device type linked to the ips

 

Regards Emmanuele

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.