2014-06-11 09:13 AM
Hi,
I have some logs from a Red-Hat server which are interpreted as Big-IP logs.
How can I configure my Log Decoder to use only one specific parser for a specific device IP?
(I must keep the Big-IP Parser...)
Thanks!
2014-06-11 09:28 AM
I would also love to know this. I have resorted to reparsing within rhlinux just to get around it.
2014-06-11 11:26 AM
You can drill down like this: device.ip='xxx' && device.type='rhlinux'
I don't think there is a configuration option for the parser, unless you modify the parser.
2014-06-11 12:55 PM
Is it really impossible to do something like this on the Log Decoder (pseudocode):
if device.ip == (10.0.0.1|10.0.0.2|10.0.0.3) {
    parser = redhat
} else if device.ip in 10.0.1.0/24 {
    parser = cisco
} else {
    try all parsers...
}
2014-06-12 03:33 AM
I don't see this function. Maybe you can check with support and raise a feature request.
2014-06-24 05:34 AM
Hi,
I have the same issue.
As a workaround I would recommend turning on only the parsers that you actually need on the decoder, as lots of syslogs look the same and SA can misinterpret them.
In enVision we had the possibility to change the device type if it was misinterpreted and force the use of a specific parser. Here we have tons of "multi-device" hosts (lots of different event sources on one IP) because lots of logs look the same. For example, I have one device with types bigip, rhlinux and junosrouter, and in fact it's a rhlinux. If the rhlinux parser cannot parse this log I would prefer it to be unknown (unparsed), so as not to mislead reports and investigations.
The feature you're talking about, or an equivalent of the enVision possibilities, would be really great.
2014-06-27 02:49 PM
That appears to be the only option currently. I have also been adding new headers/parsers to linux to take care of the outliers (mostly bigip), then giving them distinct messageids that I can track.
2021-11-17 01:46 AM
Hello Kamarul,
The document you're referring to is no longer available; please refer to the steps below.
Follow these directions to configure a specific device parser when collecting logs from a given event source. These steps are conducted in the Security Analytics UI as an administrator.
Go to the Explore view of the Log Decoder service.
For 11.x: Admin -> Services -> <Log Decoder> -> View -> Explore
Navigate to Decoder -> Parsers.
Right-click Parsers and select Properties.
From the drop-down, select ipdevice.
In the parameters field, enter the following: op=edit entries=+<ip_address>=<parser_name>
Thanks
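As an added illustration, not code from any poster or from the NetWitness product, here is the routing logic the pseudocode earlier in the thread asks for, alongside a check for the "multi-device" symptom (one IP tagged with several device types) that the ipdevice mapping above is meant to cure. The IPs, networks, parser names and sample meta are constructed, and the longest-prefix lookup semantics are an assumption, not the decoder's actual implementation.

```python
import ipaddress
from collections import defaultdict

# Constructed pinning table in the spirit of the ipdevice entries
# (+<ip_address>=<parser_name>); the /24 rule mirrors the thread's pseudocode.
PINNED = {
    "10.0.0.1": "rhlinux",
    "10.0.0.2": "rhlinux",
    "10.0.0.3": "rhlinux",
    "10.0.1.0/24": "cisco",
}
ALL_PARSERS = ("bigip", "rhlinux", "junosrouter", "cisco")


def parser_for(device_ip, pinned=PINNED):
    """Return the parsers to try for device_ip.
    A pinned host or network gets exactly one parser (most specific rule wins);
    anything else falls back to trying every enabled parser, which is the
    default behaviour the thread complains about."""
    ip = ipaddress.ip_address(device_ip)
    best = None
    for rule, parser in pinned.items():
        net = ipaddress.ip_network(rule, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, parser)
    return [best[1]] if best else list(ALL_PARSERS)


def multi_device_hosts(events):
    """Given (device.ip, device.type) pairs, return the IPs whose logs were
    tagged with more than one device type, i.e. candidates for pinning."""
    seen = defaultdict(set)
    for ip, dtype in events:
        seen[ip].add(dtype)
    return {ip: sorted(types) for ip, types in seen.items() if len(types) > 1}


# Constructed sample meta, not real decoder output.
SAMPLE_EVENTS = [
    ("10.0.0.1", "rhlinux"), ("10.0.0.1", "bigip"), ("10.0.0.1", "junosrouter"),
    ("10.0.1.7", "cisco"), ("192.168.5.5", "bigip"),
]

if __name__ == "__main__":
    for ip, types in multi_device_hosts(SAMPLE_EVENTS).items():
        print(f"{ip} seen as {types}; pinned parser list: {parser_for(ip)}")
```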