2013-10-09 10:36 PM
How to deploy the event source package created by ESI?
2013-10-24 08:34 AM
The XML filename doesn't have anything to do with its content. It's just how the guy who wrote the parser decided to name it.
To make a Content 2.0 parser you should use a Content 2.0 table (the full list of them is in the ESU docs, for example the unix or access tables). You can check that you've used the right table: you will have a device="2.0" attribute in the ESI-generated parser XML header.
2013-10-24 10:44 AM
thanks. got it.
For the <VERSION xml="1">, does it matter?
<!--
#Event source XML file version:2.0
#Log collection method:
#Date&Time:Thu Oct 24 22:39:13 SGT 2013-->
<DEVICEMESSAGES>
<VERSION
    xml="1"
    checksum=""
    revision="0"
    enVision=""
    device=""/>
2013-10-28 11:39 AM
The device parameter must be 2.0. If the XML file doesn't have device="2.0", it means that the parser is not 2.0 compatible.
Rgds,
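The check described in the replies above (look at the device attribute of the VERSION element, not at the "Event source XML file version" comment line) can be scripted before the parser is pushed to a Log Decoder. The script below is an added example, not code from the thread or from RSA; the two sample parser files are constructed here and are stripped down to the header and VERSION element that the check needs.

```python
"""Check whether an ESI-generated parser XML is a Content 2.0 parser.

Added example, not part of the thread. It parses the <DEVICEMESSAGES>
document, finds the <VERSION> child and requires device="2.0". The
"#Event source XML file version:2.0" line in the leading comment is the
version of the export file format and, as the thread shows, can read 2.0
while device is still empty, so it is reported but not trusted.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the header the original poster showed, device empty.
PARSER_NOT_20 = """<?xml version="1.0" encoding="UTF-8"?>
<!--
#Event source XML file version:2.0
#Log collection method:
#Date&Time:Thu Oct 24 22:39:13 SGT 2013-->
<DEVICEMESSAGES>
<VERSION
    xml="1"
    checksum=""
    revision="0"
    enVision=""
    device=""/>
</DEVICEMESSAGES>
"""

# Constructed sample: same layout, generated from a Content 2.0 table.
PARSER_20 = PARSER_NOT_20.replace('device=""', 'device="2.0"')

HEADER_VERSION_RE = re.compile(r"#Event source XML file version:\s*(\S+)")


def version_attrs(xml_text: str) -> dict:
    """Return the attributes of <VERSION> under <DEVICEMESSAGES>."""
    root = ET.fromstring(xml_text)
    if root.tag != "DEVICEMESSAGES":
        raise ValueError(f"unexpected root element {root.tag!r}")
    version = root.find("VERSION")
    if version is None:
        raise ValueError("no <VERSION> element under <DEVICEMESSAGES>")
    return dict(version.attrib)


def header_file_version(xml_text: str):
    """Version stated in the ESI comment header, or None if absent."""
    match = HEADER_VERSION_RE.search(xml_text)
    return match.group(1) if match else None


def is_content_20(xml_text: str) -> bool:
    """True only when the VERSION element carries device="2.0"."""
    return version_attrs(xml_text).get("device") == "2.0"


def check_parser(xml_text: str) -> dict:
    """Summary a reviewer can print or log before deploying the parser."""
    attrs = version_attrs(xml_text)
    return {
        "header_version": header_file_version(xml_text),
        "device": attrs.get("device", ""),
        "xml": attrs.get("xml"),
        "content_20": attrs.get("device") == "2.0",
    }


if __name__ == "__main__":
    for label, text in (("poster's file", PARSER_NOT_20), ("fixed file", PARSER_20)):
        print(label, check_parser(text))
```

Run it against a real parser with `check_parser(open("yourparser.xml").read())`; a report with `header_version` of 2.0 but `content_20` False is exactly the situation in this thread, and means the parser was built from a pre-2.0 table.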
2013-11-04 07:45 AM
thanks guys. will test out.
2018-03-30 07:59 PM
You do not actually have to restart the service on the Log Decoder. You can do the following to load the new parser.
1. Login to the NetWitness web interface.
2. Administration > Services > Log Decoder > View > Explore > Decoder (expand) > Parsers (right click) > Properties
3. On the right side of the screen, in the bottom panel, choose Reload in the drop-down box > Send
4. Check the logs to see if the parser loaded correctly.
[root@logdecoder1 ~]# cat /var/log/messages | grep loaded
Mar 30 21:15:37 logdecoder1 NwLogDecoder[4937]: [LogParse] [info] File paloaltonetworks content loaded
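Step 4 above is worth tightening: a plain grep for "loaded" also matches "content loaded" lines written at service start, so an old line can look like a successful reload. The script below is an added example, not code from the post or from RSA. It reads the NwLogDecoder LogParse lines in the format shown above, keeps the newest load of a named parser, and compares it with the time the Reload was sent. The log lines are constructed; syslog lines carry no year, so the year is passed in.

```python
"""Confirm that a parser really loaded after Reload was sent to the Log Decoder.

Added example, not part of the thread. Only the "[LogParse] [info] File <name>
content loaded" line format visible in the post is assumed; anything else in
/var/log/messages is ignored.
"""
import re
from datetime import datetime

# Constructed sample log: an old load from the previous day, then the reload.
SAMPLE_LOG = """\
Mar 29 08:02:11 logdecoder1 NwLogDecoder[4937]: [LogParse] [info] File paloaltonetworks content loaded
Mar 30 21:15:37 logdecoder1 NwLogDecoder[4937]: [LogParse] [info] File paloaltonetworks content loaded
Mar 30 21:15:37 logdecoder1 NwLogDecoder[4937]: [LogParse] [info] File cisco_asa content loaded
"""

LOADED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ NwLogDecoder\[\d+\]: "
    r"\[LogParse\] \[info\] File (?P<name>\S+) content loaded$"
)


def parse_syslog_time(ts: str, year: int) -> datetime:
    """Syslog timestamps have no year; the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def loaded_events(log_text: str, year: int) -> list:
    """All (time, parser name) pairs for 'content loaded' lines."""
    events = []
    for line in log_text.splitlines():
        match = LOADED_RE.match(line)
        if match:
            events.append((parse_syslog_time(match["ts"], year), match["name"]))
    return events


def last_load(log_text: str, parser: str, year: int):
    """Newest load time for the parser, or None if it never loaded."""
    times = [t for t, name in loaded_events(log_text, year) if name == parser]
    return max(times) if times else None


def loaded_since(log_text: str, parser: str, reload_time: datetime, year: int) -> bool:
    """True when the parser's newest load is at or after the Reload was sent."""
    latest = last_load(log_text, parser, year)
    return latest is not None and latest >= reload_time


if __name__ == "__main__":
    sent = parse_syslog_time("Mar 30 21:14:50", 2018)  # when Reload was clicked
    print("paloaltonetworks loaded after reload:",
          loaded_since(SAMPLE_LOG, "paloaltonetworks", sent, 2018))
```

On a real box, read `/var/log/messages` into `SAMPLE_LOG`'s place and pass the time you clicked Send; the older line from the day before is then correctly ignored, and a parser that failed to load shows up as None from `last_load` rather than as a stale match.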