This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to order parser in Log Decoder 10.6.x

MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2018-02-19 11:15 AM

I have a customer running NW 10.6.3 and we have several parsers enabled like:

rhlinx, bigip, mcafeegw, solaris, aix, hpux and several unix flavor parsers...

The problem that I'm facing is the following:

I have several event sources that produce events with ntp and there are parsed as McAfee Web Gateway instead other unix/linux OS (as result, the customer sees over 200 devices labeled as McAfee Web Gateway when in reality he has onlye 4 Mcafee Proxies). There is any method that I can use to order/priorize for example solaris, rhlinux or aix parser over mcafee web gateway? (I think the alphabetic order of the device name is used in the decoder to priorize the parser wich is used)

 

Regards,

Max

0 Likes
5 REPLIES 5

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2018-02-19 11:24 AM

There is no way to order the way parsers are evaluated.  However for the situation you describe the best course would be to map those devices to only use a specific parser.

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to DaveGlover

‎2018-02-19 12:28 PM

Thank for your reply Dave, in 10.6.x I can only map parsers that are enabled in the decoder, right?

0 Likes

EricPartington
Employee
Employee
In response to MaximilianoCitt

‎2018-02-20 08:42 AM

Parsers are matched to devices based on internal scoring from header matches.  This is what is exposed and enhance in NW11 event source discovery to help provide visual indication of the confidence of a match and allow the admins to force match ones that are very weak matches (rhlinux and others).

In your case, using the device parser option (depending on your version) to  map the rhlinux devices to  that parser (enabled on the log decoder) to avoid weak matches to other device types.  There is a file on the file system that you can edit manually (xml) or using the rest interface (early versions) and then in the UI on each decoder/ config (later 10.6 versions).

 

forcing a match to a parser should be to ones that are enabled (you want to force matches to a devicetype so that its parsed properly.)  Order of the file is important, the parser will match the first one before the second if you have multiple parsers per device forced (rhlinux + apache etc.)

 

Also make sure that if you start using this force match then you should check regularly for

device.type exists && word exists

which would  indicate that you have a forced match but the parsers cant extract useful information and most likely the device.type changed or the parser list is incorrect. (the parser is forcing the device.type but no matching messages exist).

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to EricPartington

‎2018-02-20 10:17 AM

Another Query that I use a lot is 'device.type = {your device} && msg.id !exists'  That will show you all the messages that we do not parse for a given device

0 Likes

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to EricPartington

‎2018-02-20 10:20 AM

Thank you very much Eric!

I'm currently disabling the mcafeewg parser from the Config of the decoder and map the device type to the 4 proxies IPs. That works fine for me. I have also an ESA rule to check whenever a device type and word metas exists on the same event to alert me whenever there is a miss parsed event.

I'm planning to do the same with other linux based products like bigip because a simple "cron job" event is matched as bigip instead of a rhlinux device, causing the ESM groups and monitoring policies a little bit noisy.

 

thank you again for the explanation

regards,

Max

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.