2018-12-24 05:58 AM
Hi All,
We are looking for a parser for PureStorage in NetWitness 11.2. Currently all the logs sent from Pure Storage are being parsed under ciscorouter. Alternatively, please let me know if there is any document/guide on how to use the log parser, which is a feature in 11.2.
2018-12-24 02:41 PM
Please provide sample raw logs exported from the NetWitness UI so that we can take a look.
There is also the Log Parser Tool that can be used to build a parser for this event source.
2018-12-25 04:15 AM
Hi Eric,
Below are the raw logs from NetWitness for PureStorage version 5.1.6:
Dec 20 07:35:02 00W222-rty-ct1 purity.audit: (login message ID: 11190288) Array name: '00W222-rty' Controller: 1 Interface: 'GUI' Module: '' Session: 'a96718a0-e5bc-4d3b-8b19-6913fb6d8ccd' UTC Time: 2018-12-25T03:33:55Z User: 'test2' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36' Action: 'session start' Method: 'password' Result: Success Description: ''
Dec 20 07:40:01 00W222-rty-ct1 purity.audit: (login message ID: 11189465) Array name: '00W222-rty' Controller: 1 Interface: 'GUI' Module: '' Session: 'b8bc2340-5b31-457e-bcff-3d284f9ceee4' UTC Time: 2018-12-25T03:38:51Z User: 'test2' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36' Action: 'session end' Method: '' Result: Success Description: ''
Dec 19 14:04:17 00W222-rty-ct1 purity.audit: [test1] purearray setattr --syslogserver UDP://255.255.255.255:514. Message ID: 10090256 UTC Time: 2018-12-19T10:04:17Z Array Name: 00W222-rty
Dec 19 14:29:42 00W221-rtz-ct1 purity.test: INFO [test] This is a test message generated by Pure Storage FlashArray. UTC Time: 2018 Dec 19 10:29:42 Array Name: 00W222-rty
Dec 19 14:30:02 00W222-rty-ct1 purity.audit: (login message ID: 10090257) Array name: '00W222-rty' Controller: 0 Interface: 'GUI' Module: '' Session: '563f1d36-5148-428b-a666-44a68682b095' UTC Time: 2018-12-19T10:25:27Z User: 'test1' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko' Action: 'session start' Method: 'password' Result: Success Description: ''
Dec 19 14:50:02 00W222-rty-ct1 purity.audit: (login message ID: 11190258) Array name: '00W222-rty' Controller: 1 Interface: 'GUI' Module: '' Session: '7cf0c96b-1cc6-4e62-902f-02v54d51b50a' UTC Time: 2018-12-19T10:47:01Z User: 'test1' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko' Action: 'session end' Method: '' Result: Success Description: ''
Dec 19 15:00:02 00W221-rtz-ct1 purity.audit: (login message ID: 11090259) Array name: '00W222-rty' Controller: 0 Interface: 'GUI' Module: '' Session: '563f1d36-5418-428b-a666-46s38682b095' UTC Time: 2018-12-19T10:56:02Z User: 'test1' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko' Action: 'session end' Method: '' Result: Success Description: ''
Dec 19 14:50:02 00W222-rty-ct1 purity.audit: (login message ID: 10090258) Array name: '00W222-rty' Controller: 1 Interface: 'GUI' Module: '' Session: '7cf0c96b-1dd6-46r2-902f-02uuhy51b50a' UTC Time: 2018-12-19T10:47:01Z User: 'test1' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko' Action: 'session end' Method: '' Result: Success Description: ''
Dec 19 14:26:03 00W222-rty-ct0 purity.test: INFO [test] This is a test message generated by Pure Storage FlashArray. UTC Time: 2018 Dec 19 10:26:03 Array Name: 00W222-rty
Dec 19 16:41:17 00W222-rty purity.alert: WARNING No link on ethernet interface CT0.ETH3 [42] A configured ethernet interface (CT0.ETH3) cannot establish a data link connection. Pure Storage Support is not notified of this alert. If you have any questions, please contact Pure Storage Support. Severity: Warning UTC Time: 2018 Dec 19 12:41:03 Array Time: 2018 Dec 19 16:41:03 +04 Array Name: 00W222-rty Domain: xxx.com Suggested Action: Check the switch port, speed, duplex, and cabling. If the interface is not in use, it can be disabled using the purenetwork command. Knowledge Base Article: https://support.purestorage.com/?cid=Alert_0042 Purity Version: 5.1.6 Array ID: 49218856-1e88-4d8e-98a7-318b5e0ba474 CA Array ID: 1322910-25914598-1673163419944872609 Controller Name: ct1 Controller Serial: PCTFL18312339 Chassis Serial: PCHFL18311122 UUIDs: ['fdec4389472648469760c8ebc689b992'] Variables: (below) Output: ct0.eth3 disconnected
Dec 19 16:42:58 00W221-rtz-ct0 purity.alert: WARNING No link on ethernet interface CT1.ETH2 [42] A configured ethernet interface (CT1.ETH2) cannot establish a data link connection. Pure Storage Support is not notified of this alert. If you have any questions, please contact Pure Storage Support. Severity: Warning UTC Time: 2018 Dec 19 12:42:57 Array Time: 2018 Dec 19 16:42:57 +04 Array Name: 00W222-rty Domain: xxx.com Suggested Action: Check the switch port, speed, duplex, and cabling. If the interface is not in use, it can be disabled using the purenetwork command. Knowledge Base Article: https://support.purestorage.com/?cid=Alert_0042 Purity Version: 5.1.6 Array ID: 49218856-1e88-4d8e-98a7-318b5e0ba474 CA Array ID: 1322910-25914598-1673163419944872609 Controller Name: ct0 Controller Serial: PCTFL18212305 Chassis Serial: PCHFL18311122 UUIDs: ['7678059ce6fe4c9da0fa215aed8fd193'] Variables: (below) Output: ct1.eth2 disconnected
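Added example, not part of the original posts and not NetWitness parser content: a standalone Python parser for the purity.audit login and CLI records shown above, extracting the fields a custom parser would need to map (user, source location, session, action, result). The function name, the dictionary keys and the two constructed sample lines are assumptions of this example.

```python
import re

# Syslog header shared by the purity.audit, purity.test and purity.alert samples.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                    r"(?P<tag>purity\.\w+):\s(?P<body>.*)$")
LOGIN = re.compile(r"^\(login message ID: (?P<msg_id>\d+)\)\s")
# Login record pairs. The samples omit the colon after "Location", so it is
# optional here; values are either single-quoted or a bare token.
FIELD = re.compile(r"\b(?P<key>Array name|Controller|Interface|Module|Session|"
                   r"UTC Time|User|Location|Sublocation|Action|Method|Result|"
                   r"Description):?\s+(?:'(?P<quoted>[^']*)'|(?P<bare>\S+))")
# CLI audit record. Assumption: the "." before "Message ID" ends the command.
COMMAND = re.compile(r"^\[(?P<user>[^\]]+)\]\s(?P<command>.*?)\.\s+Message ID: "
                     r"(?P<msg_id>\d+) UTC Time: (?P<utc_time>\S+) "
                     r"Array Name: (?P<array_name>\S+)$")

def parse_purity(line):
    """Return a dict of fields, or None if the line is not a Purity event."""
    head = HEADER.match(line.strip())
    if head is None:
        return None  # surface as unparsed instead of guessing a device type
    event = {k: head.group(k) for k in ("ts", "host", "tag")}
    body, is_audit = head.group("body"), head.group("tag") == "purity.audit"
    login = LOGIN.match(body) if is_audit else None
    cmd = COMMAND.match(body) if is_audit and not login else None
    if login:
        event.update(kind="login", msg_id=login.group("msg_id"))
        for m in FIELD.finditer(body, login.end()):
            value = m.group("bare") or m.group("quoted")
            # "/" arrives escaped as "\/" in the browser string; undo that.
            event[m.group("key").lower().replace(" ", "_")] = value.replace("\\/", "/")
    elif cmd:
        event.update(kind="command", **cmd.groupdict())
    else:
        event.update(kind="other", message=body)  # purity.test, purity.alert
    return event

# Constructed inputs, modelled on the sample lines posted in the thread.
SAMPLE_LOGIN = (
    "Dec 20 07:35:02 00W222-rty-ct1 purity.audit: (login message ID: 11190288) "
    "Array name: '00W222-rty' Controller: 1 Interface: 'GUI' Module: '' "
    "Session: 'a96718a0-e5bc-4d3b-8b19-6913fb6d8ccd' UTC Time: 2018-12-25T03:33:55Z "
    r"User: 'test2' Location '255.255.255.255' Sublocation: 'Mozilla\/5.0 (Windows NT 6.3)' "
    "Action: 'session start' Method: 'password' Result: Success Description: ''")
SAMPLE_COMMAND = ("Dec 19 14:04:17 00W222-rty-ct1 purity.audit: [test1] purearray setattr "
                  "--syslogserver UDP://255.255.255.255:514. Message ID: 10090256 "
                  "UTC Time: 2018-12-19T10:04:17Z Array Name: 00W222-rty")
```

Calling parse_purity(SAMPLE_LOGIN) returns the login fields as a dictionary; lines without a purity.* tag return None, so they stay visible as unparsed.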