2021-03-12 01:37 AM
Hello.
Need assistance with a parser issue.
I've modified the original postgres parser using the -custom.xml method (postgresqlmsg-custom.xml): modified/added some Messages.
For example:
Log Parser Tool (using modified parser) shows everything OK, as I expect.
I load it to the LogDecoder: /etc/netwitness/ng/envision/etc/devices/postgresqlmsg-custom.xml
and run parser reload command:
NwConsole -c login localhost:56002:ssl admin <password> -c decoder/parsers reload
RSA NetWitness NextGen Console 11.5.2.0
Copyright 2001-2020, RSA Security Inc. All Rights Reserved.
>login ...
Successfully logged in to localhost:56002 as session 1966977
>decoder/parsers reload
The parsers have been reloaded
After that I generate the necessary event and look for it in Investigate.
I get a bunch of metas like "word" with no messageid for the Message that I want.
header.id is "0004" - it's correct.
Without any -custom.xml file result is the same.
Modifying the original parser - result is the same.
2021-04-28 12:56 AM
2021-03-12 01:39 AM
Raw log example:
Mar 12 11:05:30 test-db postgres[5896]: [4-1] #PostGreSQL: authentication^^2021-03-12 11:05:30 ALMT^^parsing_user^^parsing^^192.168.0.1(49442)^^604af69a.1708^^2021-03-12 11:05:30 ALMT^^FATAL: password authentication failed for user "parsing_user"
2021-04-26 10:38 AM
Hi @MaximMarchenko ,
I was searching through the forums to clean them up and I noticed yours here in the general forum. Have you received an answer to your question? If not, I could move this to the NetWitness-specific forum where subject matter experts would be able to help out, and if that doesn't get your answer, we could alternatively open up a support case for you.
2021-04-28 12:56 AM
Hi.
No, I have not, but I've handled it by myself.