Hello.
Need assist with parser work issue.
I've modifyied original parser of postgres using -custom.xml method (postgresqlmsg-custom.xml): modified/added some Messages.
For example:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<DEVICEMESSAGES
name="postgresql"
displayname="PostgreSQL"
group="Database">
<VERSION
xml="29"
checksum="0df2e10151dbc7b76fb2f188fd05b683"
revision="135"
device="2.0"/>
<MESSAGE
id1="authentication:100"
id2="authentication"
insertBefore="authentication"
eventcategory="1609000000"
functions="<@ec_subject:Database><@ec_theme:DB-Connection><@ec_outcome:Failure><@msg:*PARMVAL($MSG)><@:*SYSVAL($MSGID,$ID1)><@event_time:*EVNTTIME($MSG,'%W-%G-%F %N:%U:%O',fld5,fld8)><@starttime:*EVNTTIME($MSG,'%W-%G-%F %N:%U:%O',fld6,fld9)><@obj_name:*PARMVAL(db_name)><@ec_activity:*PARMVAL(severity)>"
content="<fld1>[<process_id>]: [<fld2>-<fld3>] #PostGreSQL: <fld4>^^<fld5> <fld8> <timezone>^^<username>^^<db_name>^^{ [<saddr>]^^ | <saddr>(<sport>)^^ }<sessionid>^^<fld6> <fld9> <fld10>^^<severity>: password authentication failed <fld11>" />
</DEVICEMESSAGES>
Log Parser Tool (using modified parser) shows everything OK, as I expect.
I load it to the LogDecoder: /etc/netwitness/ng/envision/etc/devices/postgresqlmsg-custom.xml
and run parser reload command:
NwConsole -c login localhost:56002:ssl admin <password> -c decoder/parsers reload
RSA NetWitness NextGen Console 11.5.2.0
Copyright 2001-2020, RSA Security Inc. All Rights Reserved.
>login ...
Successfully logged in to localhost:56002 as session 1966977
>decoder/parsers reload
The parsers have been reloaded
After that I generate neccessary event and find for it in Investigate.
I get bunch of metas like "word" with no messageid for Message that I want.
header.id is "0004" - it's correct.
Without any -custom.xml file result is the same.
Modifiying original parser - result is the same.
