2015-07-06 02:00 AM
Hello Guys,
I have a doubt. Last week I applied a SecurityAnalytics 2.0 parser on my SA. Now here I have one doubt.
I have two sites, i.e., Prod & DR, with different SA & Log Decoder appliances, so I applied the parser first on the DR Log Decoder and also applied the Broker & Concentrator (DR) index file, as we use 1 broker for investigation purposes, to view all the data from every concentrator.
Now do I need to apply the same parser on the Prod Log Decoder and do the same on the Concentrator also? If I do it, will I get the "rsasecurityanalytics" device type twice or only once?
Kindly suggest.
Regards,
Deepanshu Sood.
2015-07-06 08:00 AM
Hey Deepanshu,
You only need to add the Log Parser to the Log Decoders and then issue a parser reload.
NwConsole -c login localhost:56002:ssl <user> <password> -c decoder/parsers reload
2015-07-06 08:14 AM
Hi Lee,
I have done this and everything is getting parsed properly.
Thanks for your point.
Regards,
Deepanshu Sood.
From: "LeeKirkpatrick" <emc-community-network@emc.com>
Date: Mon, 6 Jul, 2015 at 16:01
Subject: Re: - RSA Security Analytics Parser Architecture