Does somebody have a solution for how I can transform data from the user.agent meta key (Log and Packet) into something like Device, OS, Application via a Feed or LUA parser? I found some FlexParsers in RSA Live, but that is not what I want. I found a site like Complete List of iOS User-Agent Strings | Enterprise iOS with a DB of iPhone/iPad/iPod, but the data is old and I can't create a suitable Feed.
Is PHP installed on RSA Security Analytics by default? Your solution is great, but if it needs an additional Virtual Machine or Physical Server with a PHP Web Server, it can be a problem. For example, for me it is not applicable at this time. The solution should work on the current instance.
Success - here is a version that does not need a web server, but you do need a server with PHP on it. This would need to be different from a Security Analytics server, as none of them have PHP installed on them and it is not available within our repository.
There is the wrapper script (./UserAgentInfoScript.sh) and the PHP script (script.php) it calls.
To run, just run ./UserAgentInfoScript.sh (after changing the line to point to your broker).
I've attached a sample feed too, and an XML file to load the feed.
gets all the values that are in the current index slice, so how often your slices roll over will determine how often you need to query. Hourly should be more than enough.
I would check how the values of "bajbaaaagwbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=" are getting into your user agent meta key, and then improve the parser to drop these. If you can't clean up the parser and they are valid, then you could amend the LUA parser to not write them. These sorts of strings are a hazard to Security Analytics, as you can quickly end up exhausting all the values available in the particular meta key that is being written to.
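As an added illustration (this is not the PHP script attached in this thread, and it does not talk to a broker), the Python below shows the two pieces the replies above describe: mapping a user.agent value to Device, OS and Application with a small ordered rule table, and dropping base64-looking junk values before they are written back out as a feed. The sample values are constructed here; the CSV column order (useragent,device,os,application) is an assumption, since the actual mapping of columns to meta keys lives in the feed's XML definition, which this example does not generate.

```python
import csv
import io
import re

# Constructed sample values standing in for what a query of the user.agent
# meta key might return; they are made up for this example.
SAMPLE_VALUES = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.43",
    "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36",
    "curl/8.1.2",
    "bajbaaaagwbaaaabaaqpty3q9x9agtjzrlamh1dpu2jq5hnaaawjaiaajaa=",
]

# A base64-looking blob: base64 alphabet only, no spaces, optional '=' padding.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

# Ordered so that more specific tokens win: iPhone/iPad before "Mac OS X"
# (iOS user agents say "like Mac OS X"), and Android before "Linux".
DEVICE_RULES = [
    ("iPhone", "iPhone", "iOS"),
    ("iPad", "iPad", "iOS"),
    ("Android", "Android device", "Android"),
    ("Windows NT", "PC", "Windows"),
    ("Mac OS X", "Mac", "macOS"),
    ("Linux", "PC", "Linux"),
]

# Ordered so that Chromium-based browsers are recognised before Chrome itself.
APP_RULES = [
    ("Edg/", "Edge"),
    ("OPR/", "Opera"),
    ("Chrome/", "Chrome"),
    ("Firefox/", "Firefox"),
    ("curl/", "curl"),
    ("Wget/", "Wget"),
    ("python-requests/", "python-requests"),
]


def is_junk(value):
    """True for values that cannot be a user agent and should be dropped
    instead of being written back as new meta (the base64-like strings above)."""
    return bool(BASE64_BLOB.match(value)) or ("/" not in value and " " not in value)


def classify(ua):
    """Map one user agent string to (device, os, application); 'unknown' where no rule matches."""
    device, os_name, app = "unknown", "unknown", "unknown"
    for token, dev, osn in DEVICE_RULES:
        if token in ua:
            device, os_name = dev, osn
            break
    for token, name in APP_RULES:
        if token in ua:
            app = name
            break
    # Every WebKit user agent carries "Safari/", so only call it Safari when no
    # other application token matched and the "Version/" token is present.
    if app == "unknown" and "Version/" in ua and "Safari/" in ua:
        app = "Safari"
    return device, os_name, app


def build_feed(values):
    """Return CSV feed text with one row per usable user agent value.
    Column layout (useragent,device,os,application) is an assumption."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for value in sorted(set(values)):  # de-duplicate; junk never reaches the feed
        if is_junk(value):
            continue
        device, os_name, app = classify(value)
        writer.writerow([value, device, os_name, app])
    return out.getvalue()


if __name__ == "__main__":
    print(build_feed(SAMPLE_VALUES), end="")
```

Because the feed key is the full user agent string, every new value needs a new row, which is why the junk check matters: each base64 blob that slips through becomes another useless key in the feed and another distinct value in the meta key it indexes.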
I need to make a few changes to my script. Currently I just delete the old feed and then reprocess all the user agent strings again. What I will do is keep adding to the feed if no strings are received.