Article Number
000002814
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
Issue
If a custom change to a device parser introduces a syntax error, errors similar to the sample below appear in the /var/log/messages file.
Oct 6 16:56:56 xxxx-xxxxx nw[3269]: [LogParse] [warning] Message parse failure in file ciscoiportwsa: Throw location unknown (consider using BOOST_THROW_EXCEPTION)Dynamic exception type: boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<boost::spirit::qi::expectation_failure<__gnu_cxx::__normal_iterator<char const*, std::string> > > >std::exception::what: boost::spirit::qi::expectation_failure[nw::envision::(anonymous namespace)::content_tag*] = <@domain:*URL($DOMAIN,url)><@web_domain:*URL($DOMAIN,url)><@web_root:*URL($ROOT,url)><@webpage:*URL($PAGE,url)><@:*SYSVAL($MSGID,$ID1)><@event_time:*EVNTTIME($MSG,'%D/%B/%W:%N:%U:%O',fld20)><@msg:*PARMVAL($MSG)> <saddr> { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>[nw::envision::(anonymous namespace)::expectation_failure_start_tag*] = { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>[nw::envision::id1_tag*] = CONNECT[nw::envision::id2_tag*] = CONNECT
This article describes how to rectify that condition.
Resolution
To identify the fault, note the failure conditions highlighted below.
Oct 6 16:56:56 xxxx-xxxxx nw[3269]: [LogParse] [warning] Message parse failure in file ciscoiportwsa: Throw location unknown (consider using BOOST_THROW_EXCEPTION)Dynamic exception type: boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<boost::spirit::qi::expectation_failure<__gnu_cxx::__normal_iterator<char const*, std::string> > > >std::exception::what: boost::spirit::qi::expectation_failure[nw::envision::(anonymous namespace)::content_tag*] = <@domain:*URL($DOMAIN,url)><@web_domain:*URL($DOMAIN,url)><@web_root:*URL($ROOT,url)><@webpage:*URL($PAGE,url)><@:*SYSVAL($MSGID,$ID1)><@event_time:*EVNTTIME($MSG,'%D/%B/%W:%N:%U:%O',fld20)><@msg:*PARMVAL($MSG)> <saddr> { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>[nw::envision::(anonymous namespace)::expectation_failure_start_tag*] = { { "<fld1>\<c_username>@<fld2>" | <c_username> }@<fld1> | - } <fld2> [<fld20> <timezone>] "<web_method> <url> <version>" <resultcode> <rbytes> <action>:<fld4> <duration_string> <policyname> <<<fld17>,{ ns | <reputation_num> },<fld18>> <fld19>[nw::envision::id1_tag*] = CONNECT[nw::envision::id2_tag*] = CONNECT
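The green tells you which parser experienced the failure (the name after "Message parse failure in file", here ciscoiportwsa).
The yellow tells you the id1 of the MESSAGE element in which the failure occurred (the id1_tag value, here CONNECT).
The turquoise gives you a brief boost reason for the failure (here boost::spirit::qi::expectation_failure).
The pink tells you the failure occurred in the MESSAGE element content attribute and continues to give you the value of the content attribute (the content_tag value).
The orange tells you where the failure started in the content attribute (the expectation_failure_start_tag value).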
From here, we can quickly see that the syntax is not correct, and the light grey tells you the portal that is in question.
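The breakdown above can also be done programmatically when many of these warnings need triage. The following is an added example, not part of the original article or of the RSA product: the function name parse_failure and the shortened sample line are constructed, and it assumes (as in the article's sample) that the failure start text is the tail of the content attribute.

```python
import re

# Constructed sample modelled on the article's log line (content shortened).
SAMPLE = (
    "Oct 6 16:56:56 host nw[3269]: [LogParse] [warning] Message parse failure "
    "in file ciscoiportwsa: Throw location unknown (consider using "
    "BOOST_THROW_EXCEPTION)Dynamic exception type: boost::exception_detail::"
    "clone_impl<...>std::exception::what: boost::spirit::qi::expectation_failure"
    "[nw::envision::(anonymous namespace)::content_tag*] = <@msg:*PARMVAL($MSG)> "
    "<saddr> { <c_username> | - } <fld2> <<<fld17>,<fld18>> <fld19>"
    "[nw::envision::(anonymous namespace)::expectation_failure_start_tag*] = "
    "{ <c_username> | - } <fld2> <<<fld17>,<fld18>> <fld19>"
    "[nw::envision::id1_tag*] = CONNECT[nw::envision::id2_tag*] = CONNECT"
)

# Parser file name and the short boost reason after std::exception::what.
HEAD = re.compile(r"Message parse failure in file (?P<parser>\S+?):.*?"
                  r"std::exception::what: (?P<reason>[\w:]+)", re.S)
# Each "[nw::envision::...<name>_tag*] = " label introduces one value.
TAG = re.compile(r"\[nw::envision::(?:\(anonymous namespace\)::)?(\w+)_tag\*\] = ")

def parse_failure(line):
    """Split a LogParse 'Message parse failure' line into its labelled parts."""
    head = HEAD.search(line)
    if head is None:
        return None  # not a parse-failure warning
    out = {"parser": head["parser"], "reason": head["reason"]}
    tags = list(TAG.finditer(line))
    for cur, nxt in zip(tags, tags[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        out[cur.group(1)] = line[cur.end():end]
    # Offset inside the content attribute at which parsing failed.
    content, start = out.get("content"), out.get("expectation_failure_start")
    if content and start and content.endswith(start):
        out["failure_offset"] = len(content) - len(start)
    return out

if __name__ == "__main__":
    for key, value in parse_failure(SAMPLE).items():
        print(f"{key}: {value}")
```

Everything in the content attribute before failure_offset was accepted by the parser, so the syntax error lies at or just after that position.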