How to identify the version of a device's Log Parser that is installed on a NetWitness Log Decoder?
Is the latest Log Parser for a particular device installed on the NetWitness Log Decoder?
To find the installed version of a device's Log Parser file on a NetWitness Log Decoder:
Log in to the Log Decoder via SSH.
The installed device types on the Log Decoder are under the /etc/netwitness/ng/envision/etc/devices directory.
A separate sub-directory exists for each device type.
For example:
# ll /etc/netwitness/ng/envision/etc/devices |head
total 1184
drwxr-xr-x. 294 root root 12288 Jul 11 2017 .
drwxr-xr-x. 2 root root 4096 Aug 26 2018 accurev
drwxr-xr-x. 2 root root 4096 Aug 26 2018 actiancevantage
drwxr-xr-x. 2 root root 4096 Aug 26 2018 actividentity
drwxr-xr-x. 2 root root 4096 Aug 26 2018 aforecloudlink
drwxr-xr-x. 2 root root 4096 Aug 26 2018 airdefense
drwxr-xr-x. 2 root root 4096 Aug 26 2018 airmagnet
drwxr-xr-x. 2 root root 4096 Aug 26 2018 airtightmc
drwxr-xr-x. 2 root root 4096 Aug 26 2018 aix
To display the installed version of a device's parser file on the Log Decoder, look at the "xml=" and "revision=" values in the VERSION element near the top of the device's .xml file.
For example, for this aix device the parser .xml file has xml="117" and revision="107":
# head /etc/netwitness/ng/envision/etc/devices/aix/*xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<VERSION
xml="117"
checksum="44391d341c54c0f43bb5063c473c181e"
revision="107"
enVision="21050025"
device="2.0" />
<HEADER
Compare the version values found above with the latest available for download from RSA Live in the NetWitness UI.
In the NetWitness UI, go to:
NetWitness 11.x: Configure, Live Content tab
NetWitness 10.6.x: Live > Search
Search for the device type name in the Keyword field, or select "Log Device" under Resource Types to see all Log Decoder device types.
The Description field of each device type shows "Parser Version:" and "Event Source Update:" values, which are the latest versions available for deployment to the Log Decoder.
Compare "Parser Version:" with "xml=" and compare "Event Source Update:" with "revision=".
For example, RSA Live shows for aix: Parser Version: 136, Event Source Update: 130.
In this example, the installed aix parser (xml=117, revision=107) is behind RSA Live (136/130) and should be updated to the latest available version.
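The comparison above can be scripted so that every device directory is checked in one pass instead of running head on each file by hand. The following shell script is an added example and is not part of the KB article or of NetWitness itself. It reads the xml= and revision= attributes from each device's parser .xml under the devices directory named in the article and flags a device when either value is below the "Parser Version" / "Event Source Update" numbers you read off RSA Live. The function names, the sample device tree written by make_sample_devices (which reuses the aix values from the article and a constructed airdefense file), and the assumption that the first *.xml in a device directory is its parser file are all this example's own.

```shell
#!/bin/sh
# Added example (not from the KB article): report the installed Log Parser
# version of a device under the Log Decoder devices directory and flag it
# when the xml= / revision= values are behind the "Parser Version" and
# "Event Source Update" numbers shown for that device in RSA Live.
# DEVICES_DIR defaults to the path used in the article.

DEVICES_DIR="${DEVICES_DIR:-/etc/netwitness/ng/envision/etc/devices}"

# xml_attr FILE NAME -> prints the value of attribute NAME="..." (first match).
# The attribute must follow start-of-line or whitespace, so the
# <?xml version="1.0" ...?> declaration is never mistaken for xml="...".
xml_attr() {
    awk -v name="$2" '
        match($0, "(^|[[:space:]])" name "=\"[^\"]*\"") {
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
            sub(/"$/, "", s)        # drop the closing quote
            print s
            exit
        }' "$1"
}

# parser_version FILE -> prints "XML REVISION" from the <VERSION ...> element.
parser_version() {
    printf '%s %s\n' "$(xml_attr "$1" xml)" "$(xml_attr "$1" revision)"
}

# needs_update XML REV LIVE_PARSER LIVE_UPDATE -> exit 0 when either installed
# value is lower than the value published in RSA Live.
needs_update() {
    [ "$1" -lt "$3" ] || [ "$2" -lt "$4" ]
}

# check_device DEVICE LIVE_PARSER LIVE_UPDATE -> prints one status line and
# returns 0 (current), 1 (update available) or 2 (no parser file found).
check_device() {
    f=$(ls "$DEVICES_DIR/$1"/*.xml 2>/dev/null | head -n 1)
    if [ -z "$f" ]; then
        printf '%s: no parser .xml found under %s\n' "$1" "$DEVICES_DIR"
        return 2
    fi
    vals=$(parser_version "$f")
    xml=${vals%% *}
    rev=${vals##* }
    if needs_update "$xml" "$rev" "$2" "$3"; then
        printf '%s: installed xml=%s revision=%s, RSA Live %s/%s -> update available\n' \
            "$1" "$xml" "$rev" "$2" "$3"
        return 1
    fi
    printf '%s: installed xml=%s revision=%s is current\n' "$1" "$xml" "$rev"
    return 0
}

# make_sample_devices -> writes a constructed device tree into a temporary
# directory and points DEVICES_DIR at it, so the script can run off-box.
make_sample_devices() {
    DEVICES_DIR=$(mktemp -d)
    mkdir -p "$DEVICES_DIR/aix" "$DEVICES_DIR/airdefense"
    # aix: the VERSION values quoted in the article (xml=117, revision=107)
    cat > "$DEVICES_DIR/aix/aixmsg.xml" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
    <VERSION
        xml="117"
        checksum="44391d341c54c0f43bb5063c473c181e"
        revision="107"
        enVision="21050025"
        device="2.0" />
</DEVICEMESSAGES>
EOF
    # airdefense: constructed values, attributes on a single line
    cat > "$DEVICES_DIR/airdefense/airdefensemsg.xml" <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
    <VERSION xml="50" revision="40" device="2.0" />
</DEVICEMESSAGES>
EOF
}

# Stand-alone run: use the real devices directory when present (on the Log
# Decoder), otherwise the constructed sample; Live values are the article's
# aix numbers (Parser Version 136, Event Source Update 130).
[ -d "$DEVICES_DIR" ] || make_sample_devices
check_device aix 136 130 || :
```

On a Log Decoder, run check_device with the device name and the two numbers from the RSA Live Description field; a return code of 1 means the installed parser is older than what Live offers. The attribute extraction is deliberately tolerant of both layouts seen in parser files (one attribute per line, as in the article's output, or all on one line).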