Article Number
000001825
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.1.0
Platform: CentOS
O/S Version: 7
Issue
Log parser rules were created as described in the documentation. However, the messages that require parsing are not being parsed.
Cause
With the current support, there are two use cases for dynamic parsing:
- Parse out all the important information from a log that is not parsing through any XML parser:
In that case, log parser rules can be created for a new event source that is not supported as of now. Make sure to map the device IP to the parser, because there will be no headers (for discovery), only log parser rules in the parser (token file).
- Parse out information from a log that is parsing against a header but not matching any message ID (extended parser capabilities):
In this case, log parser rules can be created for an existing event source, but only to parse out information from logs that parse against one of the headers in the parser but none of its message IDs.
The third category, where the log parses against a header as well as a message ID in the log parser, is not supported: rules cannot be used in that use case.
Resolution
This may be fixed in version 11.4, as per the current status of internal JIRA ASOC-79906.