Default Enabled Parsers

dmontgomery · ‎12-15-2023

In the Admin > Device > Parsers many (all) are enabled but many are for devices we do not have in our environment. Does having unused parsers enabled affect the SIEM performance? Would it make sense to disable them?

sioannou · ‎12-20-2023

Hi,

Parsers are evaluated in the order they appear. If there is a match the parser is utilised and evaluation stops at the parser. In general yes you can disable the ones not utilised but in general the Parser system is a very high performance system to be in a position to manage EPS in the millions in certain deployment.

The final decision is yours, disabling them does not cause any harm but be very careful with Parsers that are utilised for multiple sources (like CEF, JSON etc).

Let me know if there are any additional questions.

Regards,

S

View solution in original post

sioannou · ‎12-20-2023

Hi,

Parsers are evaluated in the order they appear. If there is a match the parser is utilised and evaluation stops at the parser. In general yes you can disable the ones not utilised but in general the Parser system is a very high performance system to be in a position to manage EPS in the millions in certain deployment.

The final decision is yours, disabling them does not cause any harm but be very careful with Parsers that are utilised for multiple sources (like CEF, JSON etc).

Let me know if there are any additional questions.

Regards,

S