Issue | This article provides the steps to check or verify the unknown or undefined logs in the RSA Netwitness. And also to know about the UDS (Universal Device Support) process. |
Tasks | 1. Verify the event source version, if that is present in the Netwitness supported event source list or not. Below is the link to the updated content: https://community.rsa.com/community/products/netwitness/parser-network/event-sources If the event source is still in the supported list and the respective logs are unknown or undefined, then follow the procedure mentioned in the resolution to confirm the status.
2. If the versions are not supported or if it is a new event source then please raise an enhancement request w.r.t the below link:
3. If it’s a custom application then please go through the UDS (universal device support) process. For more information, please contact the local sales or professional service team.
You can also download the latest version of ESI tool from the below link to develop your own UDS. RSA Security Analytics ESI Tool Downloads However it is recommended that you should test your new parser on a test environment first before deploying them in any production system. We will also update the best practice and guidelines on creating a new UDS package soon. |
Resolution | If the event source is in the supported event source list and still the logs are going as unknown or undefined then follow the below procedure to verify the status:
1. Verify and confirm the latest ESU (event source update) version from the below path:
[root@LDecoder etc]# cd /etc/netwitness/ng/envision/etc [root@LDecoder etc]# cat esu-ver.dat 20170201-012948 Where 20170201, represents the updated date which is in YYYYMMDD format.
Note: RSA releases updates every month and the same can be verified in the LIVE as well. If still the logs are going under unknown or undefined even after the latest ESU is updated then please provide the below information while opening a CS ticket: a. Sample logs ( multiple sample logs for a single log category) by extracting from the investigation window b. Event source version c. Log collection type ( e.g. syslog, ODBC, SNMP etc)
Note: if the sample log file size is exceeded to the size which is allowed in the email then follow the attached procedure to upload them on the SFTP link and update the file ID in the case. |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.