NetWitness Community

I don't have RSA security analytics as a log parsers on our decoder.  Am I missing something?  I also don't see the .xml inside your ZIP to add it to the log parsing.

Thanks!

[xxxx@xxxxxxxx devices]$ ls |grep rsa

rsaaah

rsaaaop

rsaaccessmanager

rsaacesrv

rsaarcher

rsaaveksa

rsacm

rsadlp

rsaecat

rsafim

rsakeymanager

rsavlr

[xxxx@xxxxxxxx devices]$

[xxxx@xxxxxxxx devices]$ pwd

/etc/netwitness/ng/envision/etc/devices

Sean,

Sounds like the file did not download correctly or the zip program is not extracting it properly.  I was able to successfully download (under another account), unzip and validate the contents, so the file on the site is good.  The application I used to unzip it was 7-zip.

Check your zip file.

MD5: bd80feeaefaa714dba12c26168ca93e0

You should see a folder inside of the zip file called rsasecurityanalytics containing the xml and supporting files.

The contents of the zip file should be:

rsasecurityanaltyics <Folder>

          rsasecurityanalyticsvendor.txt

          rsasecurityanalyticsmsg.xml

          rsasecurityanalyticsclient.txt

          rsasecurityanalytics.ini

Security Analytics Log Parser Alert Rules.xlsx

Sample Alerts 1.4.zip

Installation Instructions.pdf

Change Log.txt

Apparently had a bad zip, redownloaded it and all the files are there.  Thanks!

Random question, does the ESI tool that worked with envision work the same with SA?  The esi.deviceclass seems similar to something it would have written.

Yes, I used the ESI tool to create and test it.  I also used Notepad++ with the XML plugin to modify it.

Very good initiative!

Thanks...

Thanks a lot for fullfilling my feature request! 😄

Today I found one unparsed message so here it is for some future release

================

<!--Feb 26 15:23:51 sa-siem01 nw[2806]: [OdbcCollection] [info] [esetv5.eset_avmngt01] [processing] [eset_avmngt01] Published 0 ODBC events: last tracking id: 2014-02-26 13:56:14.000 -->

  <MESSAGE

  level="6"

  parse="1"

  parsedefvalue="1"

  tableid="89"

  id1="OdbcCollection"

  id2="OdbcCollection"

  eventcategory="1600000000"

  content="[&lt;event_type&gt;] &lt;event_description&gt;"/>

===============

How do I upload the alerts/rules so that I don't have to create them manually?

Thanks! I will add it on the next version.

Import them from the Alert control panel/screen/whatever you want to call it.

Be sure to check all of the checkboxes on import. 

(rules, list, and alert, if I remember correctly).

Here is some documentation if you need it for the Alert Control Panel.

For 10.3  (the alert control panel is under Administration-->Reporting-->Manage then choose "Alert")

Import An Alert

http://sadocs.emc.com/0_en-us/095_10.3_User_Guide/55_Reporting/Alert_Overview/Import_an_Alert

For 10.2

Alert Control Panel  (The import icon is displayed at the top of the control panel)

http://sadocs.emc.com/0_en-us/199_10.2_User_Guide/Alerter_Module/Alerter_Define_View/01_Alert_Panel

Import an Alert.  (this one was missing some screenshots that are shown in the previous link)

http://sadocs.emc.com/0_en-us/199_10.2_User_Guide/Alerter_Module/Alerter_Define_View/01_Alert_Panel/2_Import_an_Alert

The docs aren't as precise as I would like them to be, but they should get you in the right spot for importing everything.

Hope this helps.

Ahh, sadly I missed that! Got it now, thanks a bunch.

You are welcome.  Enjoy.

Hi All

We don't have ESA so still that time we have to use CEP but if we are try to search CEP Module rule .Its only 15 Rule are displaying so do you know any place where we can get couple of rule which I can import to RSA SA. Till I have ESA...

Hello this is a nice feature, by any chance do you have any documentation on how to create log parsers? I have the documentation for sessions (LUA & Flex) but I'm interested in log.

Hello

Could you give your email. I will sent you some documents about creating and implementing new parsers

Hi Sergey,

i also need the document to create parser if you can send me too, then it will be great help.

my mail id rajveeryadav004@gmail.com

thanks in advance.

hello sergei! can you send it to ilinux@me.com, thak you!

Version 2 of this parser is available now.

Eric,

The query time is the time elapsed from when the query was submitted (started) to when the query was completed.  Queue time is when there are no more query threads available and the queries are queued until it can be serviced.  The queries would be someone clicking on items in Investigation, reports, report engine alerts, charts, dashlets, etc...  So what you want on query time is a low number, the lower the number the faster the query was completed and a better user experience in Investigation as well as other areas.

Eric,

Sorry for the delay, I am not getting notifications that comments have been posted for some reason.

Query time is the time that it took to complete the requested query from Investigation or other query source.  Queue time is how long it waited in the queue before the query could begin.  You want these numbers to be low, lower numbers mean faster response (better user experience).  Most of the time the queue time will be "00:00:00" but if you have a non zero number in queue time that means that your Investigation queries are getting backed up and queued.  Queuing of queries should be infrequent and a low number, say less than a minute.

Thanks...

leonardc