NetWitness Community

Thanks!

You are welcome!

You are Welcome!

Nice!

Not a big deal but figured I would mention it for future releases.  In the excel doc Variable and Metakey info the monitored_device is actually linked to device.monitored, not monitored.device. 

Thanks again!

Ok, thanks for the heads up.  I will get it corrected.

Thanks for the update on what the issue was.

Hi leonardc,

I would like to thank you for your work.

I still wonder, how is possible, that parser for SA must be created by custommers. It's shame...

This was created by RSA PS not a customer.

You are welcome, and Sean is correct, as I work for RSA in Security Analytics Professional Services.

Thanks...

I work on this in my spare time and I can only work with samples I have or can generate on my test system.  If you can send me some sanitized samples and provide me some info on how they were generated that would be great.  I will add them in the next release.  Just send me a private message and we can work out the sample delivery details.

The current version works with 10.4.1.  The CentOS events would be parsed by the rhlinux parser.

Most SA service starts and stops from the CLI generate log events and are parsed, they just lack some additional events that provide context around that restart/start/stop.  The GUI service restart shows that it was user initiated and gives the user an opportunity to provide a reason for the restart.  Java based services like jetty, report engine, esa have their own logs and do not send to /var/log/messages, so these events are not seen nor parsed.  However some of these services now have audit features and have not yet been fully explored to see what events come from enabling the auditing.

There is no ETA for a newer version of the SA parser at this time, as I have said before this is something I do in my spare time.  Since it summer and it is daylight longer, that reduces my time on the computer and increases my other outside activities.

Hello Guys,

I have a doubt, last week I applied an SecurityAnalytics 2.0 parser on my SA. Now here I have one doubt.

I have two sites, i.e., Prod & DR with different SA & Log Decoder appliances, so I had applied the parser first on the DR Log Decoder and also applied the Broker & Concentrator (DR) Index file, as we use 1 broker for investigation purspose, to view all the data from every concentrator.

Now do I need to apply the same parser on the Prod Log Decoder and do the same on Concentrator also, if I"ll do it did I get the "rsasecurityanalytics" device type twice or only once.

Kindly suggest.

Regards,

Deepanshu Sood.

Deepanshu,

In a multi-site (multiple log decoders) it is a good idea to keep the parsers/table maps consistent on all log decoders.  The same goes with the indexes on the Concentrators/Brokers.  You will only see one device type in Investigation but you will see different log decoder sources for the device type rsasecurityanalytics.

Typically in a multiple site configuration the parser works best when the Security Analytics logs are sent to different log decoders.

For example you have two sites, Site1 and Site 2.  The SA Devices should be configured to as follows:

     Site1 SA Devices should send logs to the Site2 Log Decoder.

     Site2 SA Devices should send logs to the Site1 Log Decoder.

This way if any of the systems you are logging from have a problem in Site1 the events will be captured by Site2, processed and made available to the ESA (assuming you have one for each site or one that is looking at both sites) for alerting.  The same goes for Site2 sending to Site1.

leonardc

Hi #leonardc,

Hope you are doing well.

Well this time I am facing some issues regarding the parser for RSA Security Analytics.

All the SA components are going under multiple device type, like mentioned below

rhlinux (>1,000 - 16%)  - unknown (172)  - bigip (21)

And also if I opened and checked the logs under these meta keys, the logs are not clear so I am not able to understand the event like which activity it's reffering too. for more understanding kindly refer to the below mentioned logs.

Aug 19 11:53:56 DR-SA-LDEC01 nw[2902]: [WindowsStringsManager] [warning] unable to find operating system mapping for Windows 8.1 Enterprise; using default mapping (warning suppressed 188 times)

Aug 19 11:10:01 DR-SA-LDEC01 CROND[6810]: (root) CMD (/usr/lib64/sa/sa1 1 1)

So all these logs are very unclear to understand that what does this mean, and also the categoriztaion of this not going in the right fileds.

Pls suggest. Thanks a lot.

Regards,

Deepanshu Sood.

Deepanshu,

It is normal for the SA devices to show up as multiple device types as there are Linux CentOS logs along with other application logs, including SA application logs.  The three common device types that the SA systems should have in Investigation is "rhlinux", "rsasecurityanalytics" and "unknown".  The SA parser parses a subset of the SA application logs, as I don't have samples for every possible log that SA can generate, so there will be the "unknown" device type as well.  A general rule is that most SA application logs in /var/log/messages have the "nw[#####}" after the date and hostname.  The remaining logs are generally Linux CentOS operating system log entries, crond and anacron for example are most likely Linux scheduled jobs running to automate the management of the system.  There can be other entries but the most common is what I have described.  It is difficult to keep the "unknown" device type from the system as log entries get added or modified with updates and patches.

When the parser has no exact match for a log event, the log decoder finds the closest match using the parsers that it has enabled and when there is no match at all, it gets classified as "unknown".  You will find that there some odd matches like "crossbeam" is a common one I find that matches on some SA logs.  Unfortunately it does not give you any meta when this happens and basically is not much different than getting put in the "unknown" device type.

In short, if the parser has a good match for the log event, you get meta, if you have a bad match (incorrect device type) or the "unknown" device type you don't get any useful meta that you can use in investigation.

To resolve "unknown" log events, open a ticket with support and ask about how to get new "unknown" log events added to the parsers in Live.  You will need to be able to provide information regarding what generated the log event and the reason for the event.  You can use google to help with determining what generated the log event and what it means.  This only applies to parsers that come from Live, not custom parsers that were developed outside of the RSA Live Content, like this parser.  In that case you would need to contact the author of the parser and see if they can update the parser, or you also have the option to update the parser yourself if you are familiar with editing parsers.  In all cases you will need to know where the log event came from and the context/reason for this event to occur so that it can be properly classified and the values properly assigned to metakeys.

Thanks...

Leonardc

Hi,

force the device type in the devicetbl.xml file on the logdecoder prior to update to 10.5.0,1.

Beside nokiaipso or infobloxnios, the unknown messages for the logdecoder and the concentrator are now also dispatched as device.type = securityanalytics and rsa_security_analytics_monitored_devices. (BTM: never heard about them).

I have now 6 device type for the same ip address.

Kind regards

Gab.

Use with caution, forcing the device ip gives it the desired device type, however, forcing the device type does not mean the event will be parsed properly.  If the parser does not have an entry for the event, there will be no meta assigned to it.  It's still the same "unknown" event with a different name and no meta.

As David said, it still parses events like queries, ESA rule creation/Deletions, ESA rule sync, database, index activites, some user logon/off activity, subscription updates and a few others.

Most of the ESA alerts have been replaced by the health and wellnes policies.

In short it still provides some useful information.  I have not had the time to fully evaluate it on 10.5.

Hello,

Well this parser is helping me to so much to identify those event sources which are having some problem in logging, like SQL/datbases servers.

In the same way this parser is detecting those database machines which are not logging to SA, can we check the other types of collection method machines which are not logging or throwing some error messages?

Is it possible to understand with the help of this parser, so that I can create a report by understand which machines are not logging.

Pls advise.

Regards,

Deepanshu Sood.

Hello,

Looks like the parser doesn't work on 10.5.1, they changed the logging from

nw[<hinfo>]

to

nwBroker[<hinfo>]

nwLogDecoder[<hinfo>]

nwConcentrator[<hinfo>]

The logs turned to unknowns in an instant

UPDATE:

I am currently working on a 2.3.x version that will address the new header on 10.5.1 as well as add new events.  No ETA for it's release at the moment.  Just wanted to let you know that there is an update in the works.

Thanks....

I am doing some testing with 10.6.1.  Is there anything in particular you are wanting to parse in 10.6.1 logs?

THE MOST CURRENT VERSION IS 2.3.99, which works with 10.6.x.