NetWitness Community

Anonymous · ‎2013-11-13

When the PS people were on site they were not sure how to get FTP logs into SA. According to them it was not supported but I do not see how that would be possible, although it might be. Does anyone know how to get SFTP and FTP logs into SA?

I have a log collector running and a service for bluecoats.

Anonymous · ‎2013-11-13

SA rides on top of Centos; so, fairly easy to get the file over into the log collector via scp or sftp. If the BC files are compressed, make sure you uncompress them before dropping the files into the appropriate file reader directory location.

For BC, you are going to need the bluecoat_elff_tvm parser that only appears to work with the filereader method.

Please refer to the following documentation:

http://docs.netwitness.com/1-RSA_Security_Analytics_User_Guide/50_Administration_Module/1_The_Devices_View/3_Device_Config_View/Log_Collectors/2_Log_Collector_Event_Sources_Tab/01_File_Event_Source

Remember that the File Directory will reside on the Log Decoder appliance. To confirm just SSH into the appliance and cd into /var/netwitness/logcollector/upload and find the file read parser, in this case, it will be blue_coat_elff_tvm.

The subdirectory will be created off that branch of the directory tree.

Hope this information helps.

Cheers

View solution in original post

Anonymous · ‎2013-11-13

SA rides on top of Centos; so, fairly easy to get the file over into the log collector via scp or sftp. If the BC files are compressed, make sure you uncompress them before dropping the files into the appropriate file reader directory location.

For BC, you are going to need the bluecoat_elff_tvm parser that only appears to work with the filereader method.

Please refer to the following documentation:

http://docs.netwitness.com/1-RSA_Security_Analytics_User_Guide/50_Administration_Module/1_The_Devices_View/3_Device_Config_View/Log_Collectors/2_Log_Collector_Event_Sources_Tab/01_File_Event_Source

Remember that the File Directory will reside on the Log Decoder appliance. To confirm just SSH into the appliance and cd into /var/netwitness/logcollector/upload and find the file read parser, in this case, it will be blue_coat_elff_tvm.

The subdirectory will be created off that branch of the directory tree.

Hope this information helps.

Cheers

Anonymous · ‎2013-11-14

it's not supported yet, they told me there are parsing issues and they working on it, hopefully soon I'm still waiting on that.

RSAAdmin · ‎2014-01-07

Hi,

Bluecoat_elff_tvm is running fine... just had to do some corrections in the log format supplied in the RSA doc.

AND.... .gz files are supported

Sébastien

Forgot to say we are using 10.3.1

Anonymous · ‎2014-01-22

I confirm that we are using the same via FTP.

Anonymous · ‎2014-01-22

So just to make sure, I am going to be telling bluecoat to ship to /var/netwitness/logcollector/upload/bluecoatelff_tvm/{name}, then the filereader will take the .gz and process them?

Anonymous · ‎2014-01-22

Hi Sean,

Just make sure that the file is not compressed. For some reason, I had issues with getting the compressed files parsed successfully.

Regards,

JohnyBricks

huanzhou1 · ‎2014-03-17

which account you guys using to upload the logs?

Anonymous · ‎2014-03-17

I am currently waiting on RSA support to get back to me with the RPMs for 10.3.2. They are suppose to be allowing better integration in this but the RPMs are not available yet. I believe I am waiting on RSSH but they don't have a supported version even though they state you can in the install docs.

huanzhou1 · ‎2014-03-17

you mean log collector 10.3.2? which you can download from SCOL. I had some issue while trying to using upload/sftp account, so i'm using root as for now.

NetWitness Community

Bluecoat and FTP logs