2017-07-19 11:25 AM
Hello,
There are Intrusion Prevention System (IPS) devices whose IPs are categorized under 'ips' (metadata) as device class (metakey) and 'radwaredp' (metadata) as device type (metakey) on the Data Center RSA console. But the same IPs are categorized under 'unix' as device class and 'hpux' as device type on the Data Recovery RSA console. Also, the logs which we receive at the Data Recovery RSA console are the same as those at the Data Center RSA.
So at the Data Recovery RSA console, I need to change this 'unix' into 'ips' as device class and 'hpux' into 'radwaredp' as device type. Kindly help me.
2017-07-19 12:22 PM
Most likely what is happening is that some of the messages from your device are OS-based logs, which is why they are getting categorized as hpux or other device types.
You have a couple of options to try to resolve this going forward:
It depends on what your environment looks like and what devices are logging to your log decoders.
Eric
2017-07-20 05:57 AM
Thanks for your reply Eric
Coming to the first point, yes, we have hpux devices logging to the RSA system. So we won't be able to disable the hpux log parser.
And the problem with our RSA is that we are still using RSA version 10.2, so I am not able to find the parser mapping tab on the log decoder. Please help me in resolving the issue on version 10.2.
2017-07-20 07:18 AM
10.2 is very, very old. I would highly recommend that an upgrade to 10.6.x be considered for many reasons, including security fixes, performance and feature enhancements.
Solving this with 10.2 is going to be problematic.
Eric
2017-07-26 04:34 AM
Was it possible to configure the "parser IP mapping" in the old way in the 10.2?
In the "explore view" of Log Decoder, choose "Decoder" -> "parsers", then select "Properties".
On the dropdown box, select "ipdevice".
It says: "Map IP to Device type in log parsing. Multiple device types mapped to the same ip/host are prioritized in the order in which they are listed. Takes effect immediately."
The syntax is:
op=edit entries=+(host_IP)=(parser_name)
It shouldn't be necessary but I always reload the parsers after this.
I hope this helps.
Best regards
Marco
2017-07-26 05:40 AM
Marco, I really appreciate your response. It was not possible to configure 'parser IP mapping' in the old way.
As you mentioned above, in the dropdown box I should select "IP device", but I am not able to find such an option in 10.2.
Kindly help me in resolving this issue.