2016-03-10 08:51 AM
Good day!
We have RSA SA Hybrid for logs with 10.5 software installed
and we want to collect logs from several sources not supported directly by RSA (not listed in https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/03_Supported_Event_Sources )
source - ODBC Database
Is it possible to create such an event source?
As I see in partner-created event sources, it should be several XML files and a .envision file.
The XML file format is almost clear to me, but the .envision file is binary.
So is there any tool which can help to create the necessary files?
I found a little information about Event Source Integrator (ESI)... does it help?
Thanks for any opinions!
2016-03-10 04:04 PM
Yes, SA can be configured to collect from non-supported devices very easily.
In order to configure an ODBC collection method you would need to build an ODBC file spec, which includes the select statement.
Then you would collect the logs in SA and export them. Then build the parser.
2016-03-11 01:54 AM
Thanks, Dave.
Can you explain it to me step by step, describing the tools or files used?
Where can I find an ODBC file spec example?
How can I build the parser? Is it a text file like XML? Or should I use some tool?
2016-03-11 12:12 PM
Look into the folder /etc/netwitness/ng/logcollection/content/collection/odbc on your Log Collector/Decoder appliance. You can see a lot of different XML files for all supported ODBC event sources in your SA. You should create the same kind of XML for your unsupported event source to receive events into SA, and then you should create a parser (ESI) for those events.
2016-03-11 12:17 PM
Alex
If you send me a mail at dave.glover at rsa I can help you out.
Dave
2016-03-25 05:11 AM
Alexey, thanks for the answer.
I've created the XML and set up the event source in Log Collector.
What should I do next?
Should I use the RSA enVision ESI tool? But this tool does not accept my XML file. Should I create a new one?
Please explain to me how to use this tool (if I should use it).
2016-03-25 05:13 AM
Dave,
I sent an e-mail to you two weeks ago.
Have you received it?
2016-03-25 05:25 AM
Alexander, have you received logs from the event source in RSA SA? Do you see those logs as device.type = 'unknown'? If yes, you should use RSA ESI to parse those events; else you should find the issue why you don't receive logs in RSA SA from the event source, on the Logs tab of the Log Collector. Do you know how to work with ESI? Do you have the ESI documentation?
2016-03-25 05:43 AM
Alexey,
What is ESI? I've heard about enVision ESI only.
2016-03-25 05:47 AM
It is the same. At this time you should use RSA enVision ESI to parse events.