2016-03-10 08:51 AM
Good day!
We have an RSA SA Hybrid for logs with 10.5 software installed
and we want to collect logs from several sources not supported directly by RSA (not listed in https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/03_Supported_Event_Sources )
source - ODBC Database
Is it possible to create such an event source?
As I see in partner-created event sources, it should be several XML files and a .envision file
While the XML file format is almost clear to me, the .envision file is binary
So is there any tool which can help to create the necessary files?
I found a little information about Event Source Integrator (ESI)... is it helpful?
Thanks for any opinions!
2016-03-25 06:30 AM
I've tried to use this tool
there are two options - create a new XML or load an existing one
first of all I've tried to load an existing XML file (which I created for Log Collector), but ESI returned a syntax error (I didn't understand it)
then I tried to create a new XML (using a log file), but as I understood I must use a LOG file in enVision format
Am I right?
Concerning received logs - Yes, these are received
2016-03-25 06:53 AM
You should create a new XML file because you don't have any versions of your parser yet. The XML which you created before was a template for collecting events. Now you should create the XML file for parsing events. You should export your events from SA to a file (xxx.LOG) and then upload this file to ESI. After that you should choose an event, create a header and define payload metakeys. Create the parser, extract the folder from the archive and put it into the /etc/netwitness/ng/envision/etc/devices folder on the Log Decoder. I tried to find a guide on how to connect a manually created parser, but can't find it. I will look more carefully and upload it here if found.
2016-03-25 07:12 AM
Do you mean upload parser? Like this - https://sadocs.emc.com/0_en-us/299_10.1_User_Guide/50_Administration_Module/1_The_Devices_View/3_Device_Config_View/04_C…
2016-03-25 07:17 AM
2016-03-25 08:07 AM
Alexey,
Great! This guide is exactly what I was looking for. I'll try to create and deploy parser.
Thanks a lot!
2016-04-01 06:31 AM
Alexey,
I've created the parser, uploaded it to the envision directory, restarted the log decoder service (as explained in your guide), so in the Service parser configuration my parser is checked. But all logs from this event source are still shown as "unknown".
I've tried a lot of variants for the parser XML file but nothing changed
I don't know what I do wrong. Can you check my parser file?
I can't find how to attach a file (I see picture and video only), so I post the current parser XML file here. I added a test log string inside for comparison
--
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!--
#Author Name:Administrator
#Event source name:devicelock
#Event source XML file version:1.0
#Log collection method:ODBC
#Date&Time:Fri Mar 25 11:41:24 MSK 2016-->
<DEVICEMESSAGES>
<VERSION
xml="1"
checksum=""
revision="0"
enVision=""
device="2.0"/>
<!--ESI.DeviceClass = DLP-->
<!--
If the message tag does not contain a definition of a property,
the default value will be used.
The default values are:
category="0"
level="1"
parse="0"
parsedefvalue="0"
tableid="1"
id1=""
id2=""
content=""
reportcategory="0"
sitetrack="0"
The following are the entity reference for all the predefined entities:
&lt; <(opening angle bracket)
&gt; >(closing angle bracket)
&amp; &(ampersand)
&quot; "(double quotation mark)
-->
<HEADER
id1="0001"
id2="0001"
content="%devicelock: &lt;messageid&gt;^^&lt;hrecorded_time&gt;^^&lt;hseverity&gt;^^&lt;hfld1&gt;^^&lt;!payload&gt;"/>
<!--Log example:%devicelock: 734770^^2016-04-01 05:52:42^^1^^27^^Test message.-->
<MESSAGE
level="6"
parse="1"
parsedefvalue="1"
tableid="73"
id1="700758"
id2="700758"
eventcategory="1400000000"
content="&lt;msg&gt;"/>
</DEVICEMESSAGES>
---
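As an added illustration of the header / message / payload procedure described earlier in the thread and of the parser file posted above (example code written for this page, not code from the thread, from RSA or from ESI), here is a small Python model of how a HEADER template and MESSAGE definitions get applied to one log line. It assumes, as I understand the enVision parser format, that each <name> placeholder in a content attribute captures a field, <!payload> captures the remainder of the line, and the value captured as messageid selects the MESSAGE whose id1 equals it; the XML and log line are constructed copies of the ones posted, with the content attributes entity-escaped as XML requires. Under that assumption, the posted sample captures id 734770, which matches no MESSAGE id1, so the line is reported as unknown, while the second call shows the same line parsing once an id1 does match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed parser XML mirroring the one posted in the thread (not RSA's file).
PARSER_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<DEVICEMESSAGES>
<HEADER id1="0001" id2="0001"
 content="%devicelock: &lt;messageid&gt;^^&lt;hrecorded_time&gt;^^&lt;hseverity&gt;^^&lt;hfld1&gt;^^&lt;!payload&gt;"/>
<MESSAGE level="6" parse="1" parsedefvalue="1" tableid="73" id1="700758" id2="700758"
 eventcategory="1400000000" content="&lt;msg&gt;"/>
</DEVICEMESSAGES>
"""

# Constructed sample line, copied from the "Log example" comment in the posted parser.
SAMPLE_LOG = "%devicelock: 734770^^2016-04-01 05:52:42^^1^^27^^Test message."


def pattern_to_regex(content):
    """Turn a content template such as 'a<x>^^<y>^^<!payload>' into an anchored
    regex with one named group per placeholder. Literal text is escaped; a
    <!name> placeholder (assumed payload semantics) swallows the rest of the
    line, ordinary <name> placeholders match non-greedily up to the next literal."""
    parts = re.split(r"(<!?[A-Za-z0-9_]+>)", content)
    out = []
    for part in parts:
        m = re.fullmatch(r"<(!?)([A-Za-z0-9_]+)>", part)
        if m:
            name = m.group(2)
            out.append(f"(?P<{name}>.*)" if m.group(1) else f"(?P<{name}>.*?)")
        else:
            out.append(re.escape(part))
    return "^" + "".join(out) + "$"


def parse_event(parser_xml, line):
    """Apply the HEADER, pick the MESSAGE by the captured messageid, then apply
    the MESSAGE content to the payload. Returns a dict describing the outcome,
    including the reason when the line would fall through as 'unknown'."""
    # Encode to bytes so the ISO-8859-1 declaration is honoured by the parser.
    root = ET.fromstring(parser_xml.encode("latin-1"))
    header = root.find("HEADER")
    hm = re.match(pattern_to_regex(header.get("content")), line)
    if not hm:
        return {"status": "unknown", "reason": "no HEADER matched"}
    fields = hm.groupdict()
    payload = fields.pop("payload", "")
    msgid = fields.get("messageid")
    messages = {msg.get("id1"): msg for msg in root.findall("MESSAGE")}
    msg = messages.get(msgid)
    if msg is None:
        return {"status": "unknown",
                "reason": f"no MESSAGE with id1={msgid}", "header": fields}
    pm = re.match(pattern_to_regex(msg.get("content")), payload)
    if not pm:
        return {"status": "unknown",
                "reason": "MESSAGE content did not match payload", "header": fields}
    fields.update(pm.groupdict())
    return {"status": "parsed", "message_id": msgid, "fields": fields}


if __name__ == "__main__":
    # As posted: header matches, but no MESSAGE carries id1="734770".
    print(parse_event(PARSER_XML, SAMPLE_LOG))
    # Same line with a MESSAGE whose id1 equals the captured messageid.
    print(parse_event(PARSER_XML.replace('id1="700758"', 'id1="734770"'), SAMPLE_LOG))
```

The model only covers the matching logic, not metakey naming, tableid handling or anything a real Log Decoder does after a match, so treat its "unknown" reasons as a first check to run against a sample before deploying a parser, not as a substitute for RSA's documentation.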
2016-04-01 06:45 AM
Hello Alexander,
Your parser is not correct. I can help you privately, please email me at a.fedorov (dog) ntc-vulkan (dot) ru and send me a few log samples from SA and your XML. You can use Russian language via email.
2016-04-01 12:13 PM
Hi Alex,
Create Custom Content Typespec for ODBC Collection - RSA Security Analytics Documentation
You can use this guide to create a custom typespec file.
Thanks,
Saket
2016-04-08 05:18 AM
Alex I never did