This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Data Injection

Go to solution
Anonymous
Not applicable

‎2014-02-07 05:33 AM

Hi

 

just wondering if there was any possibility of injection Syslog-Data (for example for testing) like it was in enVision? I tried injecting some CheckpointFW data with different syslog utilities including enVision injector, but SA doesn't seem to be interested in the data.

 

Any other way to achieve this?

 

Regards

Rafael

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor
In response to huanzhou1

‎2014-02-07 07:12 AM

In my first screenshot you can see the NwLogPlayer is installed:

 

1.jpg

 

In my second screenshot I can invoke NwLogPlayer by using the NwLogPlayer command. The -h is for help:

 

2.jpg

 

In my final screenshot, I am using the -f switch to select a file to inject:

 

3.jpg

View solution in original post

11 REPLIES 11

Go to solution
LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2014-02-07 06:13 AM

Hi Rafael,

 

You could can upload logs by navigating to:

 

Administration --> Devices --> Log Decoder --> View --> System

 

From here you can upload logs but it will require you to stop capture.

 

Instead, with the upgrade packages for Security Analytics there should be a NwLogPlayer RPM file. This allows you to inject log files back into the Log Decoder.

Go to solution
huanzhou1
Beginner
Beginner

‎2014-02-07 06:57 AM

How to inject the logs? Log collector can take syslog, can describe your configration?

 

Thanks.

0 Likes

Go to solution
LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor
In response to huanzhou1

‎2014-02-07 07:12 AM

In my first screenshot you can see the NwLogPlayer is installed:

 

1.jpg

 

In my second screenshot I can invoke NwLogPlayer by using the NwLogPlayer command. The -h is for help:

 

2.jpg

 

In my final screenshot, I am using the -f switch to select a file to inject:

 

3.jpg

Go to solution
Anonymous
Not applicable
In response to LeeKirkpatrick

‎2014-02-07 08:08 AM

I have no idea why I didn't post here asking for advice on this one piece.  But I am so happy now that you posted this!  Works out perfect for what my Boss was looking for.  Thank you!!!!!

Go to solution
Anonymous
Not applicable
In response to LeeKirkpatrick

‎2014-02-07 08:36 AM

Hi LeeKirkPatrick


many thanks for the hint, I just did install the latest updates and nwlogplayer, works perfectly 🙂


Regards

Rafael

Go to solution
Anonymous
Not applicable
In response to LeeKirkpatrick

‎2014-02-24 04:01 AM

Thank you LeeKirkpatrick!

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2015-01-08 11:28 AM

Will the NwLogPlayer utility work to inject data into other SIEM besides SA/enVision?

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2015-01-08 01:05 PM

Aslong as it accepts syslog I would think it could send to other SIEMS.  According to the help you can tell it what IP to go to, and all it does is read line by line then send those lines. 

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2015-01-08 01:57 PM

Thanks -- I'm concerned that the data might get altered a bit with "envision-like headers" e.g. %APP-4:  etc.. and that might throw off parsers but I'll test it.  Good to know that it can at least get delivered out and not specific to targeting Security Analytics with this tool.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.