2014-02-07 05:33 AM
Hi
Just wondering if there is any possibility of injecting syslog data (for example for testing) like there was in enVision? I tried injecting some CheckpointFW data with different syslog utilities, including the enVision injector, but SA doesn't seem to be interested in the data.
Any other way to achieve this?
Regards
Rafael
2014-02-07 06:13 AM
Hi Rafael,
You can upload logs by navigating to:
Administration --> Devices --> Log Decoder --> View --> System
From here you can upload logs but it will require you to stop capture.
Instead, with the upgrade packages for Security Analytics there should be a NwLogPlayer RPM file. This allows you to inject log files back into the Log Decoder.
2014-02-07 06:57 AM
How do you inject the logs? The Log Collector can take syslog; can you describe your configuration?
Thanks.
2014-02-07 07:12 AM
In my first screenshot you can see the NwLogPlayer is installed:
In my second screenshot I can invoke NwLogPlayer by using the NwLogPlayer command. The -h is for help:
In my final screenshot, I am using the -f switch to select a file to inject:
2014-02-07 08:08 AM
I have no idea why I didn't post here asking for advice on this one piece. But I am so happy now that you posted this! Works out perfect for what my Boss was looking for. Thank you!!!!!
2014-02-07 08:36 AM
Hi LeeKirkPatrick
Many thanks for the hint, I just installed the latest updates and NwLogPlayer, works perfectly 🙂
Regards
Rafael
2014-02-24 04:01 AM
Thank you LeeKirkpatrick!
2015-01-08 11:28 AM
Will the NwLogPlayer utility work to inject data into other SIEMs besides SA/enVision?
2015-01-08 01:05 PM
As long as it accepts syslog I would think it could send to other SIEMs. According to the help you can tell it what IP to go to, and all it does is read line by line then send those lines.
2015-01-08 01:57 PM
Thanks. I'm concerned that the data might get altered a bit with "envision-like headers", e.g. %APP-4: etc., and that might throw off parsers, but I'll test it. Good to know that it can at least get delivered out and is not specific to targeting Security Analytics with this tool.
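The two posts above describe the whole mechanism (read a file line by line, send each line to a collector IP) and the worry that a device-style tag such as %APP-4: in front of the payload could confuse a parser. The script below is an added example written for this thread, not NwLogPlayer or any RSA code; it replays constructed Check Point-style lines over UDP into a throwaway local listener so you can inspect exactly what bytes a SIEM would receive before pointing anything at a real log decoder. The RFC 3164 header wrapping, the optional prefix tag, the hostname and the sample lines are all assumptions of the example.

```python
"""Minimal syslog line replayer (added example; not NwLogPlayer or RSA code).

Reads log lines, optionally wraps each in an RFC 3164 "<PRI>Mmm dd hh:mm:ss host "
header and sends it as one UDP datagram to a collector.  A loopback helper lets
you see the exact on-the-wire message before replaying into a real SIEM.
"""
import socket
import time
from datetime import datetime

FACILITY_LOCAL0 = 16          # syslog facility "local0"
SEVERITY_WARNING = 4          # syslog severity "warning"

# Constructed timestamp and sample lines (Check Point-flavoured, not real data).
EXAMPLE_TS = datetime(2014, 2, 7, 5, 33, 1)
SAMPLE_LINES = [
    "accept src=10.0.0.5 dst=10.0.0.9 proto=tcp service=443 rule=12",
    "drop src=192.0.2.44 dst=10.0.0.9 proto=tcp service=22 rule=99",
    "",  # blank line: replayer should skip it rather than send an empty datagram
    "accept src=10.0.0.7 dst=10.0.0.9 proto=udp service=53 rule=3",
]


def build_syslog_line(payload, facility=FACILITY_LOCAL0, severity=SEVERITY_WARNING,
                      hostname="replay-host", timestamp=None, prefix=""):
    """Wrap one raw log line in a BSD syslog (RFC 3164) header and return bytes.

    `prefix` is an optional device tag placed before the payload, e.g. the
    "%APP-4:" style tag mentioned in the thread (a constructed placeholder here;
    nothing in this example claims NwLogPlayer adds such a tag).
    """
    pri = facility * 8 + severity
    ts = timestamp or datetime.now()
    # RFC 3164 timestamp: abbreviated month, space-padded day, hh:mm:ss
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    body = f"{prefix} {payload}" if prefix else payload
    return f"<{pri}>{stamp} {hostname} {body}".encode("utf-8")


def replay_lines(lines, host, port, rate_per_sec=0, wrap=True, **header_kwargs):
    """Send each non-blank line to host:port over UDP; return the number sent.

    rate_per_sec=0 means "as fast as possible"; otherwise sleep between sends so
    a collector is not flooded during a test.
    """
    delay = 1.0 / rate_per_sec if rate_per_sec > 0 else 0.0
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for raw in lines:
            line = raw.rstrip("\r\n")
            if not line:
                continue
            msg = build_syslog_line(line, **header_kwargs) if wrap else line.encode("utf-8")
            sock.sendto(msg, (host, port))
            sent += 1
            if delay:
                time.sleep(delay)
    return sent


def replay_file(path, host, port, **kwargs):
    """Replay a log file line by line (what the thread says NwLogPlayer -f does)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return replay_lines(fh, host, port, **kwargs)


def loopback_demo(lines, wrap=True, **header_kwargs):
    """Bind a throwaway UDP listener on 127.0.0.1, replay `lines` into it and
    return the decoded datagrams in arrival order, so the header format can be
    checked without a real SIEM."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        expected = replay_lines(lines, "127.0.0.1", port, wrap=wrap, **header_kwargs)
        received = []
        while len(received) < expected:
            data, _ = listener.recvfrom(65535)
            received.append(data.decode("utf-8"))
        return received


if __name__ == "__main__":
    for msg in loopback_demo(SAMPLE_LINES, timestamp=EXAMPLE_TS, prefix="%APP-4:"):
        print(msg)
```

Run it once with prefix="" and once with prefix="%APP-4:" and feed both outputs to the parser of the SIEM you are testing; the difference between the two runs is exactly the header concern raised above, and a parser that only matches the bare line will show it immediately.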