2014-09-02 02:10 AM
Hi All,
I have a big issue regarding device integration.
I have integrated a few devices into SA and found that some of them are detected as two or more different device types (like BigIP, NortalVPN etc.). Even AD Windows is also detected as different device types.
To fix this I tried disabling the wrongly matched device type parser, and found that those logs now go in as unknown.
Can anyone tell me how to resolve this issue, or how to get a specific device type in SA?
I have heard that in SA 10.3.4 we can bind a device IP to a particular device type.
Is that possible, and if yes, can you please share the steps?
2014-09-02 05:52 AM
Hi rajveer,
Yes, from version 10.3.4 it's possible.
Just follow the steps from the RSA KB:
Support ID: a67284 - How to direct the RSA Security Analytics Log Decoder to use a specific device parser when collecting logs from a given event source (10.3.4 and higher)
This is done via the “Explore” view on the Log Decoder. Below are the steps to set this up.
1. Select “Explore” view for Log Decoder
2. Navigate to Decoder -> Parsers
3. Right-click “Parsers” and select “Properties”
4. From the drop-down select “ipdevice”
====
This command takes the following parameters
Map Ip to Device type in log parsing. Take effect after parser reload
security.roles: parsers.manage
parameters:
op - <string, {enum-one:edit|describe}> The operation to be performed (edit|describe). edit edits the entries; describe returns all existing ip2device entries.
entries - <string, optional> The IP entries. StringParam in the format '+/-ip=device'. + means add or edit a map entry, - means delete a map entry
reload - <bool, optional> Flag to reload parser after this command
====
5. In the parameters field enter
op=edit entries=+192.168.183.123=aix reload=true
6. Then type the following to confirm the entry
op=describe
7. Now that device will be forced to use the “aix” parser
Parser names can be found by going to Log Decoder -> Config and the Device Parsers Configuration.
All of this device-to-parser mapping is held in the following configuration file:
/etc/netwitness/ng/envision/etc/devicetbl.xml
<IpAddressMap>
<DeviceEntries>
<DeviceEntry device="aix" ipv4="192.168.183.123"/>
</DeviceEntries>
</IpAddressMap>
2014-09-02 06:13 AM
Hi DavidB12,
Thanks for the answer, I got it working.
But I have one more query regarding this: what if we have one multi-device host? I mean I have a Windows server with IIS installed on the same server, and I want to collect logs from the Windows system as well as the IIS server. For this we would use WinRM for Windows and the file reader for IIS.
So how can we set this up here? Can you please guide me?
Thanks in advance.
2014-09-02 06:43 AM
When you have more device types on the same log source, you can just add more devices separated by a comma.
op=edit entries="+192.168.183.123=winevent_nic,microsoftiis," reload=true
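The steps in the first answer and the comma-separated form in the one above both boil down to producing a correctly formatted `entries` StringParam and checking it against what ends up in devicetbl.xml. The script below is an added example, not RSA's code and not part of this thread: it reads a constructed devicetbl.xml in the layout quoted above, diffs it against the mapping you want, and emits the `op=edit entries=... reload=true` line with `+` for adds/replacements and `-` for deletions, validating every IP and parser name first so a stray space or `=` cannot corrupt the parameter string. It assumes that multiple parsers for one host are stored comma-separated in the `device` attribute and that several entries are separated by a space (neither is shown in the KB excerpt; both are assumptions). Parser names and IPs are the ones used in the thread plus constructed ones.

```python
"""Build the Log Decoder 'ipdevice' parameters and a devicetbl.xml fragment.

Added example for the thread above; not RSA code.  Assumptions are marked.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Parser names as listed in Device Parsers Configuration look like lowercase
# letters, digits and underscores (assumption based on the names in the thread).
_PARSER_NAME = re.compile(r"^[a-z0-9_]+$")

# Constructed sample of an existing mapping file, in the layout quoted above.
SAMPLE_DEVICETBL = """<IpAddressMap>
  <DeviceEntries>
    <DeviceEntry device="aix" ipv4="192.168.183.123"/>
    <DeviceEntry device="bigip" ipv4="10.0.0.5"/>
  </DeviceEntries>
</IpAddressMap>
"""


def parse_device_table(xml_text):
    """Return {ipv4: [parser, ...]} from a devicetbl.xml document.

    Several parsers for one source are assumed to be stored comma-separated
    in the device attribute, mirroring the 'entries' syntax (assumption).
    """
    root = ET.fromstring(xml_text)
    mapping = {}
    for entry in root.iter("DeviceEntry"):
        ip = str(ipaddress.IPv4Address(entry.attrib["ipv4"]))  # raises on junk
        mapping[ip] = [d for d in entry.attrib["device"].split(",") if d]
    return mapping


def _check(ip, parsers):
    """Reject values that would break the '+/-ip=device' StringParam."""
    ipaddress.IPv4Address(ip)
    if not parsers:
        raise ValueError("at least one parser required for %s" % ip)
    for p in parsers:
        if not _PARSER_NAME.match(p):
            raise ValueError("invalid parser name %r" % p)


def build_entries(current, desired):
    """Return the 'entries' value that turns `current` into `desired`.

    '+ip=dev1,dev2' adds or replaces a mapping, '-ip=dev' deletes one.
    Entries are joined with a space (assumption: the KB shows one at a time).
    """
    parts = []
    for ip, parsers in sorted(desired.items()):
        _check(ip, parsers)
        if current.get(ip) != list(parsers):
            parts.append("+%s=%s" % (ip, ",".join(parsers)))
    for ip, parsers in sorted(current.items()):
        if ip not in desired:
            parts.append("-%s=%s" % (ip, ",".join(parsers)))
    return " ".join(parts)


def build_command(current, desired, reload=True):
    """Full parameter line for the Explore view properties dialog."""
    entries = build_entries(current, desired)
    return 'op=edit entries="%s" reload=%s' % (entries, "true" if reload else "false")


def render_device_table(mapping):
    """Serialise a mapping into the devicetbl.xml layout shown in the thread."""
    root = ET.Element("IpAddressMap")
    entries = ET.SubElement(root, "DeviceEntries")
    for ip, parsers in sorted(mapping.items()):
        _check(ip, parsers)
        ET.SubElement(entries, "DeviceEntry", device=",".join(parsers), ipv4=ip)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    current = parse_device_table(SAMPLE_DEVICETBL)
    desired = {
        "192.168.183.123": ["winevent_nic", "microsoftiis"],  # Windows + IIS host
        "10.0.0.5": ["bigip"],                                 # unchanged
        "10.0.0.9": ["aix"],                                   # new mapping
    }
    print(build_command(current, desired))
    print(render_device_table(desired))
```

Run `op=describe` afterwards, as the KB says, and compare its output with `parse_device_table` on a copy of devicetbl.xml: if an entry you added is missing, the parser reload did not take effect.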
2014-09-03 12:30 AM
Hi DavidB12,
Thanks a lot, it's working.