2019-12-13 05:19 PM
Hi All,
We have recently moved to v11.3.1.1 on Netwitness and I am trying ot use the default Event Source monitoring to send syslog to one of our decoders when a device is inactive for a certain period of time. The default syslog template that is included for v11.3 is as below:
<@compress single_line=true>CEF:0|RSA|NetWitness Platform Event Source Monitoring|${version}|
<#if highAlarmsCount > 0> HighThresholdAlert|ThresholdExceeded|1|cat=${group}|Devices|
<#list 0..highAlarmEventSources?size - 1 as es> <#assign highAlarms = highAlarmEventSources[es]?split("^")>src=${highAlarms[0]}
<#if highAlarms?size > 1><#list 1..highAlarms?size - 1 as i> cs${i}=${highAlarms}</#list></#if>|
</#list></#if> <#if lowAlarmsCount > 0>LowThresholdAlert|ThresholdViolated|1|cat=${group}|Devices|
<#list 0..lowAlarmEventSources?size - 1 as es> <#assign lowAlarms = lowAlarmEventSources[es]?split("^")>src=${lowAlarms[0]}
<#if lowAlarms?size > 1><#list 1..lowAlarms?size - 1 as i> cs${i}=${lowAlarms}</#list></#if>|
</#list></#if></@compress>
This syslog does not parse with the latest CEF parser. It is very dishearting to see Netwitness not able to parse its own Syslog from the default template.Is there a particular parser already available for this?
I would also like to know if there is information on other keys that could be included in this template to have in more information.
Thanks in advance for the help.
2019-12-16 05:42 PM
Hi Shishir,
The CEF parser is the correct parser to handle these logs, and that template should be creating events that the CEF parser can read.
Can you post some of the logs that you are getting from this template?
Also, please ensure that you have the CEF parser enabled on your log decoder services:
2019-12-17 03:01 AM
Hi Josh,
Thanks for the reply. Yes I have the CEF parser deployed and enabled like I mentioned before. Still all the information is not being parsed out.
Leaving the parsing aside ( I could write a custom CEF parser if needed), there is another problem which I would like help on. The ESM default syslog template groups together source IPs if they belong to the same group/same device in a single syslog message.
I would like to have a single syslog message for each alarm because I need to use this event to trigger a health based UCS.
For example below:
Dec 17 06:20:00 localhost SecurityAnalytics: CEF:0|RSA|NetWitness Platform Event Source Monitoring|11.3.1.1| LowThresholdAlert|ThresholdViolated|1|cat=Test|Devices| src=10.x.x.x cs1=bigip cs2=Manual| src=10.x.x.x cs1=junosrouter cs2=Manual| src=10.x.x.x cs1=rhlinux cs2=Manual|
As you can see here, these are alarms for three different source types from the same IP belonging to the same group. Could you please help me with this?
2019-12-20 01:17 PM
I'm not aware of any way, at the moment, to split those up into different messages.
Let me ask you this, though - if all the IPs in that log are the same and all belong to the same device, why can the event not be used to trigger a health check on the device?
2020-01-07 05:01 AM
Hi Josh,
Happy New Year and thanks for your response! Please find my reply inline:
If all the IPs in that log are the same and all belong to the same device, why can the event not be used to trigger a health check on the device? - If this is the only situation, I agree there would not be a problem, however the metakey ip_src (string) will still be populated more than once for the same event which I wanted to avoid.
Another situation I face is that, if I create a monitoring group say consisting of all Checkpoint device and more than one checkpoint is down at a time, the template again groups all the members of the same group in a single syslog message as below:
Jan 1 09:32:00 localhost SecurityAnalytics: CEF:0|RSA|NetWitness Platform Event Source Monitoring|11.3.1.1| LowThresholdAlert|ThresholdViolated|1|cat=MON Checkpoint FW - Sample|Devices| src=x.x.x.x cs1=checkpointfw1 cs2=Manual| src=y.y.y.y cs1=checkpointfw1 cs2=Manual| src=z.z.z.z cs1=checkpointfw1 cs2=Manual| src=n.n.n.n cs1=checkpointfw1 cs2=Manual| src=m.m.m.m cs1=checkpointfw1 cs2=Manual|
As you can see here we have different unique values for source in the same log. In my correlation rule, I want to alert for one source belonging to one device type based on this syslog message and I presume this is going to be an issue, unless we can have a single syslog message per source per device type or if we could split the entries into various metakeys.
Please correct me if I am wrong and help me with a solution. I am looking to implement a healting monitoring alerting and response solution with this inbuilt ESM monitoring.
Thanks in advance