2015-01-16 11:38 AM
I'm looking to generate a report for all reporting & non-reporting event sources from SA v10.4. Does anyone know how to do that?
Thanks!!
2015-02-03 06:07 AM
Hi Ravick,
Maybe the NwConsole command below could help you out? You could pipe this to a file and then perform post-processing in Excel. The command below will show all devices with their source IP, count of logs, and the last time a log was seen.
NwConsole -c login localhost:50002 <username> <password> -c decoder logStats |grep -e device | awk -F " " '{print $2","$4","$5","$6}' |sed 's/device=//;s/source=//;s/count=//;s/time="//'
The output looks like the below:
bigip,192.168.183.12,2250,2014-Dec-18
bigip,192.168.183.136,164,2014-Dec-18
bluecoatdirector,192.168.183.12,1,2014-Dec-16
bluecoatdirector,192.168.183.136,1,2014-Dec-17
checkpointfw1,::1,64,2014-Dec-18
ciscorouter,192.168.183.12,176,2014-Dec-18
crossbeamc,192.168.183.12,2323,2014-Dec-09
crossbeamc,192.168.183.136,2688,2014-Dec-18
fortinet,::1,414,2014-Dec-18
rhlinux,192.168.183.12,14333,2014-Dec-18
rhlinux,192.168.183.136,768,2014-Dec-18
rhlinux,source,309,1970-Jan-01
tippingpoint,192.168.183.12,176918,2014-Dec-18
tippingpoint,192.168.183.136,184,2014-Dec-18
unknown,192.168.183.12,99852,2014-Dec-18
unknown,192.168.183.131,205,2014-Nov-25
unknown,source,194415,1970-Jan-01
winevent_nic,192.168.183.131,262,2014-Nov-25
2015-01-22 11:48 AM
I am not entirely sure that this is possible given that the reporting engine is not "aware of its surroundings". Event sources are not, by default, reporting when they stop sending events, and SA does not know the difference between an event source that has stopped, and one that is just not as chatty (maybe hours between logs) as others. Maybe a feature to be requested in future updates? For now though, you can check Log Decoder -> Stats -> Log Stats (tab) and see when the last time a log was seen from each event source...
I have pondered this same question myself when asked for this by customers. I may be wrong, but from my experience, I just don't think this is a feature yet.
2015-01-22 01:31 PM
There is an ESA rule but it is slightly annoying because you also need the full list of IPs that you are expecting logs from which can get cumbersome to update.
2015-01-22 03:06 PM
First of all, thanks Adam/Sean for your responses!!
I would like to put my requirement a different way.
I believe we have 2 options to get Event Source reporting statistics:
How can I download that statistics data as a report & share it with the customer in PDF/CSV format?
2015-01-22 04:35 PM
You can generate a report based on the IPs (use lists) of the devices from a certain period of time; if you have any event it will report it.
You can even use the lookup and add function for each device and look at it further.
2015-01-28 05:01 AM
I have another issue with event source monitoring.
We were initially forwarding logs via zConnector from enVision to SA. Now I have migrated the majority of appliances to SA directly. However, in the "Event Source Monitoring" tab, the device IP appears twice, with the Log Collector IP of enVision and of the decoder. So when I tried to configure alerts for devices not sending logs, an alert is generated for the entry with the enVision Log Collector IP.
Is it possible to configure event source monitoring alerts excluding old entries, or can we filter the alerting based on Log Collector IP?
Also, is it possible to remove old entries from the Event Source Monitoring tab?
2015-01-28 12:22 PM
You can exclude the event sources that have forward.ip meta. Those event sources are sent via zConnector.
2015-01-28 02:48 PM
Thanks Linuts for the response!!
We are setting up SA newly & we don't know the Event Source IPs, so I can't input IPs via a list. I'm completely dependent on SA to know what is really reporting.
2015-01-28 07:00 PM
SA (I believe even in 10.4) doesn't have this option. The other option you have is to query the decoders via the REST API to learn the last reported date and time. But again, it will only show what it has seen vs. what is configured to collect logs... the asset database feature is missing in SA.
If your environment has a good CMDB, you can get the source of truth from there and compare it with the SA reporting data.
2015-01-29 09:21 AM
Thanks!!
We have more than 20000 devices reporting so I'm not sure how I can compare with my CMDB data without extracting reporting event sources from SA in CSV file.
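The two suggestions above (dump last-seen times per event source from the decoder, then compare that list against the CMDB) can be joined in one small script. The following is an added example, not code from this thread or from RSA: it reads CSV lines in the shape produced by the NwConsole/awk/sed pipeline earlier in the thread (device,source,count,last_seen), flags sources whose last log is older than a chosen number of days, drops the placeholder "source" rows with the 1970-Jan-01 date, and diffs the seen IPs against a CMDB inventory. The sample log lines and the CMDB IP set are constructed for illustration; in practice you would pipe the NwConsole output into the script and load the real CMDB export.

```python
"""Post-process NwConsole logStats CSV (device,source,count,last_seen) and
compare the IPs that have actually sent logs with a CMDB inventory.

Usage:  NwConsole ... | sed ... | python logstats_report.py > report.csv
(The NwConsole pipeline itself is the one shown earlier in the thread.)
"""
import csv
import sys
from datetime import date, datetime, timedelta

# Constructed sample in the exact shape the pipeline emits (not real data).
SAMPLE_LOGSTATS = """\
bigip,192.168.183.12,2250,2014-Dec-18
crossbeamc,192.168.183.12,2323,2014-Dec-09
unknown,192.168.183.131,205,2014-Nov-25
rhlinux,source,309,1970-Jan-01
"""

# Constructed CMDB inventory: IPs that are expected to send logs (hypothetical).
SAMPLE_CMDB = {"192.168.183.12", "192.168.183.131", "10.0.0.7"}


def parse_logstats(text):
    """Turn the pipeline's CSV lines into dicts with a real date object."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        device, source, count, last_seen = line.split(",", 3)
        rows.append({
            "device": device,
            "source": source,
            "count": int(count),
            "last_seen": datetime.strptime(last_seen, "%Y-%b-%d").date(),
        })
    return rows


def is_placeholder(row):
    """Aggregate rows carry the literal source 'source' and an epoch date."""
    return row["source"] == "source" or row["last_seen"].year == 1970


def stale_sources(rows, as_of, max_age_days):
    """Sources that have sent nothing for more than max_age_days before as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r for r in rows if not is_placeholder(r) and r["last_seen"] < cutoff]


def compare_with_cmdb(rows, cmdb_ips):
    """Diff the IPs the decoder has seen against the CMDB's expected IPs."""
    seen = {r["source"] for r in rows if not is_placeholder(r)}
    return {
        "not_in_cmdb": sorted(seen - set(cmdb_ips)),
        "missing_from_sa": sorted(set(cmdb_ips) - seen),
    }


def build_report(rows, as_of, max_age_days):
    """One CSV-ready record per real source, with a status column."""
    cutoff = as_of - timedelta(days=max_age_days)
    report = []
    for r in rows:
        if is_placeholder(r):
            continue
        status = "stale" if r["last_seen"] < cutoff else "reporting"
        report.append({**r, "last_seen": r["last_seen"].isoformat(), "status": status})
    return report


if __name__ == "__main__":
    # Read pipeline output from stdin when piped; fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOGSTATS
    rows = parse_logstats(text)
    writer = csv.DictWriter(sys.stdout,
                            fieldnames=["device", "source", "count", "last_seen", "status"])
    writer.writeheader()
    writer.writerows(build_report(rows, date.today(), max_age_days=7))
```

The 7-day threshold is an assumption; as the earlier reply notes, SA cannot tell a dead source from a quiet one, so pick the window per device class rather than globally, and treat `missing_from_sa` (in the CMDB, never seen by the decoder) as the list that needs a collection-configuration check.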