2017-12-06 04:05 PM
Good day,
Please confirm that RSA SA supports these devices as an event source:
1. Cisco Nexus Data Broker (CNDB) 3.3; I do see somewhere on the supported devices list that it supports Cisco Nexus, but that is different from Cisco Nexus Data Broker
2. Cisco Data Center Network Manager (DCNM)
Thank you.
2017-12-11 10:19 AM
What is the logging format of these devices?
Syslog or CEF format?
If CEF, common meta will be extracted and custom meta can be added with the cef-custom.xml function in NW11.0/10.6.4.X
If syslog there may be some extraction with the existing CISCO parsers depending on format.
Custom Parsers can be written if needed with the release of the 1.0 Event Source Log Parser
https://community.rsa.com/docs/DOC-85017
Provide sample log files to validate (sanitize internal IP or hostnames if required)
2018-02-15 12:17 PM
Hi Eric,
It is in syslog format. See sample CNDB audit logs (sanitized).
2017-10-06 17:28:24.773 EDT Mode: REST user Boss Get UDF filter type excludeDefault
2017-10-24 16:12:17.210 EDT Mode: UI user Boss added Device 3.3.3.3
2017-10-24 16:13:14.323 EDT Mode: UI user Boss added Device 4.4.4.4
2017-10-24 16:13:54.535 EDT Mode: UI user Boss added Device 5.5.5.5
2017-10-24 16:14:26.539 EDT Mode: UI user Boss added Device 6.6.6.6
2017-10-24 16:17:52.448 EDT Mode: REST user Boss Get UDF filter type excludeDefault
2017-10-24 16:48:16.427 EDT Mode: UI user Boss configured Port E1 as Edge-SPAN
2017-10-24 16:53:45.712 EDT Mode: UI user Boss configured Port E1 as Edge-SPAN
2017-10-25 15:32:24.456 EDT Mode: UI user Boss added Role Application-User as App-User
2017-10-25 15:32:40.986 EDT Mode: UI user Boss assigned Role Application-User to group allPorts
2017-10-25 15:38:24.760 EDT Mode: UI user Boss added Device ABDC01HAINF6-if3 on Port Ethernet2/1@ABDC01HASP1A
2017-10-26 14:44:07.230 EDT Mode: UI user Boss added User TR-network as [Application-User]
2017-10-27 09:39:18.641 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 09:40:17.082 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 09:40:57.558 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 09:41:36.228 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 09:57:54.179 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 10:01:47.845 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 10:13:47.094 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 10:29:17.751 EDT Mode: UI user Boss added Device device2-if3 on Port E2
2017-10-27 10:43:50.806 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 10:50:38.848 EDT Mode: UI user Boss added Device 2.2.2.2
2017-10-27 10:51:48.938 EDT Mode: UI user Boss added Device 2.2.2.2
2017-11-04 18:18:42.720 EDT Mode: UI user Boss added Rule devicexyz_to_devicexyz
2017-11-14 15:22:19.361 EST Mode: UI user Boss toggled User joe_to_devicexyz
2017-11-14 15:22:33.030 EST Mode: UI user Boss toggled User jane_to_devicexyz
2017-11-27 16:01:43.317 EST Mode: UI user Boss added User janedoe as [Test-User]
2017-11-27 16:03:59.588 EST Mode: UI user Boss removed User janedoe
2018-02-15 01:41 PM
Doesn't appear that those are parsed with the parsers I have access to.
2018-02-15 02:47 PM
I stand partially corrected... after enabling all the Cisco parsers that I have, this is what I see... you get the basic header but none of the details of the message.
ciscorouter matches the same pattern as these logs.
Which could be an easier way to start a custom parser, with the msg.id included here and the appropriate header value, and extend the parser to pull the information you need from the events.
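As an added illustration of what "pull the information you need from the events" looks like for this format (this is not code from the thread, from RSA NetWitness, or from Cisco), the following Python parser splits the sanitized CNDB audit lines above into the fields a custom log parser would map to meta: timestamp, timezone abbreviation, access mode, user, verb, object type, object name and the optional qualifier ("as", "to", "on"). It generalizes across all the message variants visible in the sample, keeps a list of lines that did not match so parser gaps are visible, and flags the account and role changes a SOC would normally alert on. The dict key names and the sample subset are assumptions for the example, not NetWitness meta keys.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the sanitized CNDB audit lines posted in the thread,
# plus one deliberately malformed line to exercise the "unparsed" path.
SAMPLE_LOG = """\
2017-10-06 17:28:24.773 EDT Mode: REST user Boss Get UDF filter type excludeDefault
2017-10-24 16:12:17.210 EDT Mode: UI user Boss added Device 3.3.3.3
2017-10-24 16:48:16.427 EDT Mode: UI user Boss configured Port E1 as Edge-SPAN
2017-10-25 15:32:40.986 EDT Mode: UI user Boss assigned Role Application-User to group allPorts
2017-10-25 15:38:24.760 EDT Mode: UI user Boss added Device ABDC01HAINF6-if3 on Port Ethernet2/1@ABDC01HASP1A
2017-10-26 14:44:07.230 EDT Mode: UI user Boss added User TR-network as [Application-User]
2017-11-14 15:22:19.361 EST Mode: UI user Boss toggled User joe_to_devicexyz
2017-11-27 16:01:43.317 EST Mode: UI user Boss added User janedoe as [Test-User]
2017-11-27 16:03:59.588 EST Mode: UI user Boss removed User janedoe
this line is not a CNDB audit record
"""

# Header shared by every record: timestamp, TZ abbreviation, "Mode:", access mode, "user", account, message.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Z]{3,4}) "
    r"Mode: (?P<mode>\S+) user (?P<user>\S+) (?P<msg>.+)$"
)
# Message body as seen in the sample: <verb> <object type> <object name> [<qualifier>]
MSG_RE = re.compile(r"^(?P<action>\S+) (?P<obj_type>\S+) (?P<obj>\S+)(?: (?P<detail>.+))?$")
# Qualifier prefixes seen in the sample; anything else stays verbatim in "detail".
QUALIFIERS = ("as ", "to ", "on ")


def parse_line(line):
    """Parse one CNDB audit line into a flat dict, or return None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = MSG_RE.match(m.group("msg"))
    if not body:
        return None
    ev = {
        # EDT/EST are ambiguous abbreviations: keep the naive timestamp and the
        # abbreviation separately so the collector can apply the source's real offset.
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "tz": m.group("tz"),
        "mode": m.group("mode"),         # UI or REST in the sample
        "user": m.group("user"),
        "action": body.group("action"),  # added / removed / configured / assigned / toggled / Get
        "obj_type": body.group("obj_type"),
        "obj": body.group("obj"),
        "detail": body.group("detail"),  # raw trailing text, if any
        "target": None,                  # qualifier value, e.g. the role or port involved
    }
    detail = ev["detail"]
    if detail and detail.startswith(QUALIFIERS):
        # "as [Application-User]" -> "Application-User"; "on Port E2" -> "Port E2"
        ev["target"] = detail.split(" ", 1)[1].strip("[]")
    return ev


def parse_log(text):
    """Return (events, unparsed) for a block of log text; unparsed lines reveal parser gaps."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def action_summary(events):
    """Count events by (action, object type); useful as a baseline of normal admin activity."""
    return Counter((e["action"], e["obj_type"]) for e in events)


def account_changes(events):
    """Events that alter accounts or role bindings: the subset worth alerting on."""
    return [e for e in events if e["obj_type"] in ("User", "Role")]


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for e in account_changes(evs):
        print(e["time"], e["user"], e["action"], e["obj_type"], e["obj"], e["target"])
    print("unparsed:", bad)
```

The header regex is the part that corresponds to the "basic header" the Cisco parsers already match; the message regex is the extension that recovers the user, object and qualifier. Keeping the unparsed list is deliberate: any new CNDB message shape will show up there rather than silently dropping out of the meta.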