This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Flat text base search in SA?

Go to solution
Anonymous
Not applicable

‎2014-02-28 01:57 PM

When using envision I could go into the events and do a flat search across anything.  So I could select Linux and search for user1 and any message that had user1 would come back.  Is there anyway to do this in SA?  To this day I still have not found the way.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-02-28 03:07 PM

you're talking about event viewer aren't you - so a raw event search?

 

You are right - no such thing exists. A fundamental part of any SIEM solution but not currently available in SA as yet. Let's hope it's in 10.4.

View solution in original post

0 Likes
4 REPLIES 4

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-02-28 03:07 PM

you're talking about event viewer aren't you - so a raw event search?

 

You are right - no such thing exists. A fundamental part of any SIEM solution but not currently available in SA as yet. Let's hope it's in 10.4.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-03-03 08:13 AM

This kind of query is possible using Investigator 9.8, which works with any version of 9.x or 10.x.  You can drill in on your events and type in a text or regex search in the upper right search field of the breadcrumb bar.

0 Likes

Go to solution
Anonymous
Not applicable
In response to RSAAdmin

‎2014-03-03 08:22 AM

In SA 10.3.2, you still need a metakey to search off of. I have found a kinda work around but it is really bad to use I think in the long run for data retention by adding "msg" as an indexed field.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2014-03-28 02:40 PM

Sean,

 

How has this worked for you?  We are thinking to turn this on for our syslog event sources because our users need raw searching and in 10.3 you can then go into Events tab and search through raw logs of any device type using:  msg contains 'blah'.  Has this affected your retention much?  I'd suspect it would only decrease retention by 50% which we can afford but I'm more curious as to the system impact you've seen from the Concentrator getting busier to index a large field like a syslog message.

 

I'd love to hear about your experience.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.