NetWitness Community

RobertSadler · ‎2016-10-14

Hello,

I've been digging for a while and I'm unable to locate a way to display the full log in an email alert.

Is this even possible?

Thanks,

-Rob

SalSanshez · ‎2016-10-14

For ESA Alert?

RobertSadler · ‎2016-10-14

No ESA. Just standard alerting.

SalSanshez · ‎2016-10-14

Doesn't look like a simple way.

But what is the intention of mailing the alert with the log? Are you sending to another SIEM, ticket system?

RobertSadler · ‎2016-10-14

We're interested in some of the non-parsed data in many of the windows, SQL and Symantec logs. We could look into custom parsers but it would be easy enough to just grab the data out of the full log. Some of the teams we need to send alerts to don't have access to Netwitness so sending the data in alerts would be preferable. At some point we'll probably end up sending this data to Remedy Force for ticketing but that's still a ways away.

SalSanshez · ‎2016-10-14

Maybe you can use REST to pull logs on a regular basis? or NWSDK? Since you're not interested in the meta.

RobertSadler · ‎2016-10-17

It's not that I'm not interested in the meta, was just looking to see if it was easy to grab the entire log into an alert. If that's not possible, I'd guess that the meta is the next best / easiest thing to do. Honestly, I'm a bit surprised there's no way to get the raw log or reconstructed log as it is shown in Netwitness.

RaviKrishnanand · ‎2016-10-17

Hi Robert,

There is an simple way, you can get entire logs into an alert by using Meta key called "raw". Just populate that Meta in your alert.

RobertSadler · ‎2016-10-17

This is exactly what I was looking for! Thank you so much Ravi!

RobertSadler · ‎2016-10-17

Ravi, I was able to successfully send an alert using ${meta.raw}.

Thanks again!
-Rob

NetWitness Community

Full log payload in Alert