Full log payload in Alert
2016-10-14 03:25 PM
Hello,
I've been digging for a while and I'm unable to locate a way to display the full log in an email alert.
Is this even possible?
Thanks,
-Rob
2016-10-14 05:33 PM
For ESA Alert?
2016-10-14 05:35 PM
No ESA. Just standard alerting.
2016-10-14 07:02 PM
Doesn't look like a simple way.
But what is the intention of mailing the alert with the log? Are you sending to another SIEM, ticket system?
2016-10-14 07:24 PM
We're interested in some of the non-parsed data in many of the Windows, SQL and Symantec logs. We could look into custom parsers, but it would be easy enough to just grab the data out of the full log. Some of the teams we need to send alerts to don't have access to Netwitness, so sending the data in alerts would be preferable. At some point we'll probably end up sending this data to Remedy Force for ticketing, but that's still a ways away.
2016-10-14 08:17 PM
Maybe you can use REST to pull logs on a regular basis? Or NWSDK? Since you're not interested in the meta.
2016-10-17 09:59 AM
It's not that I'm not interested in the meta; I was just looking to see if it was easy to grab the entire log into an alert. If that's not possible, I'd guess that the meta is the next best / easiest thing to do. Honestly, I'm a bit surprised there's no way to get the raw log or reconstructed log as it is shown in Netwitness.
2016-10-17 10:58 AM
Hi Robert,
There is a simple way: you can get entire logs into an alert by using the Meta key called "raw". Just populate that Meta in your alert.
2016-10-17 11:16 AM
This is exactly what I was looking for! Thank you so much Ravi!
2016-10-17 11:39 AM
Ravi, I was able to successfully send an alert using ${meta.raw}.
Thanks again!
-Rob