This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How can I tell if a specific log events are making it into SA? As an example CyberArk

Go to solution
JohnTyson1
Beginner
Beginner

‎2016-03-14 12:15 PM

The customer team has prepped the Cyber Ark server and added the required xsl files according to the attached config guide.  I have ensured that the decoder is capturing and the  service parser is enabled.  I want to ensure that the logs are truly being ingested and an analyst could see the logs.  How can I definitively identify the forwarded CyberArk event sources are in SA?

 

Thank you for your assistance!

Preview file
163 KB
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
huanzhou1
Beginner
Beginner

‎2016-03-14 11:24 PM

do a query of the device ip see whether you can find any, or you can do tcpdump see whether the logs is sending over.

View solution in original post

4 REPLIES 4

Go to solution
huanzhou1
Beginner
Beginner

‎2016-03-14 11:24 PM

do a query of the device ip see whether you can find any, or you can do tcpdump see whether the logs is sending over.

Go to solution
EricPartington
Employee
Employee

‎2016-03-15 10:42 AM

depending on your SA version you can also use the health and wellness section of SA (Admin > Health and Wellness > Event source monitoring) to locate the IP and potential device type of the cyberark logs.

 

you can select the log decoder you are pointing at, the remote collector (VLC) if you are using one and the device.type if the messages are parsed properly.  Make sure you have the updated parser subscribed and deployed from RSA Live as well as make sure its enabled on the log decoder.

Go to solution
JohnTyson1
Beginner
Beginner

‎2016-03-15 03:36 PM

Thanks for the guidance guys, I have tried all of the steps provided and It seems like a network issue.  Wish I could mark both as correct, because they both provided insight into T/S the issue.  

0 Likes

Go to solution
JohnTyson1
Beginner
Beginner

‎2016-05-13 01:50 PM

If you have found your way here, then you may find this link helpful.  I know that I did, and it pertains to the underlying question that I had about adding event types.

https://community.rsa.com/message/870240

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.