2016-11-10 06:48 AM
Hello!
I'm helping a customer now to migrate from RSA enVision to RSA SA. He wants to do minimum work during this process and to save all previous configuration. On RSA enVision we are getting logs from ArcSight Connector through syslog in CEF format and all works well. But for RSA SA this is "Unidentified content". How can we manage it?
ArcSight SmartConnector can't send logs in the proper (for RSA SA) format.
Also we are trying to send these logs to Virtual Remote Collector, if it matters.
2016-11-10 11:17 AM
What version of NetWitness are you using?
Is the Common Event Format (CEF) parser enabled and installed on the log decoders?
Can you provide a sample format of the logs that are being sent from the ArcSight connector?
2016-11-11 05:34 AM
Hello, Eric!
I have 10.6 RSA SA. CEF is enabled and installed, but I get an error at the stage of receiving syslog, like in this case:
000016890 - CyberArk Syslog messages display as 'unidentified content' in RSA Security Analytics
I have the standard format of CEF, like:
CEF:0|Mirosoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4768|A Kerberos authentication ticket (TGT) was requested |Low| eventId=17271719 externalId=4768 msg=Certificate information is only provided if a certificate was used for pre-authentication types, ticket options, encription types and result codes are defined in RFC 4120 categorySignificance=/Informational/Warning categoryBehavior=/Authentication/Verify categoryDeviceGroup=/Operating System and so on.
I understand that the problem is that there is no RFC format. But enVision works with it correctly; maybe there is a way to make RSA SA work with it as well.
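Added example (editor's code, not from this thread, from RSA or from ArcSight): a small parser that checks whether a line arrives as bare CEF or wrapped in an RFC 3164/5424 syslog header (PRI, timestamp, hostname), which is the difference the thread turns on, and that then splits the CEF header and extension using the escaping rules of the ArcSight CEF specification (`\|` and `\\` in header fields; `\=`, `\\`, `\n`, `\r` in extension values). The sample lines are constructed from the message quoted above; the hostname, PRI value and the relay that would prepend the header are assumptions, and the exact header requirements of the RSA SA CEF parser are not taken from the page.

```python
"""Detect a missing syslog header in front of a CEF message and parse the CEF
header/extension with the escaping rules from the ArcSight CEF specification."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample modelled on the message quoted in the thread (not real traffic).
RAW_CEF = (
    "CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4768|"
    "A Kerberos authentication ticket (TGT) was requested |Low| eventId=17271719 "
    "externalId=4768 msg=Certificate information is only provided if a certificate "
    "was used categorySignificance=/Informational/Warning"
)
# The same event as an assumed syslog relay would forward it, with PRI, BSD
# timestamp and hostname in front. Hostname and PRI are made up for the example.
WRAPPED_CEF = "<134>Nov 11 05:34:00 arcsight-conn01 " + RAW_CEF

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG ; RFC 5424: <PRI>1 TS HOST APP PROCID MSGID SD MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$", re.DOTALL)
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # "key=" at start or after whitespace

@dataclass
class CefEvent:
    syslog_pri: Optional[int]
    syslog_host: Optional[str]
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extensions: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)

def _split_header(body: str):
    """Return the 7 pipe-delimited header fields and the raw extension text.
    Header fields escape '|' as '\\|' and '\\' as '\\\\'."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped pipe or backslash
            buf.append(body[i + 1]); i += 2
            continue
        if c == "|":
            fields.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, body[i:]

def _unescape_ext(value: str) -> str:
    # Extension values escape '=' and '\', and encode line breaks as \n / \r.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces, so each value runs up to the next 'key=' token."""
    out, keys = {}, list(EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end]).strip()
    return out

def parse_line(line: str) -> CefEvent:
    """Parse one line and record whether a syslog header preceded the CEF payload."""
    pri = host = None
    warnings: List[str] = []
    m = RFC5424.match(line) or RFC3164.match(line)
    if m:
        pri, host, body = int(m.group("pri")), m.group("host"), m.group("msg")
    else:
        body = line
        warnings.append("no RFC 3164/5424 syslog header (bare CEF): a parser that "
                        "keys on header and hostname will treat this as unidentified")
    body = body.lstrip()
    if not body.startswith("CEF:"):
        raise ValueError("not a CEF message")
    f, ext = _split_header(body)
    return CefEvent(pri, host, f[0][len("CEF:"):], f[1], f[2], f[3], f[4], f[5], f[6],
                    _parse_extension(ext), warnings)

def wrap_rfc3164(cef: str, hostname: str, when: datetime,
                 facility: int = 16, severity: int = 6) -> str:
    """Build the RFC 3164 header an assumed relay would prepend (default local0.info, PRI 134)."""
    return f"<{facility * 8 + severity}>{when:%b} {when.day:2d} {when:%H:%M:%S} {hostname} {cef}"

if __name__ == "__main__":
    for line in (RAW_CEF, WRAPPED_CEF):
        ev = parse_line(line)
        print(ev.syslog_host, ev.signature_id, ev.extensions["externalId"], ev.warnings)
```

Running the block prints the bare line with a warning and no hostname, and the wrapped line with the hostname and no warning; `wrap_rfc3164` shows the header shape a relay in front of the collector would need to add when the connector itself cannot emit one.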
2016-11-11 08:07 AM
Have you implemented the two files at the bottom of that post to set the proper RFC?
The CEF parser in SA requires a specific format of header and hostname for the messages to parse. It looks like the additional two files will be able to set those parameters on the collector so that the messages are properly formatted for RSA NW/SA.
If that doesn’t work, please open a support case and RSA support will assist you with this.
Eric
2016-11-11 11:21 AM
Eric, as I can see, the author of this post suggests changing the CyberArk config, not the RSA Collector. And I have no such variables on my ArcSight Collector. I will open a support case.