2015-08-06 02:19 PM
Hello,
Does anyone know of a way RSA SA would be able to create a list of hostnames or IPs of machines that are sending logs?
I have made a change to 100 Unix machines and want to be sure all 100 machines are sending logs to SA, so, instead of searching each one in SA one by one, is there a way I can have a list generated which would display all of the IPs or host names in a single report?
I just want to verify that all Unix machines are logging to SA. But I also don't want to query each machine manually one by one.
Thanks.
2015-08-07 09:01 AM
Check the Event Source Monitoring View - RSA Security Analytics Documentation
Also available with the REST API: https://<log-decoder>:50102/decoder?msg=logStats
2015-08-10 02:08 PM
I'd create a report, summarize by Event Count and select only device.ip then group by device.ip. You can narrow down your search by adding to the where clause.
This report should give you all the devices that are reporting to SA and tell how many logs per device IP. If the device isn't logging to SA then the IP will not display on this report. I actually have this run as a report each morning. I'll explain.
In our setup we have 6 VLCs that report to the LC exclusively. So my morning report shows how many logs are being sent to the LC (all the VLCs combined) as well as how many logs each VLC collects. From there, I have a list of the VLCs and all the IPs ordered by log count. For example...
Total logs: 30,000,000
Device Name : Log Count
VLC 1: 5,000,000
VLC 2: 5,000,000
VLC 3: 5,000,000
VLC 4: 5,000,000
VLC 5: 5,000,000
VLC 6: 5,000,000
VLC1 -
IP address 1 : 1,000,000
IP address 2 : 1,000,000
IP address 3 : 1,000,000
VLC2 -
IP address 1 : 1,000,000
IP address 2 : 1,000,000
IP address 3 : 1,000,000
You probably get the point. I find this to be a pretty useful report.
Hope this helps.
-Rob
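The report Rob describes lists every device.ip that is logging, but the original question is really about the hosts that are not. Below is an added example (not code from this thread, nor an RSA tool) that takes a CSV export of such a report, groups event counts by device.ip, and reconciles them against an inventory of the hosts that were changed, so silent and low-volume hosts stand out. The CSV column names, the sample rows and the host inventory are all constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for a CSV export of a "group by device.ip" report.
# Column names are an assumption; adjust parse_report() to match a real export.
SAMPLE_CSV = """device.ip,Event Count
10.10.1.11,1000000
10.10.1.12,1000000
10.10.1.13,3
10.10.2.50,4200
"""

# Constructed inventory: the hosts that were changed and are expected to log.
EXPECTED_HOSTS = {
    "unix-app-01": "10.10.1.11",
    "unix-app-02": "10.10.1.12",
    "unix-db-01": "10.10.1.13",
    "unix-db-02": "10.10.1.14",
}


def parse_report(csv_text, ip_column="device.ip", count_column="Event Count"):
    """Sum event counts per device.ip from the exported report text.

    Using a Counter means a report with several rows per IP (for example,
    one per VLC) is collapsed into a single total for that IP.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row[ip_column].strip()
        # Exports sometimes format large counts with thousands separators.
        counts[ip] += int(row[count_column].replace(",", ""))
    return counts


def reconcile(expected, counts, min_events=1):
    """Split the expected hosts into reporting, low-volume and silent.

    Hosts below min_events are flagged separately: a host that logged only a
    handful of events since a change is usually worth a look as well.
    Also return IPs that appear in the report but not in the inventory.
    """
    reporting, low, silent = {}, {}, {}
    for host, ip in expected.items():
        n = counts.get(ip, 0)
        if n == 0:
            silent[host] = ip
        elif n < min_events:
            low[host] = (ip, n)
        else:
            reporting[host] = (ip, n)
    known_ips = set(expected.values())
    unexpected = {ip: n for ip, n in counts.items() if ip not in known_ips}
    return {"reporting": reporting, "low": low, "silent": silent,
            "unexpected": unexpected}


if __name__ == "__main__":
    result = reconcile(EXPECTED_HOSTS, parse_report(SAMPLE_CSV), min_events=100)
    for host, (ip, n) in sorted(result["reporting"].items()):
        print(f"OK      {host:<14} {ip:<15} {n:>10,}")
    for host, (ip, n) in sorted(result["low"].items()):
        print(f"LOW     {host:<14} {ip:<15} {n:>10,}")
    for host, ip in sorted(result["silent"].items()):
        print(f"SILENT  {host:<14} {ip:<15} {'0':>10}")
    for ip, n in sorted(result["unexpected"].items()):
        print(f"UNKNOWN {'(not in inventory)':<14} {ip:<15} {n:>10,}")
```

Run it against the real export by replacing SAMPLE_CSV with the file contents and EXPECTED_HOSTS with the list of hosts you changed; the SILENT and LOW lines are the machines to go and look at, and UNKNOWN rows are worth checking against the inventory too.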
2015-08-17 07:47 AM
The LogStats tab (Admin->Devices->Log Decoder, Stats View) is another useful place to check.
Andy
2015-08-17 03:13 PM
Thank you very much everyone for your help.
I really appreciate it a lot.
What worked for me the best was what Yohann posted above.
The document posted actually lets you pick the event source, and then allows you to export it as a CSV file.
So, this is going to really help when it comes down to auditing to see which machines are sending logs to SA.
Thanks again for all the help!