2018-03-12 09:00 AM
I have a customer that wanted to add a custom device. We did that by creating a connector that connects to every server of the customer, retrieves the data and then sends those events via syslog to NetWitness. We put the IP of the device into every syslog event, and in the parser we also parse that IP as device.ip. When we see the parsed events we get two device.ip values... one for the server, and in the other we get the IP where the software runs (because it is the source of the syslog message)... Is there any way to stop NetWitness from adding the device.ip for certain IP sources?
Regards,
Max
2018-03-12 09:11 AM
Can you format the syslog with a header to indicate there was a relay involved (the scripting server)?
https://community.rsa.com/thread/193699
That way the scripting server ends up in forwarded.ip and the end host in device.ip?
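The split Eric describes (relay in forwarded.ip, originating server in device.ip) rests on the relay announcing itself in the syslog header so the decoder can keep the two addresses apart. The following Python is an added illustration, not code from this thread or from RSA: a collector-side builder that writes the origin server's IP into the RFC 5424 HOSTNAME field and marks the relay in a structured-data element, plus a receiver-side parser that maps the header host to device.ip and the transport peer to forwarded.ip. The structured-data element name (relay@32473) and the meta key names other than device.ip and forwarded.ip are assumptions for this example; the exact relay header NetWitness expects is in the linked community thread and is not reproduced here.

```python
# Added example, not part of the original thread or NetWitness itself.
# Shows the principle behind "relay in forwarded.ip, origin in device.ip":
# the relay declares itself in the header, and the receiver trusts the
# socket peer for forwarded.ip while taking device.ip from the header.
import re
from datetime import datetime, timezone

RELAY_IP = "10.0.0.50"    # constructed: host running the collector script
ORIGIN_IP = "10.0.1.23"   # constructed: customer server the data came from


def build_relayed_message(origin_ip, relay_ip, app, msg, ts=None):
    """Build one RFC 5424 syslog line for an event collected from origin_ip.

    HOSTNAME carries the origin server; the relay identifies itself in a
    structured-data element. The element name 'relay@32473' is an assumed
    convention (32473 is the enterprise number RFC 5424 reserves for examples).
    """
    ts = ts or datetime(2018, 3, 12, 9, 0, tzinfo=timezone.utc)
    stamp = ts.isoformat().replace("+00:00", "Z")
    pri = "<14>"  # facility user(1)*8 + severity informational(6)
    sd = f'[relay@32473 ip="{relay_ip}"]'
    return f"{pri}1 {stamp} {origin_ip} {app} - - {sd} {msg}"


# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
    r"(?P<sd>(?:\[[^\]]*\])+|-) (?P<msg>.*)$"
)
RELAY_SD_RE = re.compile(r'\[relay@32473 ip="([^"]+)"\]')


def parse_relayed(line, peer_ip):
    """Map one received line to NetWitness-style meta.

    peer_ip is the address the receiver actually got the datagram from, so it
    is the only value the receiver can trust. If the header announces a relay,
    the header host becomes device.ip and the peer becomes forwarded.ip;
    otherwise the peer itself is the device.
    """
    m = HEADER_RE.match(line)
    if not m:
        # Not RFC 5424: nothing in the payload is trustworthy, use transport only.
        return {"device.ip": peer_ip, "msg": line}
    meta = {"msg": m.group("msg")}
    relay = RELAY_SD_RE.search(m.group("sd"))
    if relay:
        meta["device.ip"] = m.group("host")     # origin server from the header
        meta["forwarded.ip"] = peer_ip          # relay, as seen on the wire
        meta["relay.claimed.ip"] = relay.group(1)  # assumed key: what the relay said it was
    else:
        meta["device.ip"] = peer_ip
        meta["device.host"] = m.group("host")
    return meta


if __name__ == "__main__":
    line = build_relayed_message(ORIGIN_IP, RELAY_IP, "nw-collector", "cpu=87")
    print(line)
    print(parse_relayed(line, RELAY_IP))
```

Keeping forwarded.ip bound to the socket peer rather than to anything inside the message matters for review later: if a relay's claimed address and the peer address disagree, the mismatch is visible in the meta instead of being silently overwritten.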
2018-03-12 09:44 AM
Thanks Eric! I will give it a try.
2018-03-13 05:50 AM
The forwarded.ip is the way to go. If you can't do this, you could change your custom parsing to use, e.g., event.computer or a custom client.device.ip for the second IP address.
2018-03-27 01:27 PM
Hi Eric, could you please post an example syslog message?