This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Is possible to remove device.ip?

MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2018-03-12 09:00 AM

I have a customer that wanted to add a custom device. We done that by creating a a conector that connects to every server of the customer, retrieve the data and then sends that events via syslog to Netwitness. We put into every syslog event the ip of the device and in the parser we also parse that IP as device.ip. When we see the parsed events we got two device.ip.... one for the server and in the other we got the IP where the software runs (because is the source of the syslog message)... Is there any way to avoid netwitness to add the device.ip from certain IP sources?

 

Regards,

Max

0 Likes
4 REPLIES 4

EricPartington
Employee
Employee

‎2018-03-12 09:11 AM

can you format the syslog with a header to indicate there was a relay involved (the scripting server)?

 

https://community.rsa.com/thread/193699

 

that way the scripting server ends up in forwarded.ip and the end host in device.ip?

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to EricPartington

‎2018-03-12 09:44 AM

Thanks Eric! I will give it a try.

0 Likes

Anonymous
Not applicable

‎2018-03-13 05:50 AM

The forwarded.ip is the way to go.  If you can't do this, you could change your custom parsing to use, e.g., event.computer or a customer client.device.ip for the second IP address.

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to EricPartington

‎2018-03-27 01:27 PM

Hi Eric, could you please post an example syslog message? 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.