This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Linux syslog and msg.id

RSAAdmin
Beginner
Beginner

‎2014-10-30 02:00 PM

Where does Security Analytics get the msg.id from a Linux syslog.

 

Here is an example:

sessionid    =    758292139
time    =    2014-10-30T13:38:01.0
size    =    130
device.ip    =   

medium    =    32
device.type    =   

device.class    =   

header.id    =    "0016"
client    =   

user.dst    =   

username.grp.alt    =   

username.grp.alt    =   

action    =   

alias.host    =   

level    =    6
msg.id    =   

event.cat.name    =   

 

Is msg.id "00091" coming from the syslog event? 

 

 

Here is the raw log:

Oct 30 17:38:01 log-vlc1 CROND[10436]: (root) CMD (/etc/netwitness/ng/logcollector/lctwin)

 

Is there a chart or reference of these message IDs?

0 Likes
4 REPLIES 4

RSAAdmin
Beginner
Beginner

‎2014-10-30 02:29 PM

In this case msg.id is not coming from raw log. It is defined in content definition

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-10-30 02:32 PM

Where may I look to explore the content definition of these types of events?

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-10-30 02:51 PM

You need to access actual file : <log decoder>/etc/netwitness/ng/envision/etc/devices/rhlinux/v20_rhlinuxmsg.xml

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-10-30 03:16 PM

Thanks!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.