2020-07-10 01:38 PM
Where is the mapping defined between NetWitness and syslog messages? For example if I want to see a failed ssh login on a RedHat system I could look for the following in /var/log/messages:
# type=USER_AUTH
# $msg contains the following: 'op=PAM' exe="/usr/sbin/sshd" res=failed
# acct=username can identify who performed the ssh (root)
What information is used from the syslog to populate alert.id, event.desc etc?
Also, is there a list of all possible values of alert.id?
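The check Ray describes (USER_AUTH records whose nested msg carries op=PAM, exe="/usr/sbin/sshd" and res=failed, with acct naming the account) can be written as a small parser plus a filter. This is an added example, not code from the thread or from NetWitness: it parses RHEL-style audit key=value records, including the quoted inner msg='...' list, and returns the failed ssh authentications. The sample lines are constructed in that format.

```python
import re

# Constructed RHEL-style audit records (not taken from the thread). The USER_AUTH
# record carries a nested msg='...' key=value list, as described above.
SAMPLE_AUDIT_LINES = [
    "type=USER_AUTH msg=audit(1594400000.123:456): pid=22684 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication grantors=? acct=\"root\" exe=\"/usr/sbin/sshd\" "
    "hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'",
    "type=USER_AUTH msg=audit(1594400005.000:457): pid=22690 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication grantors=pam_unix acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'",
    "type=USER_AUTH msg=audit(1594400010.500:458): pid=22701 uid=1000 auid=1000 ses=3 "
    "msg='op=PAM:authentication grantors=? acct=\"root\" exe=\"/usr/bin/su\" "
    "hostname=? addr=? terminal=pts/0 res=failed'",
]

# key=value tokens; a value is single-quoted, double-quoted, or a bare word.
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# The msg=audit(<epoch>:<serial>) prefix is not a plain key=value pair.
_AUDIT_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_kv(text):
    """Parse one key=value list into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in _KV.findall(text):
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_audit_line(line):
    """Flatten an audit record, merging the nested msg='...' list into it."""
    fields = parse_kv(line)
    m = _AUDIT_ID.search(line)
    if m:
        fields["audit_time"], fields["audit_serial"] = m.group(1), m.group(2)
    nested = fields.get("msg", "")
    if "=" in nested:  # the quoted inner list, not the audit(...) prefix
        fields.update(parse_kv(nested))
        del fields["msg"]
    return fields


def is_failed_ssh_auth(fields):
    """Ray's criteria: USER_AUTH, PAM operation, sshd as the exe, result failed."""
    return (fields.get("type") == "USER_AUTH"
            and fields.get("op", "").startswith("PAM")
            and fields.get("exe") == "/usr/sbin/sshd"
            and fields.get("res") == "failed")


def failed_ssh_logins(lines):
    """Return the account, source address and audit serial of each failed ssh login."""
    hits = []
    for line in lines:
        fields = parse_audit_line(line)
        if is_failed_ssh_auth(fields):
            hits.append({"acct": fields.get("acct"),
                         "addr": fields.get("addr"),
                         "audit_serial": fields.get("audit_serial")})
    return hits


if __name__ == "__main__":
    for hit in failed_ssh_logins(SAMPLE_AUDIT_LINES):
        print(hit)
```

The su failure in the third sample line is deliberately excluded by the exe check, which is why matching on res=failed alone would over-report: the exe and op fields are what tie the failure to sshd.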
2020-07-10 01:55 PM
Ray
There are parsers involved which normalize the data
These parsers are located in /etc/netwitness/ng/envision/etc/devices
For example with a Redhat failed login -> Jul 10 17:44:18 NW-HU unix_chkpwd[22684]: password check failed for user (root)
Using the RedHat parser line matching the log message ->
functions="<@hostname:*HDR(hhost)><@ec_theme:Authentication><@ec_subject:User><@ec_outcome:Failure><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)><@event_description:could not identify user from getpwnam>"
content="<agent>[<process_id>]: could not identify user (from getpwnam(<username>)"
From here we can see how the data is being parsed from raw into meta in addition to the enrichments that are added.
In addition to the log parser there are Application Rules that will add info to meta about the log message.
Dave
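To make the mechanism Dave describes concrete, here is an added example (not NetWitness code and not from the thread) of how a content template with <name> placeholders turns a raw syslog body into meta, and how the <@key:value> entries in the functions string add the ec_theme, ec_subject, ec_outcome and event_description enrichments. The parser line quoted above is used as-is; the second template, for the unix_chkpwd message, is constructed for this example, and the handling of *HDR(hhost) and *PARMVAL($MSG) is this example's own interpretation (header hostname and full message body), not documented NetWitness behaviour.

```python
import re

# Syslog header: timestamp, host, then the message body the content template sees.
SYSLOG_HDR = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hhost>\S+) (?P<body>.*)$")
FUNC_ENTRY = re.compile(r"<@([^:>]*):([^>]*)>")   # <@key:value> entries in functions=
PLACEHOLDER = re.compile(r"<(\w+)>")               # <name> captures in content=

# Two parser lines. The first is the RedHat parser line quoted in the thread; the
# second is constructed here for the unix_chkpwd message (assumption, not a real line).
PARSER_LINES = [
    {"functions": "<@hostname:*HDR(hhost)><@ec_theme:Authentication><@ec_subject:User>"
                  "<@ec_outcome:Failure><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)>"
                  "<@event_description:could not identify user from getpwnam>",
     "content": "<agent>[<process_id>]: could not identify user (from getpwnam(<username>)"},
    {"functions": "<@hostname:*HDR(hhost)><@ec_theme:Authentication><@ec_subject:User>"
                  "<@ec_outcome:Failure><@msg:*PARMVAL($MSG)>"
                  "<@event_description:password check failed>",
     "content": "<agent>[<process_id>]: password check failed for user (<username>)"},
]


def content_to_regex(content):
    """Turn a content template into a regex: literals escaped, <name> -> named group."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(content):
        if m.start() > pos:
            parts.append(re.escape(content[pos:m.start()]))
        parts.append("(?P<%s>.+?)" % m.group(1))
        pos = m.end()
    if pos < len(content):
        parts.append(re.escape(content[pos:]))
    elif parts:
        parts[-1] = parts[-1].replace(".+?", ".+")  # trailing placeholder takes the rest
    return re.compile("^" + "".join(parts))          # prefix match, as the quoted template has no end anchor


def apply_functions(functions, header, body, meta):
    """Add static enrichments; model only the two *built-ins seen in the thread."""
    for key, value in FUNC_ENTRY.findall(functions):
        if not key:
            continue                        # <@:*SYSVAL(...)> has no target key here
        if value == "*HDR(hhost)":          # assumption: hostname from the syslog header
            meta[key] = header["hhost"]
        elif value == "*PARMVAL($MSG)":     # assumption: the whole message body
            meta[key] = body
        elif not value.startswith("*"):
            meta[key] = value               # literal enrichment such as ec_outcome
    return meta


COMPILED = [(p, content_to_regex(p["content"])) for p in PARSER_LINES]


def normalize(line):
    """Return the meta dict for the first parser line whose content matches, else None."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    header, body = hdr.groupdict(), hdr.group("body")
    for parser, regex in COMPILED:
        m = regex.match(body)
        if m:
            meta = dict(m.groupdict())
            meta["event_time"] = header["timestamp"]
            return apply_functions(parser["functions"], header, body, meta)
    return None


# Constructed sample lines; the first is the one quoted in the thread.
SAMPLE_LINES = [
    "Jul 10 17:44:18 NW-HU unix_chkpwd[22684]: password check failed for user (root)",
    "Jul 10 17:45:02 NW-HU sshd[22690]: could not identify user (from getpwnam(nobody))",
    "Jul 10 17:46:00 NW-HU sshd[22700]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```

The third line has no matching content template and yields None, which is the case to watch for in practice: a message that no parser line covers produces no ec_* meta, so an application rule keyed on ec_outcome would never see it.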