This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ODBC and device.ip

Anonymous
Not applicable

‎2017-03-05 06:31 AM

Dears,

 

I discovered a bug in parsing device.ip while using odbc collection.

 

 

if the database is returning an IP and this IP is mapped to saddr or daddr, then SA is mapping this ip to ip.src and device.ip, which is wrong, should be only mapped to ip.src while getting the device.ip from the odbc configuration.

if the database is not returning an IP, then the device.ip is correct. 

0 Likes
3 REPLIES 3

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-04-14 06:09 PM

If you feel this is a bug please open a support case with RSA Netwitness Support, via My RSA or support@rsa.com. Provide any sample logs where you see this happening along with details of the ODBC collection setup to include the parser being used for the event source. Once we have that information we can open a Content ticket to have the necessary parser adjusted.

JulianMacias
Beginner
Beginner

‎2017-06-20 11:30 AM

We had a similar issue when adding ePO. I found this on RSA's site. 

https://community.rsa.com/docs/DOC-47749 

 

We were getting thousands of log sources because each endpoint was being logged as an individual log source instead of only the database IP. 

Anonymous
Not applicable

‎2017-06-20 11:43 AM

Steps:
1. stop nwlogcollector
2. vi /etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml  then please restore the value  
[AnalyzerIPV4] as below[AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ),

3. remove the line below from the same file
<addressColumn>AnalyzerIPV4</addressColumn>
4. start nwlogcollector

Wait till service comes back again normally, then do an investigation for last 5 minutes, this should work. this is actually a known issue, and this is the solution for now (till an update is released).
© 2022 RSA Security LLC or its affiliates. All rights reserved.