ODBC and device.ip
2017-03-05 06:31 AM
Dears,
I discovered a bug in parsing device.ip while using ODBC collection.
If the database returns an IP and this IP is mapped to saddr or daddr, then SA maps this IP to both ip.src and device.ip, which is wrong; it should be mapped only to ip.src, while device.ip is taken from the ODBC configuration.
If the database does not return an IP, then device.ip is correct.
2017-04-14 06:09 PM
If you feel this is a bug please open a support case with RSA Netwitness Support, via My RSA or support@rsa.com. Provide any sample logs where you see this happening along with details of the ODBC collection setup to include the parser being used for the event source. Once we have that information we can open a Content ticket to have the necessary parser adjusted.
2017-06-20 11:30 AM
We had a similar issue when adding ePO. I found this on RSA's site.
https://community.rsa.com/docs/DOC-47749
We were getting thousands of log sources because each endpoint was being logged as an individual log source instead of only the database IP.
2017-06-20 11:43 AM
2. vi /etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml, then restore the value of [AnalyzerIPV4] as below:
[AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ),
3. Remove the line below from the same file:
<addressColumn>AnalyzerIPV4</addressColumn>
4. Start nwlogcollector.
Wait until the service comes back normally, then run an Investigation for the last 5 minutes; this should work. This is actually a known issue, and this is the solution for now (until an update is released).