This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ODBC Customized

RSAAdmin
Beginner
Beginner

‎2015-01-23 10:46 PM

Hi guys,

 

I think it is my first post at this forum, I am learning many things here, I hope someone can help me.

 

So, I have an ODBC configured in Envision as Figure 1 in attachment, I need to configure these settings "Data query" and "Max tracking query" in Security Analytics but I dont know how to do it. Maybe it must be done in ODBC > Config as Figures 2 and 3 in attachment but I have no idea how to do it.

 

Could someone help me?

 

Regards.

Preview file
27 KB
Preview file
34 KB
Preview file
261 KB
0 Likes
9 REPLIES 9

RSAAdmin
Beginner
Beginner

‎2015-01-24 05:14 PM

Hi guys,

 

I figured out how to configure it, if someone is interested look at "Custom Content Typespec for Log Collector.pdf".

 

Regards.

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-01-28 09:25 PM

Hi, Thanks! am looking for this, say for i have ePolicy logs i want to query only for specific category of logs instead of collecting all from the default query template.

 

I found this, see this also refer to the same

Create Custom Content Typespec for ODBC Collection - RSA Security Analytics Documentation

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-01-30 10:28 AM

Yes, is that.

0 Likes

RSAAdmin
Beginner
Beginner

‎2015-02-08 05:35 PM

Hi all,

 

I configured a custom ODBC Type, it seems to be working fine, in log messages I see the message below:

 

"Feb  3 14:01:39 NWSECURITY nw[29143]: [OdbcCollection] [info] [odbc:WrkUnit[2]:29179] [publishEvents:489] [Log_Corporativo.Log_Corporativo] [processing] [Log_Corporativo] [processing] Published 46 ODBC events: last tracking id: 4186121"

 

But the logs are not showed on the Investigation Tab.

 

Anyone can help me?

 

Regards.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2015-02-09 04:36 PM

I've been asking around to see if anyone can help and got this response "I need to see his odbc.xml file spec. It might be something very simple, but that file will tell me what I need to know". Let us know if you can share that on the Community or if you prefer emailing directly.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-02-10 02:25 PM

Hi Seth, thank you for your attention.

 

Follow in attachment the XML file.

 

I have changed the variables but I think that is not important.

 

If you need the original file, let me know where I can send you.

 

Regards.

Preview file
2 KB
0 Likes

RSAAdmin
Beginner
Beginner

‎2015-02-21 02:14 PM

Anyone can help me?

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2015-02-25 01:53 AM

This usually happens when you have no parsers to process the customized logs.  Check whether you have device.type='unknown' with the device.ip of the custom odbc server.

 

This means that your parser is not working.

 

Hope that helps.

 

Cheers,

0 Likes

RSAAdmin
Beginner
Beginner

‎2015-02-26 10:14 PM

Rnubile_eng

 

Did you get this working?  If Not I can give you a hand.  I was the one that was asking Seth for your xml files

 

I looked at your XML file and it looks ok

 

Dave

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.