2014-03-04 05:10 AM
Hi,
I want to integrate my 3 event sources with RSA Security Analytics for the ODBC log collection,
the event sources are:
1 McAfee ePO 4.5
2 EMC Avamar
3 McAfee Vulnerability Management 7.5
Kindly share the Data Source Name details, i.e. what I need to mention in the DSN entries and which entries, so that on that basis I can create a DSN for each of the event sources.
Please also share the steps which I need to do on the event source side.
What steps do I need to go through for the integration of the above-mentioned event sources for ODBC?
Thanks to all in advance.
2014-03-04 07:08 AM
Hi,
All the configuration guides for event sources are within SCOL under the enVision > device configuration guides.
As for the DSNs - check on sa.docs.netwitness (specifically here).
Hope this helps.
Kind regards,
Patrick
2014-03-12 12:23 PM
sadocs never contains the complete information, like the SQL server; you need to download the required items from SCOL. Search for envision event source.
2014-03-13 09:51 AM
The problem with setting up ODBC connections in SA is the fact that every DB type has unique requirements when adding DSN value pairs. For instance, when setting up connections to Oracle 9i vs Oracle 11g, the value pairs required for each are:
9i                          11g
datasourcename=             datasourcesname=
servicename=                servicename=
hostname=                   hostname=
PortNumber or portnumber=   PortNumber=
driver=                     driver=
The differences can be so subtle it's nearly impossible to crack the code. When I set up the 2 connections above, I did 9i first and it worked just fine. When I did the same setup on 11g it failed every time because I didn't have portnumber as PortNumber. It actually took 2 developers about 4 hours to determine this was the problem. Also, when adding the DSNs to your event source type, I would refrain from adding an initial tracking ID unless you know the date/timestamp you want to start polling from. If you don't enter the tracking ID correctly, it will inject unknown commands into the SQL statement and it will not work.
I have been working on McAfee ePO 4.5_x myself for a few days now and still haven't been able to get it to work. If I figure out the DSN value pairs I will definitely let you know. Try taking a look at the sample ODBC.ini files in this DataDirect guide provided by RSA. The sample files should help you get on the right track....
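The case-sensitivity failure described in the post above, as an added example that is not part of the thread or of any RSA tooling: a small checker that compares DSN key spellings against an expected list and flags case-only mismatches. The expected keys are the 11g ones exactly as listed in the post; the ODBC.ini-style input format, the function name `check_dsn` and all sample values are assumptions constructed for illustration.

```python
import configparser

# Key spellings for the Oracle 11g DSN as listed in the post above (assumption:
# the list is complete and the collector matches key names case-sensitively).
EXPECTED_11G = ["datasourcesname", "servicename", "hostname", "PortNumber", "driver"]

# Constructed sample, not a real configuration: the port key is lower-case
# and the driver entry is missing.
SAMPLE = """
[oracle11g_example]
datasourcesname=EXAMPLE_DSN
servicename=EXAMPLE_SVC
hostname=db.example.invalid
portnumber=1521
"""

def check_dsn(text, expected):
    """Return {section: [finding, ...]} for keys that differ from `expected`."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case; the default lower-cases every key
    parser.read_string(text)
    by_folded = {k.lower(): k for k in expected}
    report = {}
    for section in parser.sections():
        present = list(parser[section].keys())
        present_folded = {p.lower() for p in present}
        findings = []
        for key in present:
            want = by_folded.get(key.lower())
            if want is None:
                findings.append(f"unexpected key '{key}'")
            elif want != key:
                # Same name, different case: the mistake the post describes.
                findings.append(f"case mismatch: '{key}' should be '{want}'")
        for key in expected:
            if key.lower() not in present_folded:
                findings.append(f"missing key '{key}'")
        report[section] = findings
    return report

if __name__ == "__main__":
    for section, findings in check_dsn(SAMPLE, EXPECTED_11G).items():
        for finding in findings:
            print(f"[{section}] {finding}")
```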
2014-03-14 02:58 PM
Hi JHerbst, thanks a lot for sharing this information. We will try it this way on our SA and let you know how it goes. Also, we had successfully integrated our McAfee ePO 4_5 (ePolicy virus and epolicy 4_5) for ODBC for syslogs and audit logs.
I will send you the parameters which we had added while creating the DSN for ePO.
Regards,
Deepanshu Sood.
2014-03-14 03:06 PM
Also, if you have any details of other ODBC DSNs, like EMC Avamar and McAfee Vulnerability Manager, then kindly share the parameters accordingly,
with the driver name to be used, the database server name which we need to add, etc.
Thanks in advance.
2014-03-14 06:07 PM
Hi,
In order to set up your ODBC connectivity through Security Analytics for Logs, please get into the administrative view for devices and then select the Log Collector device and then pull down and select Config.
Tab over to event sources and first select one from the following list of connection methods:
1) CheckPoint
2) File
3) ODBC
4) SDEE
5) SNMP
6) VMware
7) Windows
Once you select the appropriate option, you can then select the Config for the next drop down list.
If you then hit the + sign a list of available event source types will be made available.
Pick & choose the one appropriate to your particular needs.
2014-03-14 06:21 PM
That's great, but we're talking about ODBC connections. Not all those event sources are ODBC type connections. Additionally, before you can have an ODBC type of connection you must define the DSN in the Settings tab.
2014-03-14 06:26 PM
OK, sorry, must have missed that.
I have a bunch of these type connections to get working; so, I'll experiment a little next week.
I'll post any updates I get.
Thanks,
John
2014-03-14 07:10 PM
Hi JHerbst, et al.,
I found these docs:
I hope these links help.
Thanks & Regards,
John