2014-03-04 05:10 AM
Hi,
I want to integrate my 3 event sources with RSA Security Analytics for ODBC log collection,
the event sources are:
1 McAfee ePO 4.5
2 EMC Avamar
3 McAfee Vulnerability Management 7.5
Kindly share the Data Source Name details, like what I need to mention in the DSN entries, which entries, so that on that basis I can create a DSN for the event sources.
And also share the steps which I need to do on the event source side.
What steps do I need to go through for the integration of the above mentioned event sources for ODBC?
Thanks to all in advance.
2014-03-20 05:29 AM
Hi,
Adding a new ODBC source is pretty simple.
DSN definitions differ only in the driver used, depending on the target database.
For example, my McAfee ePO has these DSN settings:
==========
Driver = /opt/netwitness/odbc/lib/R3sqls26.so - MSSQL driver
Database = MCAFEE_EPO - DB name
PortNumber = 1433 - Port on which is DB listening for incoming connections
HostName = 10.10.10.10 - IP/hostname of DB machine
==========
Then - if the device is not supported for ODBC collection by default - you need to create an ODBC definition (example is attached) which you need to place in "/etc/netwitness/ng/logcollection/content/collection/odbc/" and set permissions (maybe it's not necessary):
"sudo chown root:root odbc_example.xml
sudo chmod 775 odbc_example.xml"
Then you are ready to connect to database.
You will need just right parser and set user in ODBC config and on DB side.
On the Database side you just create user with reading permissions to concrete DB and you are done.
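The "user with reading permissions to the concrete DB" step above, written out as T-SQL. This is an added example, not something posted in the thread: the database name MCAFEE_EPO comes from the DSN in the reply, while the login name sa_logcollector and the password placeholder are my own assumptions. The idea is that the collector account can read that one database and nothing else, and that you verify this rather than assume it.

```sql
-- Added example (not from the thread): a least-privilege SQL Server account
-- for the Security Analytics ODBC collector. MCAFEE_EPO is the database
-- name from the DSN above; the login name and password are assumptions.
USE [master];
GO
-- A dedicated login per collector keeps its activity distinguishable in the
-- SQL Server error log and audit. Replace the placeholder before running.
CREATE LOGIN [sa_logcollector]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
GO

USE [MCAFEE_EPO];
GO
-- Map the login into this one database only and give it SELECT through the
-- fixed db_datareader role. No user is created in any other database, so
-- the collector cannot even connect to them.
CREATE USER [sa_logcollector] FOR LOGIN [sa_logcollector];
-- sp_addrolemember works on SQL Server 2005/2008 (the ePO 4.5 era);
-- on 2012 and later you can use ALTER ROLE db_datareader ADD MEMBER instead.
EXEC sp_addrolemember N'db_datareader', N'sa_logcollector';
GO

-- Verify the result: reader yes, writer/owner no. Expected output is 1, 0, 0.
SELECT IS_ROLEMEMBER(N'db_datareader', N'sa_logcollector') AS is_reader,
       IS_ROLEMEMBER(N'db_datawriter', N'sa_logcollector') AS is_writer,
       IS_ROLEMEMBER(N'db_owner',      N'sa_logcollector') AS is_owner;
GO
```

The login and password you create here are what go into the ODBC configuration on the Log Collector side; the DSN itself (driver, database, port, host) stays exactly as in the block above.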
2014-03-20 08:26 AM
Does anybody receive messages from Microsoft WSUS? I always receive an error like this:
[mswsus.SUSDB] [processing] [SUSDB] Data query failed; dataQuery: select Ei.Timeatserver,Ei.EventID, case when (Em.messageTemplate not like '%1%' and Em.messageTemplate not like '%2%' ) then Em.messageTemplate when (Em.messageTemplate like '%1%' and Em.messageTemplate like '%2%' and Ei.replacementStrings is not null) then replace (replace(Em.messageTemplate,'%1',cast(Ei.replacementStrings as xml).value('/ArrayOfString[1]/string[1]','nvarchar(160)')), '%2',cast(Ei.replacementStrings as xml).value('/ArrayOfString[1]/string[2]','nvarchar(160)')) when(Em.messageTemplate like '%1%' and Em.messageTemplate not like '%2%' and Ei.replacementStrings is not null) then replace(Em.messageTemplate,'%1',cast(Ei.replacementStrings as xml).value('/ArrayOfString[1]/string[1]','nvarchar(160)')) end as MessageDiscription,Ei.Appname,Et.IPAddress, Et.FullDomainName,Ev.DefaultTitle,Ev.CreationDate From tbEventInstance as Ei LEFT OUTER JOIN tbEventMessageTemplate as Em ON Ei.EventID=Em.EventID LEFT OUTER JOIN tbcomputerTarget as Et ON Ei.ComputerID=Et.ComputerID LEFT OUTER JOIN PUBLIC_VIEWS.vUpdate as Ev ON Ei.UpdateID=Ev.UpdateID where Ei.EventID=Em.EventID and ((Em.messageTemplate like '%1%' and Ei.replacementStrings is not null) or (Em.messageTemplate not like '%1%' and Em.messageTemplate not like '%2%')) and Ei.TimeAtServer > '2014-03-20 11:41:15.130' ORDER by Ei.TimeAtServer ASC
[mswsus.SUSDB] [processing] [SUSDB] Error finding any new events. Reason: Unable to execute statement: Statement: "select Ei.Timeatserver,Ei.EventID, case when (Em.messageTemplate not like '%1%' and Em.messageTemplate not like '%2%' ) then Em.messageTemplate when (Em.messageTemplate like '%1%' and Em.messageTemplate like '%2%' and Ei.replacementStrings is not null) then replace (replace(Em.messageTemplate,'%1',cast(Ei.replacementStrings as xml).value('/ArrayOfString[1]/string[1]','nvarchar(160)')), '%2',cast(Ei.replacementStrings as xml).value('/ArrayOfString[1]/string[2]','nvarchar(160)')) when(Em.messageTemplate like '%1%' and Em.messageTemplate not like '%2%' and Ei.replacementStrings is not null) then replace(Em.messageTemplate,'%1',cast(Ei.replacementStrings as xml).value('/ArrayOfString[1]/string[1]','nvarchar(160)')) end as MessageDiscription,Ei.Appname,Et.IPAddress, Et.FullDomainName,Ev.DefaultTitle,Ev.CreationDate From tbEventInstance as Ei LEFT OUTER JOIN tbEventMessageTemplate as Em ON Ei.EventID=Em.EventID LEFT OUTER JOIN tbcomputerTarget as Et ON Ei.ComputerID=Et.ComputerID LEFT OUTER JOIN PUBLIC_VIEWS.vUpdate as Ev ON Ei.UpdateID=Ev.UpdateID where Ei.EventID=Em.EventID and ((Em.messageTemplate like '%1%' and Ei.replacementStrings is not null) or (Em.messageTemplate not like '%1%' and Em.messageTemplate not like '%2%')) and Ei.TimeAtServer > '2014-03-20 11:41:15.130' ORDER by Ei.TimeAtServer ASC"; Reason: state: S1000; error-code: 139715286140814; description: [RSA][ODBC SQL Server Wire Protocol driver][Microsoft SQL Server]SELECT failed because the following SET options have incorrect settings: 'QUOTED_IDENTIFIER'. Verify that SET options are correct for use with indexed views and/or indexes on computed column
RSA enVision correctly receives events from Microsoft WSUS...
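The error in the log above is SQL Server's message 1934, and the part of the query that triggers it is the xml .value() method used to expand %1 and %2 from replacementStrings: xml data type methods require SET QUOTED_IDENTIFIER ON in the session or batch that runs them, and the collector's connection evidently has it OFF. The following is an added example, not from the thread or from RSA: two constructed rows in temporary tables that stand in for tbEventInstance and tbEventMessageTemplate, the failing case, and the same statement succeeding once the option is on.

```sql
-- Added example (not from the thread): minimal reproduction of the WSUS
-- failure and its fix. Both rows are constructed sample data.
CREATE TABLE #tbEventInstance        (EventID int, replacementStrings nvarchar(max));
CREATE TABLE #tbEventMessageTemplate (EventID int, messageTemplate nvarchar(400));
INSERT INTO #tbEventMessageTemplate VALUES (1, N'Update %1 was installed on %2');
INSERT INTO #tbEventInstance        VALUES (1,
    N'<ArrayOfString><string>KB123456</string><string>WS01</string></ArrayOfString>');
GO

-- 1) Session state as the collector apparently connects. The statement is
--    rejected with Msg 1934 ("SELECT failed because the following SET options
--    have incorrect settings: 'QUOTED_IDENTIFIER' ...") before any row is read.
SET QUOTED_IDENTIFIER OFF;
GO
SELECT Ei.EventID,
       REPLACE(REPLACE(Em.messageTemplate,
           '%1', CAST(Ei.replacementStrings AS xml).value('/ArrayOfString[1]/string[1]', 'nvarchar(160)')),
           '%2', CAST(Ei.replacementStrings AS xml).value('/ArrayOfString[1]/string[2]', 'nvarchar(160)'))
       AS MessageDescription
FROM #tbEventInstance AS Ei
JOIN #tbEventMessageTemplate AS Em ON Ei.EventID = Em.EventID;
GO

-- 2) The fix. QUOTED_IDENTIFIER is applied at parse time for the whole batch,
--    so prefixing the data query with this SET is enough; the identical
--    statement now returns 'Update KB123456 was installed on WS01'.
SET QUOTED_IDENTIFIER ON;
GO
SELECT Ei.EventID,
       REPLACE(REPLACE(Em.messageTemplate,
           '%1', CAST(Ei.replacementStrings AS xml).value('/ArrayOfString[1]/string[1]', 'nvarchar(160)')),
           '%2', CAST(Ei.replacementStrings AS xml).value('/ArrayOfString[1]/string[2]', 'nvarchar(160)'))
       AS MessageDescription
FROM #tbEventInstance AS Ei
JOIN #tbEventMessageTemplate AS Em ON Ei.EventID = Em.EventID;
GO

DROP TABLE #tbEventInstance;
DROP TABLE #tbEventMessageTemplate;
GO
```

Where the option gets set depends on what you can edit: if the ODBC definition XML exposes the data query text, the SET QUOTED_IDENTIFIER ON can go in front of it; otherwise it has to come from the driver's connection settings or from the server's "user options" configuration, and it is worth confirming with a plain query from the Log Collector host (SELECT SESSIONPROPERTY('QUOTED_IDENTIFIER')) which value the collector's connection actually gets.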