We have forwarded Symantec AV and cisco secure ACS logs from RSA envision to RSA security SA decoder through Z connector. Both devices logs are captured in RSA SA and also discover devices in RSA SA successfully.
But logs are not getting parsed properly. Below I am given raw log and meta value for both device type.
Like for Symantec AV , RSA SA is not parsing infected file and actual action filed, marked in RED.
Symantec AV Log
Apr 1 17:05:39 SymantecServer YYYYYYY: Virus found,IP Address: X.X.X.X,Computer name:YYYYYYYYY,Source: Real Time Scan,Risk name: Backdoor.Graybird,Occurrences: 1,C:\ArunSingh\Software\CorelDRAW Graphics Suite X6\Keygen-CORE\keygen.exe,"",Actual action: Details pending,Requested action: Deleted,Secondary action: Left alone,Event time: 2014-04-01 11:34:31,Inserted: 2014-04-01 11:35:39,End: 2014-04-01 11:34:31,Last update time: 2014-04-01 11:35:39,Domain: Default1,Group: My Company\ROOT\WORKSTATIONS\STPI\NKP,Server: XXXXXXX,User: YYYYYY,Sourcecomputer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version:
Parsed META:
sessionid = 14351751319
time = 2014-04-01T17:18:19.0
size = 1070
medium = 32
device.type = "symantecav"
device.class = "Anti Virus"
header.id = "0016"
ip.addr =
alias.host = "INMUMNKPSTL3701"
event.source = "Real Time Scan"
virusname = "Backdoor.Graybird"
action = "Deleted"
group = "My Company\ROOT\WORKSTATIONS\STPI\NKP"
alias.host = " "
user.dst = " "
dclass.c1.str = "Occurences"
ec.activity = "Detect"
ec.subject = "Virus"
ec.theme = "TEV"
endtime = 2014-04-01T17:04:31.0
event.desc = "Virus found"
event.time = 2014-04-01T17:04:31.0
msg.id = "Viru:10"
event.cat.name = "Attacks.Malicious Code.Virus"
forward.ip =
device.ip =
kindly help me
