This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Report from IPDB

Anonymous
Not applicable

‎2014-03-21 04:12 AM

Hello,

 

Somebody can help me retrieve events from IPDB located at RSA enVision ES? I read and do all what I find here: https://sadocs.emc.com/0_en-us/095_10.3_User_Guide/13_Device_and_Service_Configuration/IPDB_Extractor_Service_Configurat…

 

I retrieve devicelist, but can't rectrieve data (events). If I create simpe rule, for example "select ip.src, ip.dst" and "where event.cat.name like '%'" and event source - my devicelist - I receive blank report. I try written any terms in where field and all time I receive blank report.

0 Likes
21 REPLIES 21

huanzhou1
Beginner
Beginner

‎2014-04-02 09:25 PM

can you share your configuration?

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-03 01:34 AM

How I can do it?

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-03 06:32 AM

can share your /etc/fstab? and mount output? do you use NAS? if yes, can share the share info?

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-03 06:54 AM

I use RSA enVision wiouth NAS. Strings at /etc/fstab:

 

//10.10.0.111/envision-es /var/netwitness/ipdbextractor/ipdb/envision-es cifs au

to,nouser,noexec,ro,credentials=/root/cred 0 0

//10.10.0.111/csd /var/netwitness/ipdbextractor/devicelocation cifs auto,nouser,

noexec,ro,credentials=/root/cred 0 0

 

Strings at /root/cred:

username=rsasa

password=password

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-03 11:09 PM

//10.10.0.111/envision-es  is for which path? your node name is envision-es?


0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-04 01:41 AM

\\10.10.0.111\envision-es = E:\nic\lsnode\data\ENVISION-ES

Yes, nodename is ENVISION-ES.

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-04 10:17 AM

i had issue with multiple storages, but single storage is working fine.

can you do ls /var/netwitness/ipdbextractor/ipdb/envision-es

and can share the IPDB rule you created?

0 Likes

Anonymous
Not applicable
In response to huanzhou1

‎2014-04-04 10:41 AM

Rule for example "select ip.src,ip.dst". Event source - list with:

 

NIC:ENVISION:ENVISION-ES:winevent_nic:10.0.0.21

NIC:ENVISION:ENVISION-ES:winevent_nic:10.0.0.22

NIC:ENVISION:ENVISION-ES:winevent_nic:10.0.0.25

NIC:ENVISION:ENVISION-ES:winevent_nic:10.0.0.26

NIC:ENVISION:ENVISION-ES:winevent_nic:10.0.0.37

 

[root@SA-WebServer ~]# ls /var/netwitness/ipdbextractor/ipdb/envision-es

ciscoasa     epolicy     mswsus  rhlinux  vmware_esx_esxi  winevent_nic

ciscorouter  msexchange  nic     unknown  vmware_vc

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-07 01:00 AM

can you share the rule you created?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.