NetWitness Community

AlexColella · ‎2014-08-06

Hi Everyone,

We currently have the RSA SA logging several different sources and was hoping to run a scheduled report of the EPS by log collector and if possible even event source (cisco ASA, windows etc). I've combed through available documents but no luck. Any help would be greatly appreciated. Thanks.

LeeKirkpatrick · ‎2014-08-08

No comment

I am not sure in all honesty. SA is moving towards integrating more of this into the UI. I am just unsure of dates.

LeeKirkpatrick · ‎2014-08-08

As of 10.3.4 we now have the capability to look at events streaming into the system like enVision had. At present this is only available via the NwConsole though.

RSAAdmin · ‎2014-08-08

Excellent (about time!).

It needs to be on the web ui because as you know NwConsole doesn't exist on VLCs.

Hopefully there will be the utility to filter on ip, host name, event category, etc like envision allowed.

Expanding on what Sean says - hopefully 10.4 will introduce functionality fundamental to a SIEM solution just as all existing solutions have. Real-time event monitoring and EPS stats are two but there are still many more.

Cheers Lee. Hopefully catch you soon.

Anonymous · ‎2014-08-08

And don't get me wrong, I think the integration of the packets and logs has been way more helpful to us then having streaming events. But the stream would help a lot in developing more content.

RSAAdmin · ‎2014-08-08

The NwConsole utility can be used to connect to remote machines. It doesn't have to connect to localhost.

We (the SA Core developers) also build NwConsole packages for Windows and Mac.

LeeKirkpatrick · ‎2014-08-10

Hey Patrick,

I ended up getting a little bored and scripting your F5 idea

If you would like to use it, just drop it on your Log Decoder or VLC, open it up and change the three variables under “User Variables” to the IP of your Log Decoder / VLC, your username and your password.

# User Variables

dip = '192.168.1.57';

uName = 'admin';

pWord = 'password';

Then run the script like below:

python eps.py

It will prompt you for the collection type you want to monitor (options are windows, odbc, file, etc) :

What collection method do you want to monitor? windows

It will then output similar to below and refresh the stats every 1 second:

Event Collection Monitor

Windows Active Sources Count 1

Windows Error Sources Count 0

Processing Error Count 0

Current Processing Error Rate 0

Event Count 15

Current Event Rate 3

Failed Execution Count 0

Filtered Event Count 0

Current Filtered Event Rate 0

Processing Warning Count 0

RSAAdmin · ‎2014-08-11

Great – thanks very much Lee. I will install the script in the lab.

Cheers mate.

AlexColella · ‎2014-08-11

Excellent script Lee, I know this is asking for quite a bit but is there a way to easily tweak it so that it can accumulate the EPS and give you an average EPS say per hour(s) days etc?

LeeKirkpatrick · ‎2014-08-11

That's an awesome idea. I'll look into what I can do 🙂 I am also working on a script to obtain eps per device as well.

I'll make sure to post updates here.

LeeKirkpatrick · ‎2014-08-15

Hey Argo,

Here it is. As before, supply the collection method, then supply your time frame in seconds:

!

What collection method do you want to monitor? syslog

How many seconds to monitor? 3

Average EPS over 3 seconds:

10.3456

NetWitness Community

Report on EPS per event source in RSA SA