2018-03-13 12:14 PM
I have Symantec logs configured on RSA. I wanted to know, by what meta keys using these logs, I can monitor the USB activity. Like, if a user has plugged in a USB/external hard drive and the access is blocked by Symantec, or if a user has disabled Symantec on their system and is then trying to access USB.
Would really appreciate some quick help here.
2018-03-13 12:43 PM
I've moved your question to the RSA NetWitness Suite space so your post will be seen by the appropriate TSEs and customers who use the product.
Regards,
Erica
2018-03-14 08:21 AM
Hello
You first need to make sure that this is a supported device type by NetWitness by looking at the configuration guides. If it is supported, then follow the steps in the guide to configure it.
If it is not currently supported, then the quickest way is that you will need to get the logs into NetWitness first. This can be done in lots of different ways (e.g. syslog, file reading agent, ODBC).
Once the logs are inside NetWitness you will need to parse them, which may include writing your own parser. At this point you can decide which information you want to put in the meta keys.
2018-03-14 08:49 AM
I would test those events on a system that you can review logs for in NW. That way you know how Symantec logs those events and how NW interprets them.
You could also look at the parser in the RSA GitHub site and see if you can locate any messages there related to your use cases.
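As an added illustration of the parse-then-correlate step the replies describe (not code from any poster in this thread, and not Symantec's or NetWitness's own log format or parser), the sketch below parses constructed key=value events and flags the two cases from the question: a blocked USB device, and a device connected on a host whose protection was disabled shortly before. The field names, the meta key names and the 15-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simple key=value syslog-like form.
# This is NOT the real Symantec Endpoint Protection format; field names and
# meta key names here are assumptions chosen for illustration only.
SAMPLE_LOGS = [
    "2018-03-13T12:00:01 host=WS01 user=alice event=device_blocked device=usb_storage",
    "2018-03-13T12:05:10 host=WS02 user=bob event=protection_disabled",
    "2018-03-13T12:07:45 host=WS02 user=bob event=device_connected device=usb_storage",
    "2018-03-13T12:30:00 host=WS03 user=carol event=device_connected device=usb_storage",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")

def parse_event(line):
    """Parse one constructed line into a dict of (assumed) meta keys; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        meta = {"time": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        meta[key] = value
    return meta

def find_usb_alerts(lines, window=timedelta(minutes=15)):
    """Return (alert_type, host, user) tuples for the two use cases in the thread:
    a blocked USB device, and a device connected on a host whose protection
    was disabled within `window` beforehand."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])  # correlation needs time order
    disabled_at = {}  # host -> time protection was last disabled
    alerts = []
    for e in events:
        kind = e.get("event")
        if kind == "protection_disabled":
            disabled_at[e["host"]] = e["time"]
        elif kind == "device_blocked":
            alerts.append(("usb_blocked", e["host"], e.get("user")))
        elif kind == "device_connected":
            t = disabled_at.get(e["host"])
            if t is not None and e["time"] - t <= window:
                alerts.append(("usb_after_disable", e["host"], e.get("user")))
    return alerts
```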