2018-01-17 03:50 PM
I have a large environment both in terms of monitored devices (logs & packets) and NetWitness infrastructure (many decoders, concentrators, and brokers).
A team that is standing up new devices to be monitored has started sending logs (they say) to a VIP sitting in front of my decoders. These devices do not have a parser built yet, and will likely not be known to NetWitness.
Without killing my Broker performance, what's the best way to determine if I've received any logs from these new, unknown devices in the last week?
2018-01-17 04:08 PM
Health and Wellness > Event Source Monitoring should have a record of that device.ip sending logs to your decoders.
Search in the Event Source column for the IP of the device logging to you, and you should see it there, along with the device type that the decoder thinks it might be, the times it last logged to you, and a chart of the events over time.
2018-01-17 04:30 PM
Thank you for the quick reply, Eric!
Turns out that we're having an unrelated, unreported issue with a load balancer, so logs weren't getting to the decoder.
But, I will save this answer for other uses.
Regards,
Kevin