Map IP Address to Service Type for Log Parsing

This topic describes the procedure to map an IP address to a service type for log parsing.

The Log Collector discovers the event source type on a per-message basis. If the wrong parser is applied to an event source, messages whose format is shared between event source types are misclassified. Misidentified messages do not populate the service's rules and alerts, and reports lack the proper information. When several services share one IP address, the parsers also have difficulty identifying which service generated a given log.

If you map an IP address to its services, the Log Decoder can identify the service from which each log is generated. When messages arrive at the Log Decoder from a mapped service, the assigned parsers are loaded to find event matches instead of relying on per-message discovery.

You can assign service types to the IPv4 address, IPv6 address or hostname of the event source, and you can assign multiple service types to a single address. If different service types with the same IP address are sent to different Log Collectors, use the CollectorID to distinguish them.

Map an IP Address to a Service Type

To map an IP address to a service type, do the following:

  1. Go to Admin > Services.
  2. In the Services view, select a Log Decoder, and in the Actions column, select the actions icon > View > Explore.
  3. Go to the /decoder/parsers node, right-click parsers, and select Properties.
  4. In the Properties view, select the ipdevice command and specify its parameters:

    op=add|remove entries="ipaddress=servicetype"

    for example, op=add entries="10.100.201.30=ciscoasa"

    (Each IPv4 octet must be in the range 0 to 255; an address such as 10.100.201.300 is not valid and will not be mapped.)

  5. Click Send.

IPdevice Command

The ipdevice command supports three operations:

  • add: Adds or updates entries in the ipdevice map. Multiple space-delimited address=servicetype pairs may be specified; listing the same address with several service types assigns all of them to that address.

    op=add entries="address=servicetype [address=servicetype ...]"

  • remove: Removes entries from the ipdevice map. Multiple space-delimited addresses may be specified.

    op=remove entries="address [address ...]"

  • describe: Returns the values currently in the ipdevice map.

    op=describe
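The following Python model, added here as an illustration and not code from NetWitness or its documentation, shows the semantics of the procedure above and of the three ipdevice operations: an address-keyed map that accepts IPv4, IPv6 or hostname keys, allows several service types per address, applies add/remove/describe commands written in the form typed into the Properties view, and answers the question the Log Decoder asks for each incoming message (which parsers to load, or fall back to per-message discovery). The class and function names, the hostname rule and the sample addresses are assumptions made for this example; the real product exposes none of these as an API.

```python
import ipaddress
import re
import shlex
from typing import Dict, List, Optional, Set

# RFC 1123-style hostname check (assumption for this example; the product's
# exact hostname rules are not documented on this page).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def normalize_address(addr: str) -> str:
    """Accept an IPv4, IPv6 or hostname key; reject anything else.

    IP literals are canonicalised so '2001:db8::0001' and '2001:db8::1' share
    one entry; hostnames are lower-cased. A dotted string that is not a valid
    IPv4 address (e.g. 10.100.201.300, octet out of range) is rejected rather
    than silently accepted as a hostname.
    """
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", addr) or ":" in addr:
        raise ValueError(f"malformed IP address: {addr!r}")
    if _HOSTNAME_RE.match(addr):
        return addr.lower()
    raise ValueError(f"not an IPv4, IPv6 or hostname value: {addr!r}")


class IpDeviceMap:
    """Model of the ipdevice map: address -> set of assigned service types."""

    def __init__(self) -> None:
        self._map: Dict[str, Set[str]] = {}

    def add(self, entries: str) -> None:
        """op=add: space-delimited address=servicetype pairs; adds or updates."""
        for pair in entries.split():
            addr, sep, service = pair.partition("=")
            if not sep or not service:
                raise ValueError(f"expected address=servicetype, got {pair!r}")
            self._map.setdefault(normalize_address(addr), set()).add(service)

    def remove(self, entries: str) -> None:
        """op=remove: space-delimited addresses; unmapped addresses are ignored."""
        for addr in entries.split():
            self._map.pop(normalize_address(addr), None)

    def describe(self) -> Dict[str, Set[str]]:
        """op=describe: a copy of the current map."""
        return {addr: set(services) for addr, services in self._map.items()}

    def parsers_for(self, source: str) -> Optional[List[str]]:
        """Service types whose parsers are loaded for a message from `source`.

        None means the source is unmapped, so the decoder must fall back to
        per-message type discovery (the behaviour the mapping is meant to avoid).
        """
        try:
            services = self._map.get(normalize_address(source))
        except ValueError:
            return None
        return sorted(services) if services else None


def run_command(dev: IpDeviceMap, command: str) -> Dict[str, Set[str]]:
    """Apply a command string as typed in the Properties view, for example
    op=add entries="10.100.201.30=ciscoasa", and return the resulting map."""
    params = {}
    for token in shlex.split(command):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"bad parameter {token!r}")
        params[key] = value
    op = params.get("op")
    if op == "add":
        dev.add(params["entries"])
    elif op == "remove":
        dev.remove(params["entries"])
    elif op != "describe":
        raise ValueError(f"unknown op {op!r}")
    return dev.describe()


if __name__ == "__main__":
    # Constructed sample: one address shared by two service types, one hostname.
    dev = IpDeviceMap()
    run_command(dev, 'op=add entries="10.100.201.30=ciscoasa 10.100.201.30=ciscorouter '
                     'fw1.example.com=paloaltonetworks"')
    print(dev.parsers_for("10.100.201.30"))   # both assigned parsers
    print(dev.parsers_for("192.0.2.7"))       # None: unmapped, discover per message
    print(run_command(dev, "op=describe"))
```

Two points the model makes that the procedure text only implies: the map is keyed by the message's source address, so a source that is not mapped still goes through per-message discovery, and address validation happens at add time, which is where a typo such as an out-of-range octet should be caught rather than discovered later as logs that never match a parser.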