I have a customer who use something called a "Data Diode" to enforce one way connectivity through their network.
One result of this is that any syslog that is being sent through the diode gets its device IP changed.
For example any message that was sent through the diode would have the Source IP address and Sequence Numbers appended.
Jan 11 18:01:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet13/30, changed state to up
Message after Passing through Data Diode and seen by RSA Netwitness for Logs:
18.104.22.168 1515391: Jan 11 18:01:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet13/30, changed state to up
Unfortunately this means that the device.ip is populated with the Data Diode address rather than the original source address. The LUA parser below checks logs coming from the same IP as the Data Diode, and if they have this header format, the IP address is extracted and stored in device.ip.
This method works where logs are parsed by Security Analytics even with this additional header.
1) Edit the DataDiode.Lua on Line 41. This looks for the IP to check against with the format in decimal. In the file 192.168.123.3 is 3232267011 in decimal format.
2) Add the address of the datadiode in decimal format. (If you are lazy just use http://ncalculators.com/digital-computation/ip-address-hex-decimal-binary.htm)
3) Copy the parser to /etc/netwitness/ng/parsers on both your logdecoder
4) Reload your parsers (with your script that you use)
local lua_DataDiode= nw.createParser("DataDiode", "Registers the IP given by the Data Diode into device.ip")
Takes a message from a data diode and adds the IP address supplied into device.ip
22.214.171.124 8936: 008934: Jan 11 17:55:03.566: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 126.96.36.199 Port 514 started - CLI initiated
There can be any number of sequence numbers after the IP and the messages might be coming from any number of different event sources
deviceip = nil
devicetype = nil
if dtype == 'checkpointfw1' then
devicetype = dtype
-- Data Diode Device IP is 192.168.123.3
-- nw.logInfo("DataDiode: DeviceIP: " .. dip .. type(dip))
-- Note IP Addresses are stored in DECIMAL notation so need to convert dotted value to DECIMAL
-- To convert a.b.c.d is a *256 ^3 =b *256 ^2 +c *256 +d
--- 192.168.123.3 is therefore 3232267011
if dip == 3232267011 then
deviceip = dip
if deviceip then
-- Reparse the message:
-- nw.logInfo("DataDiode: DeviceIP has matched" )
local fullPayload = nw.getPayload():tostring()
local o1,o2,o3,o4,sequence,rubbish = string.match(fullPayload,"(%d+).(%d+).(%d+).(%d+)%s(%d+):(.*)")
--nw.logInfo("DataDiode: DeviceIP has matched" )
-- Check we have an IP address
if o1 and o2 and o3 and o4 then
host = o1*256^3 + o2*256^2 + o3*256 + o4
--nw.logInfo("DataDiode: Registered New Device IP: " .. host)
[nwevents.OnSessionBegin] = lua_DataDiode.sessionBegin,
--[nwlanguagekey.create("device.type", nwtypes.Text)] = lua_DataDiode.CheckDevice,
[nwlanguagekey.create("device.ip", nwtypes.IPv4)] = lua_DataDiode.CheckDeviceIP,