Decoder: Enable Event Source Mapping

Document created by RSA Information Design and Development on Apr 21, 2016
Version 1

This topic tells administrators how to enable event source mapping on a Log Decoder.

The Log Collector discovers the event source type on a per-message basis. If the correct parser is not identified for an event source, messages from that event source type are misclassified. Misclassified messages do not populate event source rules and alerts, and reports do not contain the correct data. When multiple event source types share a single IP address, the parsers cannot easily determine which event source actually generated a given log.

If you map an IP address to its event source type, the Log Decoder can identify the event source from which the log is generated. When messages are delivered to the Log Decoder from a mapped event source, only the assigned parsers are queried to find event matches.

You can assign event source types to the IPv4 address, IPv6 address, or hostname of the event source. You can also assign multiple event source types to a single IP address. When different event source types with the same IP address send logs to different Log Collectors, you can add the Log Collector ID to the mapping to tell them apart.

Procedures

Enable IP Address to Event Source Mapping

To enable an IP address to event source mapping:

  1. In the Security Analytics menu, select Administration > System > Log Parser Mappings.
  2. Select the Enable Parser Mappings checkbox.
  3. Click Apply.
    The Parser Mappings (Beta) tab is displayed in the Services Config view.

[Screenshot PrsMapTbBeta.png: the Parser Mappings (Beta) tab]

Update IP to Event Source Mapping

To update an IP to event source mapping:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder, and in the Actions column, select the Actions menu > View > Config.
    The Services Config view is displayed.
  3. Select the Parser Mappings (Beta) tab.
    [Screenshot PrsMapTbBeta.png: the Parser Mappings (Beta) tab]
  4. Click the Add icon (ic-add.png).
    The Mapping Editor is displayed.
  5. Define any of the following mappings in the Mapping Editor:

One Host and One Event Source Type
- In the Host field, enter the IP address or hostname.
  For example: 10.0.0.1
- In the Event Source(s) field, enter the event source type.
  For example: apache

One Host and One or More Event Source Types
- In the Host field, enter the IP address or hostname.
  For example: 10.0.0.1
- In the Event Source(s) field, enter the event source types, separated by commas.
  For example: apache,sap,aix

One Host, One Log Collector, and One Event Source Type
- In the Host field, enter the IP address or hostname and the Log Collector ID.
  For example: 10.0.0.1,LC-1
- In the Event Source(s) field, enter the event source type.
  For example: apache

One Host, One Log Collector ID, and One or More Event Source Types
- In the Host field, enter the IP address or hostname and the Log Collector ID.
  For example: 10.0.0.1.LC-1
- In the Event Source(s) field, enter the event source types, separated by commas.
  For example: apache,sap,aix

Note: The event source types are queried in the order you enter them. If more than one parser matches a log, the first matching parser in the list is the one used. The Host/IP can be an IPv4 address, an IPv6 address, or a hostname.

  6. Click OK.
    The parser mapping is added.
  7. To accept the parser mappings selection, click Apply.
  8. To cancel the parser mappings selection, click Revert.
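The overview above and the note on parser ordering describe a lookup rule: a mapped host (optionally qualified by Log Collector ID) restricts the Log Decoder to an ordered list of parsers, and the first parser in that list that matches wins. The following Python is an added example written for this page, not RSA's code, that models that rule so the ordering and restriction effects can be seen on sample input. It assumes the comma-separated "host,LC-ID" Host field form shown in the first Log Collector example, that a host-plus-collector entry takes precedence over a host-only entry, and that an unmapped host is tried against every installed parser; the keyword matchers and log lines are constructed stand-ins, not real parsers or real logs.

```python
"""Model of Log Decoder parser-mapping lookup (added example, not RSA code).

Assumptions made for this example:
  * the Host field is "host" or "host,LC-ID" (the comma form shown on the page);
  * a host+collector entry is preferred over a host-only entry, and an
    unmapped host is tried against every installed parser;
  * the keyword matchers and log lines below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    host: str                       # normalized IPv4, IPv6, or lowercase hostname
    collector_id: Optional[str]     # Log Collector ID, or None for a host-only entry
    event_sources: Tuple[str, ...]  # parser names in the order they were entered


def normalize_host(value: str) -> str:
    """Canonicalize so '2001:DB8::1' and '2001:db8:0:0::1' hit the same entry."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower()  # not an IP literal: treat it as a hostname


def parse_mapping(host_field: str, event_sources_field: str) -> Mapping:
    """Turn the two Mapping Editor fields into one Mapping entry."""
    parts = [p.strip() for p in host_field.split(",")]
    if len(parts) == 1:
        host, collector = parts[0], None
    elif len(parts) == 2:
        host, collector = parts
    else:
        raise ValueError(f"bad Host field: {host_field!r}")
    sources = tuple(s.strip().lower() for s in event_sources_field.split(",") if s.strip())
    if not host or not sources:
        raise ValueError("Host and Event Source(s) are both required")
    return Mapping(normalize_host(host), collector, sources)


def first_match(order: List[str], message: str,
                matchers: Dict[str, Callable[[str], bool]]) -> Optional[str]:
    """Query parsers in the given order; the first one that matches wins."""
    for name in order:
        matcher = matchers.get(name)
        if matcher is not None and matcher(message):
            return name
    return None


class ParserMappings:
    def __init__(self, all_parsers: List[str]):
        self.all_parsers = list(all_parsers)
        self._entries: Dict[Tuple[str, Optional[str]], Mapping] = {}

    def add(self, mapping: Mapping) -> None:
        self._entries[(mapping.host, mapping.collector_id)] = mapping

    def parsers_for(self, host: str, collector_id: Optional[str] = None) -> List[str]:
        """Parser list a message from this host/collector is restricted to."""
        key = normalize_host(host)
        entry = self._entries.get((key, collector_id)) or self._entries.get((key, None))
        if entry is None:
            return list(self.all_parsers)  # unmapped host: every parser is a candidate
        return list(entry.event_sources)

    def classify(self, host: str, collector_id: Optional[str], message: str,
                 matchers: Dict[str, Callable[[str], bool]]) -> Optional[str]:
        return first_match(self.parsers_for(host, collector_id), message, matchers)


# Constructed stand-ins for real parsers: each recognizes one crude token.
SAMPLE_MATCHERS = {
    "apache": lambda m: '"GET ' in m or '"POST ' in m,
    "sap": lambda m: "sapsys" in m.lower(),
    "aix": lambda m: "aix" in m.lower(),
    "cisco": lambda m: "%ASA-" in m,
}

# Constructed sample log lines (not captured from a real system).
WEB_AND_SAP = 'Apr 21 10:00:00 sapsys httpd: "GET /login HTTP/1.1" 200 512'
ASA_LINE = 'Apr 21 10:00:01 %ASA-6-302013: Built outbound TCP connection 1234'


def build_sample_mappings() -> ParserMappings:
    pm = ParserMappings(all_parsers=["apache", "sap", "aix", "cisco"])
    pm.add(parse_mapping("10.0.0.1", "apache,sap,aix"))               # host, several types
    pm.add(parse_mapping("10.0.0.1,LC-2", "aix"))                     # same host, one collector
    pm.add(parse_mapping("Web-Frontend.example.internal", "apache"))  # hostname key
    pm.add(parse_mapping("2001:DB8::1", "cisco"))                     # IPv6 key
    return pm


if __name__ == "__main__":
    pm = build_sample_mappings()
    print(pm.classify("10.0.0.1", None, WEB_AND_SAP, SAMPLE_MATCHERS))    # apache (first in list)
    print(pm.classify("10.0.0.1", "LC-2", WEB_AND_SAP, SAMPLE_MATCHERS))  # None (only aix allowed)
    print(pm.classify("10.0.0.1", None, ASA_LINE, SAMPLE_MATCHERS))       # None (cisco not mapped)
    print(pm.classify("10.0.0.9", None, ASA_LINE, SAMPLE_MATCHERS))       # cisco (unmapped host)
```

The two None results are the operational point: once a host is mapped, a log from it that none of the assigned parsers recognizes is not classified at all, so a mapping that omits a type actually present on that host silently loses those events from rules, alerts and reports. The WEB_AND_SAP line also shows why order matters: entering "apache,sap,aix" classifies it as apache, while "sap,apache" would classify it as sap.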

Read IP to Event Source Type Mappings

To read IP to event source type mappings:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Services Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
    The mappings are displayed.
    [Screenshot PrsMapTbBeta.png: the Parser Mappings (Beta) tab]

Edit an IP to Event Source Type Mapping

To edit an IP to event source type mapping:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Service Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
  5. Select the mapping you want to edit.
  6. Click the Edit icon (ic-edit.png).
  7. In the Event Source(s) field, modify the event source(s).
  8. Click OK.
  9. To accept the edited Event Source, click Apply.
  10. To cancel the changes, click Revert.

Delete an IP to Event Source Type Mapping

To delete an IP to event source type mapping:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Service Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
  5. Select the mapping you want to delete.
  6. Click the Delete icon (ic-delete.png).
    The mapping is deleted.
  7. To accept the changes, click Apply.
  8. To cancel the changes, click Revert.

Sort the Hostname or Event Source Type

To sort the hostname or event source type:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Service Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
  5. To sort a column, click the column header.
    The Sort Options drop-down menu is displayed.
  6. Select the sort order that you want.
  7. Click Apply.

Import IP to Event Source Mapping Entries

To import IP to event source mapping entries:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Service Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
  5. Select Actions > Import.
    The Import dialog is displayed.
  6. Click the Add icon (ic-add.png).
  7. Select the file you want to import and click OK.
  8. To load the parser, click Import.

Note: You can only import one .csv file at a time.

Export IP to Event Source Mapping Entries

To export IP to event source mapping entries:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Service Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
  5. Select the mappings you want to export.
  6. Select Actions > Export > Selection.
    The Export Selection dialog is displayed.
  7. Enter the file name and click Export.

Search IP to Event Source Mapping Entries

To search IP to event source mapping entries:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.
    The Service Config view is displayed.
  4. Select the Parser Mappings (Beta) tab.
  5. In the Parser Mappings toolbar, enter the Host or Event Source in the Filter field.
  6. Press Enter.
    The Hosts or Event Sources that match the text entered in the Filter field are displayed.