000029497 - Issue with alerts sent to third party tools (such as ArcSight) in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 2, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000029497
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness Server
Platform: CentOS
IssueWhen sending alerts to a third-party tool, such as ArcSight, there may be issues with how the alerts are being displayed, as it may appear that packets are sent with multiple alert titles in the same packet. In ArcSight, it would appear that one alert would run into another. 

An example:  

The triggering of one rule is also appeared to trigger another rule.   In ArcSight, these rules appear to have been combined, and these alerts that are triggered at the same time appear to be showing up in the same alert in ArcSight vs in separate alerts as they should be. 


Below is the flow for the Reporting Engine (RE) when it creates NW Alerts:

  1. RE will query all the sessions for Alerts (for example; "select where alert = '<alert-name>'")
  2. For each session received, RE will generate a template. A session can have multiple "alerts" (in such cases in the template all the alerts will appear as a "comma-separated" form)

If a session has alerts "[ AlertA , AlertD, AlertB, AlertC, AlertD ]" then in Template it will appear as "AlertA, AlertD, AlertB, AlertC, AlertD" (Comma Separated Values)


In the above sample use case, the issue is with the interpretation of "meta.alert". This can be rectified by using the following:

use "$


" instead of "$



....in the template. Execution in such a way will display "Alert Name" vs all alerts in "Session".  This methodology ensures the transmission of the alert name which fired the event in syslog.