000029305 - How to add syslog streams to RSA Security Analytics Log Decoders

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 6, 2019
Version 3

Article Content

Article Number: 000029305
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.x
Platform: CentOS
Component Name: Syslog
Issue: Syslog streams are not showing up on the Log Decoder. The syslog priority values (facility and severity) are not seen as meta, so they cannot be used when parsing or investigating the messages.
Resolution: The following must be done in order to get the syslog stream, with its priority meta, to show up on the Log Decoder:
  1. Edit the /etc/netwitness/ng/table-map-custom.xml file on the Log Decoder and add the following two lines inside the existing mappings element (between the opening and closing tags of the file):

    <mapping envisionName="pri.severity" nwName="pri.severity" format="Int32" flags="None" />
    <mapping envisionName="pri.facility" nwName="pri.facility" format="Int32" flags="None" />

  2. Edit the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator and add the following two lines inside the existing language element (between the opening and closing tags of the file):

    <key description="Syslog Facility" format="Int32" level="IndexValues" name="pri.facility" valueMax="10000" />
    <key description="Syslog Severity" format="Int32" level="IndexValues" name="pri.severity" valueMax="10000" />

  3. Restart the Log Collector, Log Decoder and Concentrator services so that the changes take effect. The pri.facility and pri.severity values should then begin to appear as meta in the Investigation module within Security Analytics.
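The following Python script is an added example and is not code from this RSA article; it checks that the two custom XML files contain the entries from steps 1 and 2 and decodes the syslog PRI field to show what the new pri.facility and pri.severity meta values represent (PRI = facility * 8 + severity, per RFC 3164 and RFC 5424). It assumes the stock file layouts (table-map-custom.xml rooted at a mappings element, index-concentrator-custom.xml rooted at a language element) and uses constructed sample file contents instead of reading /etc/netwitness/ng, so it runs anywhere; point the loader functions at the real paths to check a live appliance.

```python
"""Added example (not RSA's code): verify the pri.facility / pri.severity
entries described in the article and decode syslog PRI values.

Assumptions: table-map-custom.xml is rooted at <mappings> and
index-concentrator-custom.xml at <language>, as in the stock files; the
sample file contents below are constructed for this demonstration."""

import re
import xml.etree.ElementTree as ET

REQUIRED_KEYS = ("pri.facility", "pri.severity")

# Constructed sample of table-map-custom.xml after step 1 has been completed.
TABLE_MAP_CUSTOM = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
    <mapping envisionName="pri.severity" nwName="pri.severity" format="Int32" flags="None" />
    <mapping envisionName="pri.facility" nwName="pri.facility" format="Int32" flags="None" />
</mappings>
"""

# Constructed sample of index-concentrator-custom.xml in which step 2 was only
# half done: the severity key is missing, so severity will never be indexed.
INDEX_CONCENTRATOR_CUSTOM = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <key description="Syslog Facility" format="Int32" level="IndexValues" name="pri.facility" valueMax="10000" />
</language>
"""


def missing_table_mappings(xml_text):
    """Return required nwName values lacking an Int32 <mapping> (step 1)."""
    root = ET.fromstring(xml_text)
    present = {m.get("nwName") for m in root.iter("mapping")
               if m.get("format") == "Int32"}
    return [k for k in REQUIRED_KEYS if k not in present]


def missing_index_keys(xml_text):
    """Return required names lacking an indexed Int32 <key> (step 2)."""
    root = ET.fromstring(xml_text)
    present = {k.get("name") for k in root.iter("key")
               if k.get("format") == "Int32" and k.get("level") == "IndexValues"}
    return [k for k in REQUIRED_KEYS if k not in present]


def check_files(table_map_path, index_path):
    """Run both checks against files on disk, e.g. the /etc/netwitness/ng copies."""
    with open(table_map_path, encoding="utf-8") as f:
        table_missing = missing_table_mappings(f.read())
    with open(index_path, encoding="utf-8") as f:
        index_missing = missing_index_keys(f.read())
    return {"table-map-custom.xml": table_missing,
            "index-concentrator-custom.xml": index_missing}


PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Split a syslog line's PRI into (facility, severity), or None if absent/invalid.

    RFC 3164 / RFC 5424 define PRI = facility * 8 + severity, with facility 0-23
    and severity 0-7, so the largest legal PRI is 191.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


if __name__ == "__main__":
    print("table-map-custom.xml missing:", missing_table_mappings(TABLE_MAP_CUSTOM))
    print("index-concentrator-custom.xml missing:", missing_index_keys(INDEX_CONCENTRATOR_CUSTOM))
    # Constructed syslog lines (the RFC 3164 and RFC 5424 example messages).
    for line in ("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                 "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An event",
                 "no PRI on this line"):
        print(line[:40], "->", decode_pri(line))
```

Running the script reports that the sample index file still lacks the pri.severity key, which is the kind of half-applied edit that leaves one of the two values unindexed even though the Log Decoder is producing it; the PRI decoding shows that a message with PRI 34 carries facility 4 (auth) and severity 2 (critical), which are the integers the new Int32 meta keys will hold.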

If you are unsure of any of the steps above or experience any issues, contact RSA Support and mention article 000029305 for further assistance.