000032529 - Logs from Windows Snare agents are not parsing as event.type=winevent_snare in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000032529
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Log Collector, Security Analytics UI
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x
Platform: CentOS
O/S Version: EL6
Platform (Other): Windows SNARE Agent 4.0.2
Issue
Logs from Windows Snare agents are not being parsed properly, so they are tagged event.type=unknown instead of event.type=winevent_snare.
When looking at the raw log, you can see 'MSWinEventLog[1]:' instead of 'MSWinEventLog,1,'.
For example:
1447945680,,,serverhostname,Nov 19 20:37:53 <FQDN> MSWinEventLog[1]:Security,

Whereas, typical snare logs look like:
1447945680,,,serverhostname,Nov 19 20:37:53 <FQDN> MSWinEventLog,1,Security,
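As an added example (not part of the RSA article, and not RSA or Snare code), the following Python checker scans raw Snare lines and reports which hosts are still sending the alternate header, so an operator can find every misconfigured agent before applying the resolution. The sample lines and host names are constructed to match the two header shapes above; the non-Snare line is included to show that unrelated sources are left alone.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two header shapes in the article.
# Host names are made up; the field layout follows the article's examples.
SAMPLE_LINES = [
    "1447945680,,,serverhostname,Nov 19 20:37:53 win01.corp.example MSWinEventLog[1]:Security,",
    "1447945681,,,serverhostname,Nov 19 20:37:54 win02.corp.example MSWinEventLog,1,Security,",
    "1447945682,,,serverhostname,Nov 19 20:37:55 win01.corp.example MSWinEventLog[1]:System,",
    "1447945683,,,serverhostname,Nov 19 20:37:56 win03.corp.example MSWinEventLog,2,Application,",
    "1447945684,,,serverhostname,Nov 19 20:37:57 bastion01 sshd[1234]: Accepted publickey for ops",
]

# Standard Snare header, which the winevent_snare parser expects:
#   "<host> MSWinEventLog,<criticality>,<log name>,"
STANDARD_HEADER = re.compile(r"(?P<host>\S+) MSWinEventLog,(?P<crit>\d+),(?P<log>[^,]+),")
# Alternate header produced when "Use Alternate Header" is enabled:
#   "<host> MSWinEventLog[<criticality>]:<log name>,"
ALTERNATE_HEADER = re.compile(r"(?P<host>\S+) MSWinEventLog\[(?P<crit>\d+)\]:(?P<log>[^,]+),")


def classify_header(line):
    """Return (kind, host, log_name); kind is 'standard', 'alternate' or 'none'."""
    m = STANDARD_HEADER.search(line)
    if m:
        return "standard", m.group("host"), m.group("log")
    m = ALTERNATE_HEADER.search(line)
    if m:
        return "alternate", m.group("host"), m.group("log")
    return "none", None, None


def header_counts(lines):
    """Count lines per header kind, e.g. {'standard': 2, 'alternate': 2, 'none': 1}."""
    return Counter(classify_header(line)[0] for line in lines)


def hosts_with_alternate_header(lines):
    """Sorted list of hosts whose agents still send the alternate header."""
    return sorted({host for kind, host, _ in map(classify_header, lines) if kind == "alternate"})


if __name__ == "__main__":
    print("header kinds:", dict(header_counts(SAMPLE_LINES)))
    for host in hosts_with_alternate_header(SAMPLE_LINES):
        print("alternate header still enabled on:", host)
```

Run it against a raw log export from the Log Decoder instead of SAMPLE_LINES to get the list of agents that need the "Use Alternate Header" option cleared; once the fix is applied and the services restarted, the same host should appear only under the standard header.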
Cause
The SNARE agent has the alternate header option enabled.
Resolution
To resolve the issue, follow the steps below.
  1. Clear the "Use Alternate Header" checkbox and save the configuration.
  2. Re-apply the reg file.
  3. Restart the Snare services.
  4. Check and confirm that the issue is resolved.
For more information, refer to the Microsoft Windows SNARE Event Source Configuration Guide.
Mapping IP Address to Device Type
Note: You may also need to use IP address to device type mapping if device.type shows the wrong value (other than unknown), using the references below.