Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Log Collector, Security Analytics UI
RSA Version/Condition: 10.3.x, 10.4.x, 10.5.x
O/S Version: EL6
Platform (Other): Windows SNARE Agent 4.0.2
Issue
Logs from Windows SNARE agents are not being parsed properly, so the events show event.type=unknown instead of event.type=winevent_snare.
When looking at the raw log, you can see 'MSWinEventLog:' instead of 'MSWinEventLog,1,':
1447945680,10.20.30.40,127.0.0.1,serverhostname,Nov 19 20:37:53 <FQDN> MSWinEventLog:Security,
Typical SNARE logs, by contrast, look like:
1447945680,10.20.30.40,127.0.0.1,serverhostname,Nov 19 20:37:53 <FQDN> MSWinEventLog,1,Security,
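As an added example (not part of the RSA article), the following Python check reads raw log lines in the layout shown above, classifies each SNARE header as the standard 'MSWinEventLog,1,<log>,' form or the alternative 'MSWinEventLog:<log>,' form, and lists the sending hosts that use the alternative form, so the affected agents can be identified before their header setting is changed. The sample lines, hostnames and the tab-delimited variant are constructed assumptions, not data from the article.

```python
import re
from collections import Counter

# Constructed sample lines in the raw-log layout shown in the article:
# "<epoch>,<collector ip>,<source ip>,<collector host>,<syslog message>"
SAMPLE_LOGS = """\
1447945680,10.20.30.40,127.0.0.1,serverhostname,Nov 19 20:37:53 host1.example.test MSWinEventLog:Security,4624,...
1447945681,10.20.30.40,127.0.0.1,serverhostname,Nov 19 20:37:54 host2.example.test MSWinEventLog,1,Security,4634,...
1447945682,10.20.30.40,127.0.0.1,serverhostname,Nov 19 20:37:55 host3.example.test MSWinEventLog\t1\tSecurity\t4624\t...
"""

# Standard header: "MSWinEventLog<delim><criticality><delim><log name><delim>";
# comma as on the page, tab accepted as an assumed alternative delimiter.
STANDARD_HEADER = re.compile(r"MSWinEventLog([,\t])(\d+)\1([^,\t]+)\1")
# Alternative header (the variant the article shows): "MSWinEventLog:<log name>,"
ALTERNATIVE_HEADER = re.compile(r"MSWinEventLog:([^,\t]+)[,\t]")
# The sending host is the token immediately before "MSWinEventLog"
HOST_BEFORE_HEADER = re.compile(r"(\S+)\s+MSWinEventLog[,\t:]")


def classify_snare_line(raw_line):
    """Return (fqdn, header_style, log_name); header_style is 'standard', 'alternative' or 'unknown'."""
    host_match = HOST_BEFORE_HEADER.search(raw_line)
    fqdn = host_match.group(1) if host_match else None
    m = STANDARD_HEADER.search(raw_line)
    if m:
        return fqdn, "standard", m.group(3)
    m = ALTERNATIVE_HEADER.search(raw_line)
    if m:
        return fqdn, "alternative", m.group(1)
    return fqdn, "unknown", None


def find_misconfigured_agents(raw_logs):
    """Map each FQDN that sends the alternative header to the number of such lines seen."""
    counts = Counter()
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        fqdn, style, _ = classify_snare_line(line)
        if style == "alternative":
            counts[fqdn] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS.splitlines():
        print(classify_snare_line(line))
    print("agents sending the alternative header:", find_misconfigured_agents(SAMPLE_LOGS))
```

Run it against a raw-log export from the Log Decoder to get the list of hosts whose agents still have the alternative header enabled.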
Cause
The SNARE agent has an alternative header configured.
Resolution
To resolve the issue, follow the steps below.
Mapping IP Address to Device Type
Note: You may also need to use the IP Address to Device Type mapping, using the references below, if device.type shows the wrong device type (rather than unknown).