|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Log Collector, Log Decoder, Security Analytics UI
RSA Version/Condition: 10.3.x
Platform (Other): ODBC
O/S Version: EL5, EL6
|Issue||When investigating meta from an ODBC event source, the device.ip field does not match the IP address of the SQL database server; this is seen in particular with the hips8x and epolicyvirus4_5 event sources.|
Instead, device.ip holds the IP address of the host that sent its logs to the SQL database.
|Cause||For hips8x and epolicyvirus4_5, device.ip is populated from the AnlyzerIPV4 column of the incoming log, which carries the address of the host that reported the event to the database rather than the address of the database server itself.|
For the hips8x event source, this is defined in /etc/netwitness/ng/logcollection/content/collection/odbc/hips8x.xml.
For the epolicyvirus4_5 event source, this is defined in /etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml.
To have device.ip reflect the address of the database server rather than the reporting host, remove the "AnlyzerIPV4" field from the event source's ODBC definition file (back up the file first); a corresponding minor change then needs to be made in the Security Analytics UI. Once the column is removed, the reporting host's address is no longer collected through this field.
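The following helper, added here as an illustration and not part of RSA's own content, shows one way to take the AnlyzerIPV4 column out of the SELECT list in an ODBC definition file without disturbing the rest of the statement, and backs the file up first. It assumes the definition file is XML with the SQL statement held in a <dataQuery> element; that element name, the <typespec> layout and the column names in the embedded sample are assumptions for the example, not copied from hips8x.xml or epolicyvirus4_5.xml. The UI change the article mentions is not automated here.

```python
"""Remove the AnlyzerIPV4 column from an ODBC collection definition file.

Hypothetical helper written for this article, not RSA code.  It assumes the
SQL statement lives in a <dataQuery> element (an assumption about the file
layout) and edits only the SELECT list, leaving WHERE/ORDER BY untouched.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the assumed layout; column names are illustrative.
SAMPLE_TYPESPEC = """<?xml version="1.0" encoding="UTF-8"?>
<typespec>
  <name>hips8x</name>
  <type>odbc</type>
  <collection>
    <odbc>
      <query>
        <tag>hips8x</tag>
        <dataQuery>SELECT AutoID, ReceivedUTC, AnlyzerIPV4, AnalyzerHostName,
 SourceIPV4, COALESCE(ThreatName, '') AS ThreatName FROM EPOEvents
 WHERE AutoID > ? ORDER BY AutoID</dataQuery>
        <trackingColumn>AutoID</trackingColumn>
      </query>
    </odbc>
  </collection>
</typespec>
"""


def split_select_list(select_list):
    """Split on top-level commas only; a comma inside parentheses belongs to
    a function call such as COALESCE(a, b) and must not split an item."""
    items, current, depth = [], [], 0
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    items.append("".join(current).strip())
    return [item for item in items if item]


def column_name(item):
    """Bare column name of one SELECT item, or None for an expression.
    Drops an alias ('AS x' or a trailing token) and any 'table.' qualifier."""
    expr = re.split(r"\s+AS\s+", item, maxsplit=1, flags=re.IGNORECASE)[0]
    if "(" in expr:
        return None
    return expr.split()[0].split(".")[-1]


def remove_column(query, column):
    """Return `query` with `column` removed from its SELECT list.
    Raises ValueError if the column is absent or the list would become empty."""
    m = re.match(r"^\s*SELECT\s+(.*?)\s+FROM\s", query, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a SELECT ... FROM statement")
    items = split_select_list(m.group(1))
    kept = [i for i in items if (column_name(i) or "").lower() != column.lower()]
    if len(kept) == len(items):
        raise ValueError(f"{column} is not in the SELECT list")
    if not kept:
        raise ValueError("refusing to leave an empty SELECT list")
    return query[:m.start(1)] + ", ".join(kept) + query[m.end(1):]


def strip_column_from_typespec(xml_text, column):
    """Remove `column` from every <dataQuery> that selects it.
    Returns (new XML text, number of queries changed)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    changed = 0
    for dq in root.iter("dataQuery"):
        if not dq.text:
            continue
        try:
            dq.text = remove_column(dq.text, column)
            changed += 1
        except ValueError:
            continue  # this query does not select the column
    if changed == 0:
        raise ValueError(f"no <dataQuery> selects {column}")
    body = ET.tostring(root, encoding="unicode")  # re-escapes '>' as '&gt;'
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", changed


def edit_definition_file(path, column="AnlyzerIPV4"):
    """Back up `path` to `path`.bak, then rewrite it without `column`."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_text, changed = strip_column_from_typespec(path.read_text(encoding="utf-8"), column)
    path.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    new_xml, n = strip_column_from_typespec(SAMPLE_TYPESPEC, "AnlyzerIPV4")
    print(f"{n} query rewritten:")
    print(ET.fromstring(new_xml.encode("utf-8")).find(".//dataQuery").text)
```

Run it against a copy of the real definition file first (edit_definition_file("/path/to/copy/hips8x.xml")) and diff the result against the original before touching the live file under /etc/netwitness/ng/logcollection; the helper refuses to write anything if the column is not found or if removing it would empty the SELECT list.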