Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000031312 - ODBC event source parses the device.ip field incorrectly in RSA Security Analytics 10.3.x

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000031312
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Log Collector, Log Decoder, Security Analytics UI RSA Version/Condition: 10.3.x Platform: CentOS Platform (Other): ODBC O/S Version: EL5, EL6
Issue	When navigating investigating meta from an ODB event source, the device.ip field doesn't match the IP address of the SQL database, particularly with hips8x and epolicyvirus4_5 event sources. Instead, the IP address in the device.ip field is that of the host sending its logs to the SQL database.
Cause	For hips8x and epolicyvirus4_5 the device.ip field will be populated with the IP from the AnlyzerIPV4 column of the incoming log. For the hips8x event source, this is found in the /etc/netwitness/ng/logcollection/content/collection/odbc/hips8x.xml file. For the epolicyvirus4_5 event source, this is found in the /etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml file.
Resolution	To reflect the IP address of the database rather than the host, the field "AnlyzerIPV4" can be deleted from the ODBC definition file and minor changes will need to be made in the Security Analytics UI. Follow the steps below to perform this procedure. 1. Stop ODBC collection via the Security Analytics UI. Update the event source configuration in the Security Analytics UI and enter the IP address of the server in place of 127.0.0.1. Issue the command below to edit the file. vi /etc/netwitness/ng/logcollection/content/collection/odbc/hips8x.xml Update the ODBC Type Spec Definition file by removing [EPOEvents].[AnalyzerIPV4], as shown below. Restart the nwlogcollector service for the changes to take effect. [root@logdecoder ~]# stop nwlogcollector nwlogcollector stop/waiting [root@logdecoder ~]# start nwlogcollector nwlogcollector start/running, process 24648 Start the ODBC collection again via the Security Analytics UI. If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Re: ODBC and device.ip