000031312 - ODBC event source parses the device.ip field incorrectly in RSA Security Analytics 10.3.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000031312
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Log Decoder, Security Analytics UI
RSA Version/Condition: 10.3.x
Platform: CentOS
Platform (Other): ODBC
O/S Version: EL5, EL6
Issue: When investigating meta from an ODBC event source, the device.ip field does not match the IP address of the SQL database, particularly with the hips8x and epolicyvirus4_5 event sources.
Instead, the device.ip field contains the IP address of the host that sent its logs to the SQL database.
Cause: For hips8x and epolicyvirus4_5, the device.ip field is populated with the IP address from the AnalyzerIPV4 column of the incoming log, which identifies the reporting host rather than the database.
For the hips8x event source, this mapping is defined in the /etc/netwitness/ng/logcollection/content/collection/odbc/hips8x.xml file.
For the epolicyvirus4_5 event source, it is defined in the /etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml file.
Resolution

To make device.ip reflect the IP address of the database rather than the reporting host, delete the AnalyzerIPV4 field from the ODBC type spec definition file and make minor changes in the Security Analytics UI.
Follow the steps below to perform this procedure.


  1. Stop ODBC collection via the Security Analytics UI.
    (screenshot: StopODBC)
  2. Update the event source configuration in the Security Analytics UI and enter the IP address of the SQL database server in place of 127.0.0.1.
    (screenshot: ModifyUI)
  3. Issue the command below to edit the ODBC type spec definition file (hips8x.xml is shown; for the epolicyvirus4_5 event source, edit epolicyvirus4_5.xml in the same directory).
    vi /etc/netwitness/ng/logcollection/content/collection/odbc/hips8x.xml

  4. Update the ODBC type spec definition file by removing [EPOEvents].[AnalyzerIPV4] from the query column list, as shown below.
    (screenshot: removedefinition)
  5. Restart the nwlogcollector service for the changes to take effect.
    [root@logdecoder ~]# stop nwlogcollector
    nwlogcollector stop/waiting
    [root@logdecoder ~]# start nwlogcollector
    nwlogcollector start/running, process 24648

  6. Start the ODBC collection again via the Security Analytics UI.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
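The screenshot for step 4 is not reproduced above, so the following added example shows the edit itself as a small script. It is not RSA's code and does not reproduce the real layout of hips8x.xml; it assumes only that the type spec carries the SQL column list as plain text, and the sample query below is constructed for the demonstration (only the [EPOEvents].[AnalyzerIPV4] reference comes from the article). It takes a backup before writing, handles the column sitting first, in the middle, or last in the SELECT list (so no dangling comma is left behind to break the query), and reports whether any reference survives.

```python
import re
import shutil
from pathlib import Path

# Constructed sample: a SELECT column list of the kind an ODBC type spec might
# carry for the hips8x event source. The real hips8x.xml layout is NOT
# reproduced here (assumption); only the column reference named in the
# article, [EPOEvents].[AnalyzerIPV4], is taken from the page.
SAMPLE_QUERY = """SELECT [EPOEvents].[AutoID],
       [EPOEvents].[AnalyzerIPV4],
       [EPOEvents].[SourceIPV4],
       [EPOEvents].[ThreatName]
FROM [EPOEvents]"""

COLUMN_TO_REMOVE = "[EPOEvents].[AnalyzerIPV4]"


def remove_column(query: str, column: str) -> str:
    """Drop one column reference from a comma-separated SELECT list.

    Works whether the column is first, in the middle, or last in the list,
    and returns the text unchanged when the column is not referenced, so
    running it twice is safe. A column that is the only entry in the list
    (no comma on either side) is deliberately left alone.
    """
    col = re.escape(column)
    # First or middle position: the column is followed by a comma, so remove
    # the column, the comma and the whitespace up to the next column.
    leading = re.compile(col + r"\s*,\s*", re.IGNORECASE)
    # Last position: the column is preceded by a comma, so remove the comma,
    # the whitespace and the column.
    trailing = re.compile(r",\s*" + col, re.IGNORECASE)
    new_query, count = leading.subn("", query)
    if count == 0:
        new_query, count = trailing.subn("", query)
    return new_query


def still_referenced(text: str, column_name: str) -> bool:
    """Post-edit check: True if the bare column name survives anywhere."""
    return column_name.lower() in text.lower()


def patch_spec_file(path: Path, column: str) -> bool:
    """Back up the spec file to <name>.bak, remove the column, rewrite the file.

    Returns True if the file changed. The backup is what you restore if
    collection fails after the nwlogcollector restart.
    """
    original = path.read_text(encoding="utf-8")
    updated = remove_column(original, column)
    if updated == original:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    import tempfile

    # Demo on a temporary copy rather than on the live file under
    # /etc/netwitness/ng/logcollection/content/collection/odbc/ (path from the article).
    with tempfile.TemporaryDirectory() as tmp:
        spec = Path(tmp) / "hips8x.xml"
        spec.write_text(SAMPLE_QUERY, encoding="utf-8")
        changed = patch_spec_file(spec, COLUMN_TO_REMOVE)
        result = spec.read_text(encoding="utf-8")
        print("changed:", changed)
        print(result)
        print("AnalyzerIPV4 still referenced:", still_referenced(result, "AnalyzerIPV4"))
```

Run it against a copy of the spec file first; once the column list looks right and still_referenced returns False, apply the same edit to the live file and continue with the nwlogcollector restart in step 5. Keep the .bak file until ODBC collection has been started again and device.ip is confirmed to show the database address.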
