Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Log Collector, Security Analytics UI
RSA Version/Condition: 10.4.x
O/S Version: EL6
Issue
When parsing Windows security audit logs in RSA Security Analytics using the winevent_snare parser, the Member ID portion of the logs is not parsed.
Cause
With the winevent_snare parser, the Member ID is parsed into the c_sid variable.
In the table-map.xml file on the Log Decoder, the c_sid variable is mapped to the user.sid.src meta key, but the value is not indexed by default because the mapping has the "Transient" flag set, as shown below.
<mapping envisionName="c_sid" nwName="user.sid.src" flags="Transient"/>
Resolution
To allow the value to be parsed, change the flags attribute of the c_sid entry from Transient to None in the /etc/netwitness/ng/envision/etc/table-map.xml file on the Log Decoder, so that the entry appears as below.
<mapping envisionName="c_sid" nwName="user.sid.src" flags="None"/>
The Log Decoder service must then be restarted for the change to take effect.
To allow the Concentrator that consumes from the Log Decoder to index the new meta key, an entry similar to the example below must also be added to the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator, after which the Concentrator service must be restarted to apply the change.
<key description="Member ID Source" format="Text" level="IndexValues" name="user.sid.src"/>
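The following is an added example, not code from the RSA article or the product: it checks the two files the resolution touches, reporting the c_sid flag in table-map.xml and whether user.sid.src is defined in index-concentrator-custom.xml, and rewrites the Transient flag to None. The root element names in the constructed sample documents are assumed; only the <mapping> and <key> elements shown above are inspected, using Python's standard ElementTree.

```python
# Added example, not from the RSA article: check the two config files the fix touches.
# Sample documents are constructed; the root element names are assumed, the code only
# inspects the <mapping> and <key> elements shown in the article.
import xml.etree.ElementTree as ET

# Constructed excerpt of table-map.xml on the Log Decoder, before the fix.
TABLE_MAP_BEFORE = """<mappings>
  <mapping envisionName="c_username" nwName="username" flags="None"/>
  <mapping envisionName="c_sid" nwName="user.sid.src" flags="Transient"/>
</mappings>"""

# Constructed excerpt of index-concentrator-custom.xml on the Concentrator, key not yet added.
INDEX_CUSTOM_BEFORE = """<language>
  <key description="Username" format="Text" level="IndexValues" name="username"/>
</language>"""

def mapping_flags(table_map_xml, envision_name="c_sid"):
    """Flags attribute of the <mapping> for envision_name, or None if there is no such mapping."""
    root = ET.fromstring(table_map_xml)
    for m in root.iter("mapping"):
        if m.get("envisionName") == envision_name:
            return m.get("flags")
    return None

def set_mapping_flags(table_map_xml, envision_name="c_sid", new_flags="None"):
    """Return the XML with the mapping's flags rewritten (here: Transient -> None)."""
    root = ET.fromstring(table_map_xml)
    for m in root.iter("mapping"):
        if m.get("envisionName") == envision_name:
            m.set("flags", new_flags)
    return ET.tostring(root, encoding="unicode")

def index_level(index_xml, meta_key="user.sid.src"):
    """Level attribute of the <key> for meta_key, or None if the Concentrator does not define it."""
    root = ET.fromstring(index_xml)
    for k in root.iter("key"):
        if k.get("name") == meta_key:
            return k.get("level")
    return None

def member_id_ready(table_map_xml, index_xml):
    """True only when c_sid is no longer Transient and user.sid.src is indexed by value."""
    return mapping_flags(table_map_xml) == "None" and index_level(index_xml) == "IndexValues"

if __name__ == "__main__":
    print("Member ID indexed before fix:", member_id_ready(TABLE_MAP_BEFORE, INDEX_CUSTOM_BEFORE))
    print(set_mapping_flags(TABLE_MAP_BEFORE))
```

Both services still need a restart after the files are changed, as the resolution states; the script only verifies file contents.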
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Notes
The screenshot below shows the entry added to the index-concentrator-custom.xml file on the Concentrator via the Security Analytics UI.