000030234 - The winevent_snare parser is not parsing the Member ID from logs in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016; last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000030234
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Log Collector, Security Analytics UI
RSA Version/Condition: 10.4.x
Platform: CentOS
O/S Version: EL6
Issue: When Windows security audit logs are parsed in RSA Security Analytics by the winevent_snare parser, the Member ID portion of the event (the SID of the account named in the event) is not written as meta, so it cannot be queried or seen in Investigation even though it is visible in the raw log.
[Screenshot: Event Reconstruction showing the Member ID in the raw log]
Cause: In the winevent_snare parser, the Member ID is captured into the c_sid variable.
In the table-map.xml file on the Log Decoder, c_sid is mapped to the user.sid.src meta key, but the mapping carries the Transient flag, as shown below. Transient meta is available to the parser while the event is being processed but is never written to the meta database, so by default the value is neither stored nor available for indexing.
<mapping envisionName="c_sid" nwName="user.sid.src" flags="Transient"/>
Resolution: To have the value written as meta, change the flags attribute of the c_sid entry from Transient to None in the /etc/netwitness/ng/envision/etc/table-map.xml file on the Log Decoder, so that the line reads as below.
<mapping envisionName="c_sid" nwName="user.sid.src" flags="None"/>

Restart the Log Decoder service for the change to take effect. Content or parser updates can replace table-map.xml, so confirm the edit is still present after any such update (if your deployment carries a table-map-custom.xml, an override placed there takes precedence and survives updates).
The Concentrator that consumes from this Log Decoder must also index the new meta key. Add an entry similar to the example below to the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator, then restart the Concentrator service to apply the change.
<key description="Member ID Source" format="Text" level="IndexValues" name="user.sid.src"/>

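The two file edits above, scripted so that only the c_sid line is touched and the index entry is not duplicated on a second run. This is an added example, not RSA tooling from the article. It assumes that index-concentrator-custom.xml has a <language> root element (the key is inserted before the closing tag) and that the EL6 service names are nwlogdecoder and nwconcentrator; the default paths are the ones given in the article and can be overridden to work on copies.

```shell
#!/bin/sh
# Added example, not RSA's own tooling. Applies the two edits from the
# resolution above and verifies each one. Assumptions not stated in the
# article: index-concentrator-custom.xml has a <language> root element, and
# the EL6 service names are nwlogdecoder and nwconcentrator.
set -eu

TABLE_MAP="${TABLE_MAP:-/etc/netwitness/ng/envision/etc/table-map.xml}"
INDEX_CUSTOM="${INDEX_CUSTOM:-/etc/netwitness/ng/index-concentrator-custom.xml}"
INDEX_KEY='<key description="Member ID Source" format="Text" level="IndexValues" name="user.sid.src"/>'

# Print the current flags value of the c_sid mapping (empty if none found).
c_sid_flag() {
    sed -n '/envisionName="c_sid"/ s/.*flags="\([^"]*\)".*/\1/p' "$1"
}

# Rewrite flags="Transient" to flags="None" on the c_sid mapping line only;
# other Transient mappings are left as they are. Keeps a .bak copy and
# succeeds only if the file now carries flags="None" for c_sid.
fix_c_sid_mapping() {
    file="$1"
    cp -p "$file" "$file.bak"
    sed '/envisionName="c_sid"/ s/flags="Transient"/flags="None"/' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    [ "$(c_sid_flag "$file")" = "None" ]
}

# Add the user.sid.src index entry before the closing </language> tag,
# unless the file already indexes that key (safe to run more than once).
add_index_key() {
    file="$1"
    if grep -q 'name="user.sid.src"' "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak"
    awk -v key="    $INDEX_KEY" '/<\/language>/ { print key } { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    grep -q 'name="user.sid.src"' "$file"
}

# Restart the services so the edits take effect (assumed EL6 service names).
restart_log_decoder() { service nwlogdecoder restart; }
restart_concentrator() { service nwconcentrator restart; }

# Usage: sh fix_c_sid.sh decoder        (run on the Log Decoder)
#        sh fix_c_sid.sh concentrator   (run on the Concentrator)
case "${1:-}" in
    decoder)
        fix_c_sid_mapping "$TABLE_MAP" && restart_log_decoder
        ;;
    concentrator)
        add_index_key "$INDEX_CUSTOM" && restart_concentrator
        ;;
esac
```

Run it once on each appliance with the matching argument; without an argument it only defines the functions, which makes it easy to dry-run against copies by setting TABLE_MAP and INDEX_CUSTOM to the copied files and calling fix_c_sid_mapping or add_index_key by hand. The .bak copies are what you revert to if the Log Decoder or Concentrator fails to come back up after the restart.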
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Notes: The screenshot below shows the entry added to the index-concentrator-custom.xml file on the Concentrator via the Security Analytics UI.
[Screenshot: user.sid.src key entry in index-concentrator-custom.xml as shown in the Security Analytics UI]