000017442 - Meta device.ip or device.host doesn't show for Windows Eventing logs in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support on Sep 26, 2019
Version 3

Article Content

Article Number: 000017442
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS
Issue
The Device IP meta field (device.ip) doesn't show the Windows Eventing host source IP address in RSA NetWitness.

The user sees the log messages being collected, but they don't carry the source IP address that is normally expected under the Device IP meta key.

Alternatively, the Device Hostname meta field (device.host) is not populated from the Windows Eventing logs.

Cause
For Windows Eventing log collection, the NetWitness Log Collector does not extract the Device IP address (device.ip) or the Device Hostname (device.host) from the content of the collected Windows messages.

Instead, the Device IP or Device Host value is taken from the Windows Eventing host configuration on the NetWitness Log Collector, so which of the two meta keys is populated depends entirely on how each host's Event Source Address was entered.

If the Host's Event Source Address is configured with an IP address, then the IP address value is populated under the Device IP (device.ip) meta key.


If the Host's Event Source Address is configured with a hostname or FQDN, then that value is populated under the Device Host (device.host) meta key.

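The rule above (an IP address in the Event Source Address yields device.ip, a hostname or FQDN yields device.host) is easy to get wrong across a large Log Collector inventory. The following script is an added example, not code from the page or from RSA; it models that rule for a list of configured Event Source Addresses and flags a mixed configuration, which is the situation the Resolution below warns against. The sample addresses are constructed, and the classification logic (Python's ipaddress parser deciding what counts as an IP) is an assumption about how the collector distinguishes the two cases, not the collector's own code.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows Eventing Event Source Addresses, as an
# administrator might have entered them on the Log Collector. These are
# illustrative values, not taken from the article.
SAMPLE_EVENT_SOURCE_ADDRESSES = [
    "10.1.2.15",            # IPv4 address  -> device.ip
    "dc01.corp.example",    # FQDN          -> device.host
    "fe80::1",              # IPv6 address  -> device.ip
    "fileserver",           # short hostname-> device.host
    "10.1.2.16",            # IPv4 address  -> device.ip
]


def meta_key_for_event_source(address: str) -> str:
    """Return the meta key the Log Collector populates for one Windows
    Eventing host, following the rule the article states.

    Assumption: anything that parses as an IPv4/IPv6 address is treated
    as an IP; everything else (hostname, FQDN, or a malformed address
    such as "10.1.2") is treated as a hostname.
    """
    value = address.strip()
    if not value:
        raise ValueError("empty Event Source Address")
    try:
        ipaddress.ip_address(value)
        return "device.ip"
    except ValueError:
        return "device.host"


def predict_meta(addresses):
    """Map each configured Event Source Address to the (meta key, value)
    pair that will appear on events collected from that host."""
    return [(meta_key_for_event_source(a), a.strip()) for a in addresses]


def audit_consistency(addresses):
    """Count which meta key each configured host will produce and report
    whether the inventory is mixed, i.e. some hosts will only be findable
    under device.ip and others only under device.host."""
    counts = Counter(meta_key_for_event_source(a) for a in addresses)
    return {"counts": dict(counts), "mixed": len(counts) > 1}


if __name__ == "__main__":
    for key, value in predict_meta(SAMPLE_EVENT_SOURCE_ADDRESSES):
        print(f"{value:<22} -> {key}")
    report = audit_consistency(SAMPLE_EVENT_SOURCE_ADDRESSES)
    print(report)
    if report["mixed"]:
        print("Mixed configuration: analysts must query both device.ip "
              "and device.host to find every Windows Eventing host.")
```

Run against an export of the configured Event Source Addresses, a mixed result means the hosts should be re-entered consistently, as the Resolution advises; a single-key result tells analysts which meta key to pivot on.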
Resolution
For consistency, configure all Windows Eventing hosts in NetWitness the same way: either every host by IP address or every host by hostname/FQDN, depending on whether device.ip or device.host is the more useful meta key in your environment. A mixed configuration means analysts must query both keys to find every Windows Eventing host.
Legacy Article ID: a64843
