|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x
|Issue||The Device IP meta field (device.ip) doesn't show the Windows Eventing host source IP address in RSA NetWitness.|
|Cause||For NetWitness Windows Eventing log collection, the NetWitness Log Collector doesn't extract the Device IP address (device.ip) or the Device Hostname (device.host) from the collected Windows messages.|
Rather, the Device IP or Device Host value is determined by examining the NetWitness Log Collector Windows Eventing host configuration.
If the Host's Event Source Address is configured with an IP address, then the IP address value is populated under the Device IP (device.ip) meta key.
If the Host's Event Source Address is configured with a hostname or FQDN, then that value is populated under the Device Host (device.host) meta key.
|Resolution||For consistency, configure the Windows Eventing hosts in NetWitness using either an IP address or a hostname, depending on which meta field is most useful for your environment.|
|Legacy Article ID||a64843|
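The following audit sketch is an added example, not part of the original article or of NetWitness. It predicts which meta key each configured Event Source Address will populate and lists the hosts that deviate from the chosen convention. The address list is constructed sample data, and the rule that any value which is not a valid IP literal counts as a hostname is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: Event Source Address values as entered for each
# Windows Eventing host (not exported from a real Log Collector).
SAMPLE_ADDRESSES = [
    "10.20.30.41",
    "10.20.30.42",
    "dc01.corp.example",
    "FILESRV02",
    " 10.20.30.43 ",  # stray whitespace from a copy/paste
]


def predicted_meta_key(address):
    """Return the meta key the article says will carry this address."""
    try:
        ipaddress.ip_address(address.strip())
        return "device.ip"
    except ValueError:
        # Assumption: anything that is not a valid IP literal is treated
        # as a hostname or FQDN, so it lands in device.host.
        return "device.host"


def audit(addresses, preferred="device.ip"):
    """Group addresses by predicted meta key and list those to reconfigure."""
    groups = defaultdict(list)
    for raw in addresses:
        addr = raw.strip()
        if addr:
            groups[predicted_meta_key(addr)].append(addr)
    outliers = [
        addr
        for key, members in groups.items()
        if key != preferred
        for addr in members
    ]
    return dict(groups), sorted(outliers)


if __name__ == "__main__":
    preferred = "device.ip"
    groups, outliers = audit(SAMPLE_ADDRESSES, preferred)
    for key in sorted(groups):
        print(f"{key}: {len(groups[key])} host(s)")
    for addr in outliers:
        print(f"not populating {preferred}: {addr}")
```

Hosts listed as outliers will be missed by any query, report, or alert rule that filters only on the preferred meta key.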