on Jun 16, 2016Article Content
| Article Number | 000017442 |
| Applies To | RSA Product Set: NetWitness Logs & Network RSA Product/Service Type: Log Collector RSA Version/Condition: 10.6.x, 11.x Platform: CentOS |
| Issue | The Device IP meta field (device.ip) doesn't show the Windows Eventing host source IP address in RSA NetWitness. User sees log messages being collected, but they don't contain the source IP address, which normally are expected to be seen under the Device IP meta key. Alternatively, the Device hostname meta field (device.host) doesn't show from the Windows Eventing logs.  |
| Cause | For NetWitness Windows Eventing log collection, the NetWitness Log Collector doesn't extract the Device IP address (device.ip) or the Device Hostname (device.host) from the collected Windows messages. Rather, the Device IP or Device Host value is determined by examining the NetWitness Log Collector Windows Eventing host configuration. If the Host's Event Source Address is configured with an IP address, then the IP address value is populated under the Device IP (device.ip) meta key.  If the Host's Event Source Address is configured with a hostname or FQDN, then that value is populated under the Device Host (device.host) meta key.  |
| Resolution | For consistency configure the Windows Eventing Hosts in NetWitness using one of IP address or Hostname, depending on which meta field is most useful for your environment. |
| Legacy Article ID | a64843 |