Archiver: Step 2: Add Log Decoder as a Data Source to Archiver

Document created by RSA Information Design and Development on Jul 26, 2016
Version 1

This topic provides instructions on how to add a Log Decoder as a data source to Archiver.

Prerequisites

Make sure that you have:

  1. Installed the Security Analytics Archiver host in your network environment.
  2. Installed and configured Log Decoder in your network environment.
  3. Added the Archiver as a service to your Security Analytics deployment.
  4. Applied a license to the Archiver service.

Archiver Meta Settings Considerations

By default, the Archiver is configured to store and index only a small subset of the meta items from a Log Decoder. Because the Archiver stores and indexes fewer meta items by default, you cannot query the Archiver in the same way as you would a Concentrator. You can view a list of the current meta and index items used by the Archiver in the following locations:

  • Config view > General tab > Aggregate Services panel: The information icon in the Meta Include field shows the current list of meta items for a Log Decoder added as a data source.
  • Explorer view: The metaInclude field at the /archiver/devices/<logdecoder>/config/options path shows the current list of meta items.
  • Config view > Files tab: index-archiver.xml shows the default index configuration; index-archiver-custom.xml shows any modifications.

You can add meta items to the Archiver by adding them to the Meta Include field in the user interface or to the metaInclude setting in the Explorer view. However, be warned that adding indexes and meta items can drastically change how much data is transported to the Archiver, and will require additional network bandwidth, CPU time, RAM, and disk space to process.

See Configure Meta Filters for Aggregation and Add Index Entries for Archiver Reporting below for additional details.

Add Log Decoder as a Data Source to Archiver

  1. In the Security Analytics menu, select Administration > Services.
  2. Select the added Archiver service.
  3. In the Actions column, click View > Config.
    The Services Config view of Archiver is displayed.
  4. On the General tab, in the Aggregate Services panel, click .
    The Available Services dialog is displayed.
    [Image: AvailServDg.png]
  5. Select the Log Decoder service to add as a data source to the Archiver and click OK.
  6. If the Log Decoder is using the trust model, an Add Service dialog is displayed, as shown below:
    [Image: AddSrvDataSrc.png]
  7. Type the username and password for the Log Decoder, and configure the SSL settings.
  8. Click OK.
    The selected Log Decoder service is listed in the Aggregate Services panel.

(Optional) Configure Meta Filters for Aggregation

Follow this procedure to view the current meta items and add more meta items to the Archiver.

Caution: Adding meta items and indexes can drastically change how much data is transported to the Archiver, and will require additional network bandwidth, CPU time, RAM, and disk space to process. 

  1. To view the current meta items, in the Aggregate Services panel, select the Log Decoder service and click the information icon (ic-info.png) in the Meta Include field.
    [Image: ViewMetaFilters.png]
  2. To add meta items, select the Log Decoder service and click the edit icon (ic-edit.png).
    [Image: EditAggSrvDb.png]
  3. In the Edit Aggregate Service dialog, select the meta items to include in the Meta Include list. For example, you may want to include ip.srcport, tcp.srcport, udp.srcport, msg, url, query, bytes, alias.host, ip.dst, ip.dstport, ip.src, tcp.dstport, megabytes, time, and event.desc.
  4. Click Save and then click Apply.
  5. See Add Index Entries for Archiver Reporting below for information on how to index the additional meta keys.

(Optional) Add Index Entries for Archiver Reporting

Caution: Adding meta items and indexes can drastically change how much data is transported to the Archiver, and will require additional network bandwidth, CPU time, RAM, and disk space to process. 

The Archiver’s default index configuration only includes value indexes for these keys:

  • time
  • decoder source (did)
  • destination user account (user.dst)
  • alert ID (alert.id)
  • device IP (device.ip)
  • source IP address (ip.src)
  • destination IP address (ip.dst)
  • event description (event.desc)
  • device class (device.class)
  • medium
  • object name (obj.name)

For information on customizing this list, see Index Customization in the Security Analytics Core Database Tuning Guide.
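The two optional procedures above are linked: a meta key added to Meta Include is stored by the Archiver, but it is only queryable by value if it also has a value-level entry in the index configuration. The following script is an added example (not RSA's code or part of this document) that checks a proposed metaInclude list against the default value-indexed keys listed above plus the entries in an index-archiver-custom.xml, and reports which included keys would still have no value index. It assumes that metaInclude is a comma-separated list and that the index file uses the `<language><key name="..." level="IndexValues"/></language>` layout of NetWitness Core index files; the sample XML and metaInclude string are constructed for illustration.

```python
"""Report Archiver metaInclude keys that lack a value-level index entry.

Added example, not RSA's code. Assumptions: metaInclude is a comma-separated
list of meta keys, and index-archiver*.xml consists of <key> elements with
"name" and "level" attributes under a <language> root (NetWitness Core index
file layout, assumed here).
"""
import xml.etree.ElementTree as ET
from typing import List, Set

# Keys that the document lists as value-indexed by default on the Archiver.
DEFAULT_VALUE_INDEXED: Set[str] = {
    "time", "did", "user.dst", "alert.id", "device.ip", "ip.src", "ip.dst",
    "event.desc", "device.class", "medium", "obj.name",
}

# Constructed sample of an index-archiver-custom.xml; not a real file.
SAMPLE_CUSTOM_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <key description="Destination Port" format="UInt16" level="IndexValues" name="ip.dstport" valueMax="65536"/>
    <key description="Hostname Aliases" format="Text" level="IndexValues" name="alias.host" valueMax="250000"/>
    <key description="Message" format="Text" level="IndexKeys" name="msg"/>
</language>
"""


def parse_meta_include(value: str) -> List[str]:
    """Split a metaInclude option value into keys, ignoring blanks and spaces."""
    return [k.strip() for k in value.split(",") if k.strip()]


def value_indexed_keys(index_xml: str) -> Set[str]:
    """Return the key names whose level is IndexValues in an index XML document.

    Keys at IndexKeys or IndexNone are deliberately excluded: they can be
    stored but not queried by value.
    """
    root = ET.fromstring(index_xml)
    return {
        k.get("name")
        for k in root.iter("key")
        if k.get("level") == "IndexValues" and k.get("name")
    }


def unindexed_meta(meta_include: str, custom_index_xml: str) -> List[str]:
    """Keys present in metaInclude that have no value index (default or custom).

    These keys consume transport and storage on the Archiver without becoming
    value-queryable; each one is a candidate either for an index entry or for
    removal from Meta Include. Sorted for stable output.
    """
    indexed = DEFAULT_VALUE_INDEXED | value_indexed_keys(custom_index_xml)
    return sorted(k for k in parse_meta_include(meta_include) if k not in indexed)


if __name__ == "__main__":
    # Constructed metaInclude value mirroring the keys suggested in the document.
    sample_include = "time, did, ip.src, ip.dst, ip.dstport, alias.host, msg, url, query"
    print(unindexed_meta(sample_include, SAMPLE_CUSTOM_INDEX))
```

Run it against the actual metaInclude value copied from the Explorer view and the real index-archiver-custom.xml from the Files tab; any key it reports is one you are paying bandwidth and disk for without gaining the ability to query it by value, which is usually the sign that an index entry was forgotten after a Meta Include change.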
