The Log Collector discovers the event source type on a per-message basis. If the correct parser is not used for a specific event source, messages whose format is common to several event source types are misclassified. Misidentified messages do not populate service rules and alerts, and reports do not contain the correct information. Also, if multiple services are associated with one IP address, it can be difficult for the parsers to identify the exact service from which a log was generated.
If you map an IP address to its services, the log decoder can identify the service from which the log is generated. When messages come into the log decoder from a mapped service, the assigned parsers are loaded to find event matches.
You can assign service types to the IPv4 address, IPv6 address, or hostname of the event source. You can also assign multiple service types to a single IP address, and you can use the CollectorID when different service types with the same IP address are sent to different collectors.
To map an IP address to a service type, do the following:
- In the Security Analytics menu, select Administration > Services.
- In the Services view, select a Log Decoder, and in the Actions column, select > View > Explore.
- Go to /decoder/parsers node, right-click parsers, and select Properties.
- In the Properties view, specify the ipdevice command with the following parameters:
op=edit entries="+/-ipaddress=service" reload=true (for example, op=edit entries="+10.100.201.300=ciscoasa" reload=true)
- Click Send.
In the ipdevice command, two operations are available:
- Edit: You can use this operation to add and delete entries in the ipdevice map.
  - To add an entry, specify: +<IP value>=<service type>
  - To delete an entry, specify: -<IP value>=<service type>
- Describe: This operation returns the values currently in the ipdevice map.
You need to reload the parser after editing the ipdevice map by adding the reload=true parameter. However, do not reload after each entry; reload only once, at the end of the task. You can also override an existing configuration by editing the value; the new value takes effect after the parser is reloaded.
Security Analytics maps the IP address to the service types in the log decoder.
The following examples provide different instances for mapping IP address to service types:
- If you want to map two different entries with different IPV4 values and service types, enter the following parameter in the ipdevice command and click Send.
op=edit entries="+10.5.245.9=ciscoasa +10.5.245.45=vmware_vcloud"
- If you want to remove an entry for a single IPV4 value and service type, enter the following parameter in the ipdevice command and click Send.
- If you want to create a single entry for an IPV6 value and service type, enter the following parameter in the ipdevice command and click Send.
op=edit entries="+2001:0db8:85a3:0000:0000:8a2e:0370:7353=vmware_esx_esxi"
- If you want to create a single entry for a single IPV4 value that has two service types and send each service type to different collectors, enter the following parameter in the ipdevice command and click Send.
op=edit entries="+10.168.0.2,nwappliance20819=rhlinux +10.168.0.2,nwappliance3014=apache"
- If you want to create an entry for a single hostname with two different service types and load the parser, enter the following parameter in the ipdevice command and click Send.
op=edit entries="+RS214Server-2=rhlinux,apache" reload=true
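The examples above, as an added worked check that is not part of the original documentation or of the Security Analytics product: a small Python model of the ipdevice map that parses the same entries syntax (a + or - prefix, an IPv4 address, IPv6 address or hostname, an optional ,CollectorID suffix, and one or more comma-separated service types), validates every entry before anything is applied, honours the reload=true parameter, and renders the map the way the describe operation lists it. It lets you check a command offline before sending it to a decoder. The function names are mine; the rule that a - entry removes only the named service types for that source, and the hostname syntax check, are assumptions rather than documented product behaviour.

```python
import ipaddress
import re
import shlex

# Constructed model of the Log Decoder ipdevice map (not the product's data structure):
# key = (address, collector_id or None), value = set of service types (parser names).
IPV4_SHAPE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^{HOST_LABEL}(?:\.{HOST_LABEL})*$")
SERVICE_TYPE = re.compile(r"[A-Za-z0-9_]+")


def normalize_address(text):
    """Return a canonical address key; reject anything that is neither a valid
    IPv4/IPv6 literal nor a syntactically valid hostname (assumed hostname rules)."""
    if IPV4_SHAPE.match(text):
        # Dotted-quad shape: every octet must be 0-255, so 10.100.201.300 is rejected.
        return str(ipaddress.IPv4Address(text))
    try:
        return str(ipaddress.ip_address(text))  # IPv6 is compressed to canonical form
    except ValueError:
        pass
    if HOSTNAME.match(text):
        return text
    raise ValueError(f"not an IP address or hostname: {text!r}")


def parse_entry(token):
    """Parse one entries token: [+|-]<address>[,<collector>]=<svc>[,<svc>...]."""
    if not token or token[0] not in "+-":
        raise ValueError(f"entry must start with + or -: {token!r}")
    op = token[0]
    key, sep, services = token[1:].partition("=")
    if not sep or not services:
        raise ValueError(f"entry needs <address>=<service type>: {token!r}")
    address, _, collector = key.partition(",")
    service_types = [s for s in services.split(",") if s]
    if not service_types or not all(SERVICE_TYPE.fullmatch(s) for s in service_types):
        raise ValueError(f"bad service type list: {services!r}")
    return op, (normalize_address(address), collector or None), service_types


def validate_entries(entries):
    """Return the list of error messages for an entries string (empty = acceptable)."""
    errors = []
    for tok in entries.split():
        try:
            parse_entry(tok)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def apply_edit(mapping, entries):
    """Apply a whitespace-separated entries string to the map in place.
    Every token is parsed first, so one bad token leaves the map unchanged."""
    parsed = [parse_entry(tok) for tok in entries.split()]
    for op, key, service_types in parsed:
        if op == "+":
            mapping.setdefault(key, set()).update(service_types)
        else:
            # Assumption: a '-' entry removes only the named service types for that source.
            current = mapping.get(key, set())
            current.difference_update(service_types)
            if not current:
                mapping.pop(key, None)
    return mapping


def describe(mapping):
    """Render the map as the describe operation would: one line per source."""
    lines = []
    for (address, collector), service_types in sorted(
        mapping.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")
    ):
        source = address if collector is None else f"{address},{collector}"
        lines.append(f"{source}={','.join(sorted(service_types))}")
    return lines


def run_command(mapping, command):
    """Interpret a full ipdevice command line, e.g.
    op=edit entries="+10.5.245.9=ciscoasa" reload=true
    Returns (describe lines, whether a parser reload was requested)."""
    params = dict(part.split("=", 1) for part in shlex.split(command))
    op = params.get("op")
    reload_requested = params.get("reload", "false").lower() == "true"
    if op == "edit":
        apply_edit(mapping, params.get("entries", ""))
    elif op != "describe":
        raise ValueError(f"unknown op: {op!r}")
    return describe(mapping), reload_requested


if __name__ == "__main__":
    ipdevice = {}
    for cmd in (
        'op=edit entries="+10.5.245.9=ciscoasa +10.5.245.45=vmware_vcloud"',
        'op=edit entries="+2001:0db8:85a3:0000:0000:8a2e:0370:7353=vmware_esx_esxi"',
        'op=edit entries="+10.168.0.2,nwappliance20819=rhlinux +10.168.0.2,nwappliance3014=apache"',
        'op=edit entries="+RS214Server-2=rhlinux,apache" reload=true',
        "op=describe",
    ):
        lines, reload_requested = run_command(ipdevice, cmd)
        print(cmd, "->", "reload" if reload_requested else "no reload")
        print("\n".join("  " + line for line in lines))
```

Running validate_entries on the template's own sample value, +10.100.201.300=ciscoasa, returns an error because 300 is not a valid octet, which is exactly the kind of mistake worth catching before a reload: the decoder would otherwise never match that source to its parser. Because apply_edit parses everything before mutating the map, a multi-entry command either applies completely or not at all, mirroring the advice to reload once at the end rather than after each entry.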