Log Collection File: Step 1: Configure File Event Sources in Security Analytics

Document created by RSA Information Design and Development on Jul 29, 2016

After completing this procedure, you will have:

  • Configured File collection for an event source in Security Analytics.
  • Modified File collection for an event source in Security Analytics.
  • Verified that the correct parser has been enabled on the Log Decoder to parse the log events from the new event source.


Configure File Collection for Event Source in Security Analytics

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button (AdvcdExpandBtn.PNG) under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select File/Config from the drop-down menu.
  5. In the Event Categories panel toolbar, click the Add icon (Icon-Add.png).
    [Screenshot: FileAvailESTypes.PNG]
  6. Select an event source type (for example, emc_symmetrix) and click OK.
    The newly added event source type is displayed in the Event Categories panel.
    [Screenshot: FileES1.PNG]
  7. Select the new type in the Event Categories panel and click the Add icon (Icon-Add.png) in the Sources toolbar.
    The Add Source dialog is displayed.
  8. Add a File Directory name, modify any other parameters that require changes, and click OK.
    [Screenshot: FileAddSource.PNG]
    The new event source is displayed in the list.

Configure the Security Analytics Upload Directories

After you have added and configured the event source using the Security Analytics GUI, you must configure the upload directories correctly.

  1. Change to the /var/netwitness/logcollector directory.
  2. Change the owner of the upload directory to the sftp user:
    chown sftp /var/netwitness/logcollector/upload
  3. Change the group for the upload directory to the sftp user:
    chgrp -R sftp /var/netwitness/logcollector/upload
  4. Ensure the upload directory has the correct permissions (775):
    chmod -R 775 /var/netwitness/logcollector/upload
  5. Optional: Set up a cron job to run the script at the intervals you want. If you set up a cron job, make sure it runs as the sftp user.
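To make the upload-directory steps above checkable rather than only typed once, here is an added shell example; it is not part of the RSA guide. It applies the same owner, group and mode the steps specify and then verifies the result, flagging a directory that has drifted (for example, to world-writable 777, which would let any local account drop or alter files before the collector reads them). The directory, user and group are parameters, defaulting to the guide's path and the sftp user; the stat format strings assume GNU coreutils, with a BSD fallback.

```shell
#!/bin/sh
# Added example, not from the RSA guide: apply the upload-directory ownership
# and permissions from the steps above, then verify them. Assumes a Linux host
# (GNU stat, with a BSD fallback). Directory, user and group are parameters so
# the functions can be exercised on a scratch directory without root.

# Path used by the guide; pass another directory to override it.
DEFAULT_UPLOAD_DIR=/var/netwitness/logcollector/upload

# Mirrors the guide's steps exactly: chown (non-recursive), chgrp -R, chmod -R 775.
set_upload_perms() {
    dir=$1; user=${2:-sftp}; group=${3:-sftp}
    chown "$user" "$dir" || return 1
    chgrp -R "$group" "$dir" || return 1
    chmod -R 775 "$dir" || return 1
}

# stat helpers: GNU format first, BSD format as fallback.
stat_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
stat_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
stat_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# Returns 0 when the directory exists with the expected owner, group and mode
# 775; otherwise reports each mismatch on stdout and returns 1.
verify_upload_perms() {
    dir=$1; user=${2:-sftp}; group=${3:-sftp}; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    o=$(stat_owner "$dir"); g=$(stat_group "$dir"); m=$(stat_mode "$dir")
    [ "$o" = "$user" ]  || { echo "owner is $o, expected $user"; rc=1; }
    [ "$g" = "$group" ] || { echo "group is $g, expected $group"; rc=1; }
    [ "$m" = "775" ]    || { echo "mode is $m, expected 775"; rc=1; }
    # Separate, explicit diagnostic: a world-writable drop directory is the
    # drift most worth naming in an audit report.
    case $m in
        *[2367]) echo "world-writable: $dir"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use (as root on the Log Collector host):
#   sh upload_perms.sh check   -> verify the guide's directory
#   sh upload_perms.sh fix     -> apply the guide's steps, then verify
case "${1:-}" in
    fix)   set_upload_perms "$DEFAULT_UPLOAD_DIR" && verify_upload_perms "$DEFAULT_UPLOAD_DIR" ;;
    check) verify_upload_perms "$DEFAULT_UPLOAD_DIR" ;;
esac
```

Note that the guide's chown is not recursive while its chgrp and chmod are; the function reproduces that, so files already in the directory keep their previous owner. The 775 mode applied recursively also marks every existing log file executable, which is harmless for collection but worth knowing when reviewing the directory later.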

Stop and Restart File Collection

After you add a new event source that uses file collection, you must stop and restart the Security Analytics File Collection service. This is necessary to add the key to the new event source.

Modify File Collection for Event Source in Security Analytics

To modify an event source:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button (AdvcdExpandBtn.PNG) under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select File/Config from the drop-down menu.
  5. Select an event source type (for example, emc_symmetrix) from the Event Categories panel and click OK.
  6. In the Sources panel, select an event source and click the Edit icon (icon-edit.png).
    The Edit Source dialog is displayed.
  7. Modify the parameters that require changes and click OK.
    [Screenshot: FileEditSource.PNG]
    Security Analytics applies the parameter changes to the selected event source.

Parameters

References - File Collection Configuration Parameters
