Log Collection ODBC: Create Custom Content Typespec for ODBC Collection

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic tells you how to create a custom typespec for the Log Collector. The topic includes:

  • Create Custom Typespec procedure
  • ODBC Collection Typespec Syntax
  • Sample ODBC Collection Typespec File.


To create a custom typespec file:

  1. Copy an existing typespec file of the same collection type and save it under a new name in the same directory. For ODBC collection, copy actividentity.xml from /etc/netwitness/ng/logcollection/content/collection/odbc and save the copy under a new name in that directory.
  2. Modify the copy according to your requirements, following the syntax described below. Keep the file well-formed XML; a file that does not parse is ignored rather than reported.
  3. Restart the Log Collector. The new device type does not appear in Security Analytics until the Log Collector has been restarted.

ODBC Collection Typespec Syntax

                                                                                           
SyntaxDescription
<?xml version="1.0" encoding="UTF-8"?>Do not modify this line.
<typespec>Do not modify this line.
<name>event-source</name>Event source name. Replace event-source with the name of your ODBC event source (for example, actividentity). Security Analytics displays this name in the Sources panel of the View > Config > Events Sources tab.
<type>odbc</type>  Event source type (file, odbc, windows, etc.).  Do not modify this line.
<prettyName>event-source-name</prettyName>User-defined name for the event source.  You can use the same value as  name (for example, actividentity) or use a more descriptive name.
<version>1.0</version>  Version of this typespec file. Default value is 1.0.
<author>author-name</author>Person who created the typespec file. Replace author-name with your name.
<description>formal-description</description>Formal description of the event source. Replace formal-descriptionwith your description of the event source.
<device>Do not modify this line.
<name>device</name>Replace device with the device information name (for example, ActivIdentity ActivCard AAA Server).
<maxVersion>n</maxVersionReplace n with the version number of the device (for example, 6.4.1).
<description>description</description>Description of the device. Replace description with your description of the device.
</device>Do not modify this line.
<configuration> 
</configuration>
Not used by ODBC collection.
<collection>Do not modify this line.
<odbc>The syntax under <odbc> is used for event collection and processing.  You can provide multiple queries for same eventsource type by adding <query> tags.
<query>Do not modify this line.
<tag>prefix</tag> Replace prefix with the prefix tag you want to add to events during transformation (for example ActivIdentity).
<outputDelimiter>x</outputDelimiter>Specify the delimiter to use to separate fields during transformation.  Specify any of the following values for x:
  ||(piping)
  ^ (caret)
  , (comma)
  : (colon)
  0x20 (for a space)
<interval>n</interval> Specify the number of seconds between events for n. Default value is 60.
<dataQuery>SQL-syntax</dataQuery>Specify the query to fetch data from the ODBC eventsource database for SQL-syntax. For example: SELECT acceptedrejected, servername, serveripa, sdate, millisecond, suid, groupname, ipa, reason, info1, info2, threadid FROM A_AHLOG WHERE sdate > '%TRACKING%' ORDER BY sdate
<maxTrackingQuery>SQL-syntax</maxTrackingQuery>Specify the query to look for new data for SQL-syntax. For example: SELECT MAX(sdate) FROM A_AHLOG
<addressColumn>source-address-col-value
</addressColumn>
Replace the source-address-col-value with the database column value of the source address for each event (for example, serverIPA).
<trackingColumn>col-value</trackingColumn>Replace col-value with the tracking column value when the ODBC collector pulls a new set of events.
</query>Do not modify this line.
</odbc>Do not modify this line.
</collection>Do not modify this line.
</typespec>Do not modify this line.
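The procedure and syntax table above leave the first real check to the Log Collector restart. The following script is an added example for this page, not RSA code: it applies the table's rules to a typespec file (well-formed XML, required elements, permitted delimiters, a positive interval, SELECT-only queries, a %TRACKING% placeholder, and tracking and address columns that the queries actually reference) and also performs steps 1 and 2 of the procedure by cloning a template under a new name. The SAMPLE typespec is constructed for the example and modelled on the actividentity file shown below; its second query contains three deliberate mistakes so the linter has something to report.

```python
"""Lint and clone RSA Log Collector ODBC typespec files (added example, not RSA code).
Applies the rules from the syntax table above so mistakes surface before install."""
import re
import xml.etree.ElementTree as ET

ALLOWED_DELIMITERS = {"||", "^", ",", ":", "0x20"}
REQUIRED_TOP = ("name", "type", "prettyName", "version", "author",
                "description", "device", "configuration", "collection")
REQUIRED_QUERY = ("tag", "outputDelimiter", "interval", "dataQuery",
                  "maxTrackingQuery", "addressColumn", "trackingColumn")

def _text(elem, tag):
    """Stripped text of a direct child element, or '' if absent or empty."""
    return (elem.findtext(tag) or "").strip()

def _mentions(sql, column):
    """True if column appears as a whole word in sql (case-insensitive, the way
    most ODBC drivers resolve unquoted identifiers)."""
    return re.search(r"\b%s\b" % re.escape(column), sql, re.IGNORECASE) is not None

def lint_typespec(xml_text):
    """Return a list of problem strings; an empty list means the file passes."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "typespec":
        return ["root element is <%s>, expected <typespec>" % root.tag]
    problems = ["missing <%s>" % t for t in REQUIRED_TOP if root.find(t) is None]
    if _text(root, "type") != "odbc":
        problems.append("<type> must be odbc for ODBC collection")
    for n, q in enumerate(root.findall("collection/odbc/query"), 1):
        where = "query %d: " % n
        missing = [t for t in REQUIRED_QUERY if q.find(t) is None]
        if missing:
            problems.append(where + "missing " + ", ".join("<%s>" % t for t in missing))
            continue
        delim, interval = _text(q, "outputDelimiter"), _text(q, "interval")
        if delim not in ALLOWED_DELIMITERS:
            problems.append(where + "unsupported outputDelimiter %r" % delim)
        if not interval.isdigit() or int(interval) <= 0:
            problems.append(where + "interval must be a positive number of seconds")
        data_q, max_q = (" ".join(_text(q, t).split()) for t in ("dataQuery", "maxTrackingQuery"))
        track, addr = _text(q, "trackingColumn"), _text(q, "addressColumn")
        # The collector sends both statements to the database as written, so the
        # DSN account only ever needs SELECT; anything else here is a mistake.
        for label, sql in (("dataQuery", data_q), ("maxTrackingQuery", max_q)):
            if not sql.upper().startswith("SELECT"):
                problems.append(where + label + " must be a single SELECT statement")
        if "%TRACKING%" not in data_q:
            problems.append(where + "dataQuery has no %TRACKING% placeholder, so "
                            "every poll would re-collect the whole table")
        if not track:
            problems.append(where + "trackingColumn is empty")
        elif not (_mentions(data_q, track) and _mentions(max_q, track)):
            problems.append(where + "trackingColumn %r is not used by both queries" % track)
        if addr and not _mentions(data_q, addr):
            problems.append(where + "addressColumn %r is not selected by dataQuery" % addr)
    return problems

def clone_typespec(template_xml, new_name, new_pretty_name):
    """Steps 1 and 2 of the procedure: copy a template and give it a new identity."""
    root = ET.fromstring(template_xml.encode("utf-8"))
    root.find("name").text = new_name
    root.find("prettyName").text = new_pretty_name
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

# Constructed sample modelled on the actividentity file on this page. Query 1 is
# correct; query 2 carries three deliberate mistakes for the linter to report.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<typespec>
  <name>actividentity</name><type>odbc</type><prettyName>ACTIVIDENTITY</prettyName>
  <version>1.0</version><author>Administrator</author>
  <description>Collects events from ActivIdentity ActivCard AAA Server</description>
  <device><name>ActivIdentity ActivCard AAA Server</name><maxVersion>6.4.1</maxVersion>
          <description></description></device>
  <configuration></configuration>
  <collection><odbc>
    <query>
      <tag>ActivIdentity</tag><outputDelimiter>||</outputDelimiter><interval>60</interval>
      <dataQuery>SELECT servername, serveripa, sdate, suid, reason FROM A_AHLOG
                 WHERE sdate > '%TRACKING%' ORDER BY sdate</dataQuery>
      <maxTrackingQuery>SELECT MAX(sdate) FROM A_AHLOG</maxTrackingQuery>
      <addressColumn>serveripa</addressColumn><trackingColumn>sdate</trackingColumn>
    </query>
    <query>
      <tag>ActivIdentity</tag><outputDelimiter>;</outputDelimiter><interval>60</interval>
      <dataQuery>SELECT object, suid, sdate, operation FROM A_AUDIT ORDER BY sdate</dataQuery>
      <maxTrackingQuery>SELECT MAX(sdate) FROM A_AUDIT</maxTrackingQuery>
      <addressColumn>ipa</addressColumn><trackingColumn>sdate</trackingColumn>
    </query>
  </odbc></collection>
</typespec>
"""
```

Run lint_typespec over the contents of the copied file before step 3; on SAMPLE it reports the unsupported ";" delimiter, the missing %TRACKING% placeholder and the unselected ipa address column, all in query 2, and clone_typespec(SAMPLE, "mydb", "MYDB") returns the same file with its name and prettyName replaced. Reading the file from disk and writing the clone back into the odbc directory is left to the caller.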

Sample ODBC Collection Typespec File

<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample actividentity typespec, odbc collection -->
<typespec>
    <name>actividentity</name>
    <type>odbc</type>
    <prettyName>ACTIVIDENTITY</prettyName>
    <version>1.0</version>
    <author>Administrator</author>
    <description>Collects events from ActivIdentity ActivCard AAA Server</description>
    <device>
        <name>ActivIdentity ActivCard AAA Server</name>
        <maxVersion>6.4.1</maxVersion>
        <description></description>
    </device>
    <configuration>
    </configuration>
    <collection>
        <odbc>
            <query>
                <tag>ActivIdentity</tag>
                <outputDelimiter>||</outputDelimiter>
                <interval>60</interval>
                <dataQuery>
                    SELECT acceptedrejected, servername, serveripa, sdate, millisecond, suid, groupname, ipa, reason, info1, info2, threadid FROM A_AHLOG WHERE sdate > '%TRACKING%' ORDER BY sdate
                </dataQuery>
                <maxTrackingQuery>
                    SELECT MAX(sdate) FROM A_AHLOG
                </maxTrackingQuery>
                <addressColumn>serverIPA</addressColumn>
                <trackingColumn>sdate</trackingColumn>
            </query>
            <query>
                <tag>ActivIdentity</tag>
                <outputDelimiter>||</outputDelimiter>
                <interval>60</interval>
                <dataQuery>
                    SELECT object, suid, sdate, objname, operation, opdetail, param1, param2, param3, param4 FROM A_AUDIT WHERE sdate > '%TRACKING%' ORDER BY sdate
                </dataQuery>
                <maxTrackingQuery>
                    SELECT MAX(sdate) FROM A_AUDIT
                </maxTrackingQuery>
                <addressColumn></addressColumn>
                <trackingColumn>sdate</trackingColumn>
            </query>
        </odbc>
    </collection>
</typespec>
