000034495 - Malware Analysis Audit log Max Length not working on RSA Netwitness

Document created by RSA Customer Support Employee on Dec 2, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000034495
Applies To:
RSA Product Set: Netwitness for Packet
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6
 
Issue: Although Max Length (default: 2048 bytes) is set to a higher value, the MA audit log is still truncated to a certain length.
Cause: The syslog receiver has its own parameter for the maximum length of a received message.

Resolution: The customer needs to extend the maximum length of the received message in the receiver module (e.g. rsyslog). Please refer to the syslog receiver documentation.
Notes

Test: inject the same pcap twice into Netwitness.


  • 1st attempt: set Identity String on the Malware Analysis > Config page to SACE6942
  • 2nd attempt: set Identity String on the Malware Analysis > Config page to SACE6942_LONGERIDENTITY_STRING

Regardless of the length of the Identity String, the receiver (rsyslog 5.x) truncates the message to 2K (the default value for rsyslog 5.x), so both messages end at the same position.





Reference: rsyslog
http://www.rsyslog.com/doc/v5-stable/configuration/global/index.html?highlight=maxmessagesize

$MaxMessageSize <size_nbr>, default 2k
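The following shell script is an added example, not part of the RSA article and not rsyslog's own tooling. It covers the resolution (raising $MaxMessageSize on the receiver) and the test in the notes (spotting truncation at the 2K limit): one function reads the effective $MaxMessageSize from an rsyslog 5.x legacy-syntax config, one checks that the directive precedes the $ModLoad lines for the network input modules, and one measures the longest line in a received log. The sample configs and the sample log are constructed inline; the TCP listener on port 514, the 8k value, and the 1024-based k/m/g suffixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the RSA article or from rsyslog). Assumptions:
# legacy "$Directive value" syntax, k/m/g suffixes multiply by 1024, and the
# directive must precede the input-module $ModLoad lines to take effect.

# Effective $MaxMessageSize in bytes for a config file; prints 2048 (the
# rsyslog 5.x default) when the directive is absent. Last occurrence wins.
rsyslog_max_message_size() {
    size=$(grep -i '^[[:space:]]*\$MaxMessageSize[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
    if [ -z "$size" ]; then echo 2048; return 0; fi
    num=$(printf '%s' "$size" | sed 's/[^0-9].*$//')
    suffix=$(printf '%s' "$size" | sed 's/^[0-9]*//' | tr 'A-Z' 'a-z')
    case "$suffix" in
        '') echo "$num" ;;
        k)  echo $((num * 1024)) ;;
        m)  echo $((num * 1024 * 1024)) ;;
        g)  echo $((num * 1024 * 1024 * 1024)) ;;
        *)  echo "unrecognised size suffix in '$size'" >&2; return 1 ;;
    esac
}

# Returns 0 if $MaxMessageSize is set and appears before the first network
# input module load ($ModLoad imudp / imtcp); 1 if it is missing or comes
# later, in which case those inputs still run with the 2k default.
rsyslog_maxsize_before_inputs() {
    size_line=$(grep -inE '^[[:space:]]*\$MaxMessageSize[[:space:]]' "$1" | head -n 1 | cut -d: -f1)
    mod_line=$(grep -inE '^[[:space:]]*\$ModLoad[[:space:]]+im(udp|tcp)' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$size_line" ] || return 1
    [ -z "$mod_line" ] || [ "$size_line" -lt "$mod_line" ]
}

# Longest line in bytes in a received log file. A maximum sitting exactly at
# the receiver limit (2048 with the default) is the truncation signature the
# article's two-identity-string test exposes.
longest_line_bytes() {
    LC_ALL=C awk '{ if (length($0) > max) max = length($0) } END { print max + 0 }' "$1"
}

# --- Constructed sample inputs (not captured from a real system) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_BAD_CONF="$SAMPLE_DIR/rsyslog-default.conf"
SAMPLE_GOOD_CONF="$SAMPLE_DIR/rsyslog-fixed.conf"
SAMPLE_LOG="$SAMPLE_DIR/ma-audit.log"

# Receiver left at defaults: no $MaxMessageSize, so 2k applies.
cat > "$SAMPLE_BAD_CONF" <<'EOF'
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/messages
EOF

# Corrected receiver: limit raised to 8k and placed before the input modules.
cat > "$SAMPLE_GOOD_CONF" <<'EOF'
$MaxMessageSize 8k
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/messages
EOF

# A 3000-byte audit line (identity string repeated 100 times) cut to the
# 2048-byte default, as a receiver left at defaults would store it.
awk 'BEGIN { for (i = 0; i < 100; i++) printf "SACE6942_LONGERIDENTITY_STRING"; print "" }' \
    | awk '{ print substr($0, 1, 2048) }' > "$SAMPLE_LOG"

for conf in "$SAMPLE_BAD_CONF" "$SAMPLE_GOOD_CONF"; do
    printf '%s: MaxMessageSize=%s bytes' "$conf" "$(rsyslog_max_message_size "$conf")"
    if rsyslog_maxsize_before_inputs "$conf"; then echo ' (set before inputs)'; else echo ' (NOT set before inputs)'; fi
done
echo "longest line in $SAMPLE_LOG: $(longest_line_bytes "$SAMPLE_LOG") bytes"
```

Run the checks against the real /etc/rsyslog.conf on the receiver after editing it, then restart rsyslog and re-inject the pcap; if the longest audit line still equals the old limit, the directive was either not picked up or placed after the input modules.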
 
