Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000034768 - Issue collecting winevent_snare logs on RSA NetWitness Virtual Log Collector (VLC)

Document created by RSA Customer Support

on Feb 23, 2017•Last modified by RSA Customer Support on Apr 11, 2018

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000034768
Applies To	RSA Product Set: NetWitness Logs and Packets RSA Product/Service Type: NetWitness Logs and Packets RSA Version/Condition: 10.6.and above Product Description: NetWitness Logs and Packets
Issue	The snare logs being sent to the Virtual Log Collector come in as undefined or as a completely different device type. There is no issue with snare logs being sent directly to the log decoder.
Cause	It appears that the tabs in the snare logs are being identified as spaces. Winevent_snare now supports tab delimited logs with the latest parser.
Resolution	The fix is to remove the highlighted item on the Virtual Log Collector in question (please see screenshot). Note: If UDP is configured on Snare Source instead, then the changes on the syslog-udp need to be made. See below : Then restart nwlogcollector service after making above changes.

Attachments

Outcomes

0 Comments

Recommended Content