Article Number | 000034768 |
Applies To | RSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: NetWitness Logs and Packets
RSA Version/Condition: 10.6.and above
Product Description: NetWitness Logs and Packets |
Issue | The Snare logs sent to the Virtual Log Collector come in as undefined or as a completely different device type. There is no issue with Snare logs sent directly to the Log Decoder. |
Cause | It appears that the tabs in the Snare logs are being identified as spaces. With the latest parser, winevent_snare now supports tab-delimited logs. |
Resolution | The fix is to remove the highlighted item on the Virtual Log Collector in question (please see screenshot).

Note: If UDP is configured on the Snare source instead, then the changes need to be made on syslog-udp. See below:

Then restart the nwlogcollector service after making the above changes.
|
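
To confirm the cause described above on a given collection path, the following added example (not RSA code) classifies captured raw syslog lines by whether the Snare field delimiters are still tabs or have arrived as spaces. It assumes Snare's `MSWinEventLog` tag precedes the tab-separated event fields; the function names and sample lines are constructed for illustration.

```python
"""Check whether captured Snare syslog lines still carry their tab delimiters."""
from collections import Counter

SNARE_MARKER = "MSWinEventLog"  # assumed: tag Snare puts before the event fields


def classify(line: str) -> str:
    """Return 'tab-delimited', 'tabs-lost', 'mixed' or 'not-snare' for one raw line."""
    pos = line.find(SNARE_MARKER)
    if pos == -1:
        return "not-snare"
    fields = line[pos + len(SNARE_MARKER):]
    if "\t" not in fields:
        return "tabs-lost"        # delimiters arrived as spaces (or were dropped)
    if fields.startswith("\t"):
        return "tab-delimited"    # layout a tab-aware parser can split on
    return "mixed"                # some tabs survived, the first one did not


def summarize(lines):
    """Count classifications over an iterable of raw lines (file or list)."""
    return Counter(classify(raw.rstrip("\r\n")) for raw in lines)


# Constructed sample data, not taken from a real system.
_FIELDS = ["1", "Security", "4321", "Mon Jan 01 10:00:00 2018", "4624",
           "Microsoft-Windows-Security-Auditing", "EXAMPLE\\user1", "N/A",
           "Success Audit", "host1.example.test", "Logon",
           "", "An account was successfully logged on.", "1234"]
DIRECT_SAMPLE = ("<13>Jan 01 10:00:00 host1.example.test "
                 + SNARE_MARKER + "\t" + "\t".join(_FIELDS))
# Same event as it would look once every tab has been turned into a space.
SPACED_SAMPLE = DIRECT_SAMPLE.replace("\t", " ")
OTHER_SAMPLE = "<13>Jan 01 10:00:01 host2.example.test sshd[100]: session opened"

if __name__ == "__main__":
    import sys
    # With a file argument, check that capture; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(dict(summarize(fh)))
    else:
        print(dict(summarize([DIRECT_SAMPLE, SPACED_SAMPLE, OTHER_SAMPLE])))
```

A capture from the affected path that reports mostly `tabs-lost`, while the same source sent directly reports `tab-delimited`, matches the cause given in this article.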