000034768 - Issue collecting winevent_snare logs on RSA NetWitness Virtual Log Collector (VLC)

Document created by RSA Customer Support Employee on Feb 23, 2017. Last modified by RSA Customer Support on Apr 11, 2018.
Version 4

Article Content

Article Number: 000034768
Applies To: RSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: NetWitness Logs and Packets
RSA Version/Condition: 10.6 and above
Product Description: NetWitness Logs and Packets
Issue: The Snare logs sent to the Virtual Log Collector arrive as undefined or as a completely different device type. There is no issue with Snare logs sent directly to the Log Decoder.
Cause: It appears that the tabs in the Snare logs are being treated as spaces. Winevent_snare now supports tab-delimited logs with the latest parser.
Resolution: The fix is to remove the highlighted item on the Virtual Log Collector in question (please see the screenshot).

[Screenshot: highlighted item to remove on the Virtual Log Collector]

Note: If UDP is configured on the Snare source instead, then the same change needs to be made on the syslog-udp configuration. See below:

[Screenshot: syslog-udp configuration on the Virtual Log Collector]

Then restart the nwlogcollector service after making the above changes.
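To check whether Snare events are reaching the collector with their tab delimiters intact (the cause described above), before and after applying the change, the following diagnostic is an added example and not part of the RSA article; it assumes the standard Snare MSWinEventLog layout (the token `MSWinEventLog` followed by tab-separated fields) and uses constructed sample lines.

```python
"""Diagnose whether Snare (MSWinEventLog) events arrive with tab delimiters
intact. Added example, not part of the RSA article. Assumes the standard Snare
MSWinEventLog layout: the token 'MSWinEventLog' followed by tab-separated
fields (criticality, log name, counter, timestamp, event id, source, user, ...).
"""

SNARE_MARKER = "MSWinEventLog"
# Minimum number of tab-separated fields expected in a well-formed Snare payload.
MIN_SNARE_FIELDS = 6


def classify_snare_line(raw: str) -> dict:
    """Return a verdict for one raw syslog line that may carry a Snare event.

    'tab_delimited'  - tabs intact; the winevent_snare parser can delimit it
    'tabs_collapsed' - marker present but tabs turned into spaces (the symptom
                       in the article: events show up as undefined/other type)
    'not_snare'      - no MSWinEventLog marker at all
    """
    idx = raw.find(SNARE_MARKER)
    if idx < 0:
        return {"verdict": "not_snare", "fields": 0, "tabs": 0}
    payload = raw[idx:]
    tabs = payload.count("\t")
    if tabs >= MIN_SNARE_FIELDS - 1:
        return {"verdict": "tab_delimited",
                "fields": len(payload.split("\t")), "tabs": tabs}
    # Fall back to whitespace splitting only to report how the line looks now.
    return {"verdict": "tabs_collapsed",
            "fields": len(payload.split()), "tabs": tabs}


def summarize(lines) -> dict:
    """Count verdicts over a batch of captured syslog lines."""
    counts = {"tab_delimited": 0, "tabs_collapsed": 0, "not_snare": 0}
    for line in lines:
        counts[classify_snare_line(line)["verdict"]] += 1
    return counts


# Constructed sample lines (not real captures).
GOOD = ("<13>Feb 23 10:00:00 WINHOST\tMSWinEventLog\t1\tSecurity\t42\t"
        "Thu Feb 23 10:00:00 2017\t4624\tMicrosoft-Windows-Security-Auditing\t"
        "N/A\tN/A\tSuccess Audit\tWINHOST\tLogon\tAn account was successfully logged on.")
BAD = GOOD.replace("\t", " ")          # what the collector saw before the fix
OTHER = "<13>Feb 23 10:00:00 fw01 kernel: link up"

if __name__ == "__main__":
    for label, line in (("good", GOOD), ("bad", BAD), ("other", OTHER)):
        print(label, classify_snare_line(line))
    print(summarize([GOOD, BAD, OTHER]))
```

Feed it lines captured on the VLC (for example from a packet capture of the syslog-tcp or syslog-udp listener) to see whether the tabs survive the collection path.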