ESM: Create an Event Source and Edit Attributes

Document created by RSA Information Design and Development on Mar 22, 2017
Version 1

You can organize your event sources into groups. You do this by entering values for various attributes for each event source. For example, for all of your high priority event sources, you could set the Priority to 1. You can see details about the available attributes on the Manage Event Source Tab.

The following figure shows an example of the Event Sources panel:

[Figure: Event Sources panel (esm_manage.png)]

Event source attributes are a combination of auto-populated and user-entered information. When an event source sends log information to Security Analytics, it is added to the list of event sources, and some basic information is auto-populated. At any time after that, users can add or edit details for other event source attributes.

Mandatory Attributes

The following identification attributes are handled specially: IP, IPv6, Hostname, Event Source Type, Log Collector, and Log Decoder. If you create an event source manually, you can enter these values. Once you save the event source, these values can no longer be changed.

Event sources can also be auto-discovered; any event source that sends messages to the Log Decoder will be added to the list of event sources. If you edit the attributes for an auto-discovered event source, you cannot edit any of these fields.

Note that not all of these fields are mandatory. To uniquely identify an event source, the following information is required:

  • IP or IPv6 or Hostname, and
  • Event Source Type

Additionally, RSA Security Analytics uses a hierarchy for IP, IPv6, and Hostname. The order is as follows:

  1. IP
  2. IPv6
  3. Hostname

If you enter event sources manually, keep this order in mind. Otherwise, you may end up with duplicates when messages are received from the event sources that you manually added.
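
A pre-check for the ordering rule above, as an added example (not RSA code): it assumes the highest-ranked populated field among IP, IPv6 and Hostname, together with Event Source Type, is what identifies a source, and it flags planned manual entries keyed lower in that order than an asset inventory allows. The function names, inventory records and type names are constructed for illustration.

```python
import ipaddress

# Assumption: the first populated field in this order, plus the
# Event Source Type, identifies an event source.
HIERARCHY = ("ip", "ipv6", "hostname")  # order given on this page

def normalize(field, value):
    """Canonical form, so '2001:0DB8::0001' and '2001:db8::1' compare equal."""
    value = (value or "").strip()
    if not value or field == "hostname":
        return value.lower().rstrip(".")
    return str(ipaddress.ip_address(value))  # raises ValueError if malformed

def identity_key(src):
    """(field, value, type) for the highest-ranked populated identifier."""
    if not src.get("type"):
        raise ValueError("Event Source Type is required")
    for field in HIERARCHY:
        value = normalize(field, src.get(field))
        if value:
            return (field, value, src["type"])
    raise ValueError("one of IP, IPv6 or Hostname is required")

def duplicate_risks(planned, inventory):
    """Planned manual entries keyed lower in the hierarchy than the device allows."""
    risks = []
    for entry in planned:
        field, value, etype = identity_key(entry)
        for device in inventory:
            if normalize(field, device.get(field)) == value:
                best = identity_key({**device, "type": etype})
                if best != (field, value, etype):
                    risks.append((entry, best))
    return risks

# Constructed sample data: documentation address ranges, placeholder type names.
INVENTORY = [
    {"ip": "192.0.2.10", "hostname": "fw01.example.com"},
    {"ipv6": "2001:db8::1", "hostname": "proxy01.example.com"},
    {"hostname": "app01.example.com"},
]
PLANNED = [
    {"hostname": "FW01.example.com", "type": "example_firewall"},
    {"ipv6": "2001:0DB8::0001", "type": "example_proxy"},
    {"hostname": "app01.example.com", "type": "example_linux"},
]

if __name__ == "__main__":
    for entry, best in duplicate_risks(PLANNED, INVENTORY):
        print(f"{entry}: create with {best[0]}={best[1]} instead")
```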

All other attributes (such as Priority, Country, Company, Vendor, and so on) are optional.

Create an Event Source

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Manage tab.
  3. In the Event Sources panel, click the Add icon (104ApplAdd.png) to open the details screen, which contains all of the event source attributes.

    The Manage Event Source Tab is displayed.

  4. Enter or change the values for any attributes.
  5. Click Save.

Update Attributes for an Event Source

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Manage tab.
  3. In the Event Sources panel, select an event source from the list.
  4. In the Event Sources panel, click the Edit icon (104ApplEdit.png) to open the details screen, which contains all of the event source attributes.

    The Manage Event Source Tab is displayed.

  5. Enter or change the values for any attributes, except for certain attributes that cannot be altered once entered.
  6. Click Save.