Decoder: Configure Event Source Mapping

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Sep 25, 2017.
Version 2
  

This topic tells administrators how to configure event source mapping on a Log Decoder.

The Log Collector discovers the event source type on a per-message basis. If the correct parser is not identified for an event source, messages from that event source type are misclassified. Misclassified messages do not populate the event source rules and alerts, and reports do not contain the correct data. When several event source types share one IP address, the parsers cannot reliably identify the exact event source from which each log was generated.

If you map an IP address to its event source type(s), the Log Decoder can identify the event source from which a log was generated. When messages from a mapped event source arrive at the Log Decoder, only the assigned parsers are queried for a match.

You can assign event source types to the IPv4 address, IPv6 address, or hostname of the event source, and you can assign multiple event source types to a single IP address. You can also include the Log Collector ID in a mapping when different event source types with the same IP address send their logs to different Log Collectors.

Update IP to Event Source Mapping

To update an IP to event source mapping:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder, and in the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  3. Select the Parser Mappings tab.

    The Parser Mappings tab is displayed.



  4. Click the Add icon.

    The Mapping Editor is displayed.

  5. Define any of the following mappings:

    • One Host and One Event Source Type
      - In the Host field, enter the IP address or hostname.
        For example: 10.0.0.1
      - In the Event Source(s) field, enter the event source type.
        For example: apache
    • One Host and One or More Event Source Types
      - In the Host field, enter the IP address or hostname.
        For example: 10.0.0.1
      - In the Event Source(s) field, enter the event source types, separated by commas.
        For example: apache,sap,aix
    • One Host, One Log Collector ID, and One Event Source Type
      - In the Host field, enter the IP address or hostname followed by a comma and the Log Collector ID.
        For example: 10.0.0.1,LC-1
      - In the Event Source(s) field, enter the event source type.
        For example: apache
    • One Host, One Log Collector ID, and One or More Event Source Types
      - In the Host field, enter the IP address or hostname followed by a comma and the Log Collector ID.
        For example: 10.0.0.1,LC-1
      - In the Event Source(s) field, enter the event source types, separated by commas.
        For example: apache,sap,aix

    Note: The event source types are queried in the order you enter them. If more than one of the listed parsers would match a log, the first matching parser in the list is used, so the order matters. The Host can be an IPv4 address, IPv6 address, or hostname.

  6. Click OK.

    The parser mapping is added.

  7. To close the Mapping Editor without saving the mapping, click Cancel.

Read IP to Event Source Type Mappings

To view the IP to event source type mappings:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.

    The mappings are displayed.


Edit an IP to Event Source Type Mapping

To edit an IP to event source type mapping:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.
  5. Select the mapping you want to edit.

    Note: You can only edit one mapping at a time.

  6. Click the Edit icon.
  7. In the Event Source(s) field, modify the event source(s).

    Note: The host is not editable and the field is disabled.

  8. Click OK to accept the edited Event Source.
  9. To cancel the changes, click Cancel.

Delete an IP to Event Source Type Mapping

To delete an IP to event source type mapping:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.
  5. Select the mapping you want to delete.
  6. Click the Delete icon.

    The mapping is deleted and the grid is refreshed.

  7. To cancel the changes, click Cancel.

Sort the Hostname or Event Source Type

To sort the hostname or event source type:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.
  5. To sort by a column, click its column header.

Note: The event source type(s) listed for a host are applied to logs from that IP address, and each log is parsed against those parsers in the order they are listed.

Import IP to Event Source Mapping Entries

To import IP to event source mapping entries:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.
  5. Select Actions > Import.

    The Import dialog is displayed.

  6. Click the Add icon.
  7. Select the .csv file you want to import and click OK.
  8. To load the mappings, click Import.

Note: You can import only one .csv file at a time.

Export IP to Event Source Mapping Entries

To export IP to event source mapping entries:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.
  5. Select the mappings you want to export.
  6. Select Actions > Export > Selection.

    The Export Selection dialog is displayed.

  7. Enter the file name and click Export.
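The following Python model is added here as an illustration and is not part of RSA Security Analytics. It ties the procedures above together: it parses the Host and Event Source(s) fields in the four shapes listed under Update IP to Event Source Mapping (IPv4, IPv6 or hostname, optionally followed by a Log Collector ID), resolves a message from a given host and collector to its ordered parser list using the first-match rule from the Note, and writes and reads the mappings as CSV in the spirit of the Import and Export procedures. The two-column CSV layout, the fallback from a collector-specific mapping to the host-only mapping, the stand-in parsers and the log lines are all constructed assumptions for this example; the real Log Decoder's CSV format and precedence rules may differ.

```python
"""Model of a Log Decoder's IP to event source type (parser) mappings. Added example, not
RSA code: the CSV layout, the collector-to-host fallback and the parsers are assumptions."""
import csv
import io
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple
# RFC 1123 host labels; all-numeric names are rejected so 10.0.0.999 is not taken as a hostname
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
CSV_HEADER = ["Host", "Event Source(s)"]  # assumed layout, mirrors the Mapping Editor fields
MappingKey = Tuple[str, Optional[str]]  # (host, Log Collector ID or None)

def classify_host(host: str) -> str:
    """Return 'ipv4', 'ipv6' or 'hostname'; raise ValueError for anything else."""
    try:
        return "ipv4" if ipaddress.ip_address(host).version == 4 else "ipv6"
    except ValueError:
        if _HOSTNAME_RE.match(host) and not host.replace(".", "").isdigit():
            return "hostname"
        raise ValueError(f"Host {host!r} is not an IPv4 address, IPv6 address or hostname") from None

def parse_host_field(field: str) -> MappingKey:
    """Split the Host field as typed in the Mapping Editor: '10.0.0.1' or '10.0.0.1,LC-1'."""
    parts = [p.strip() for p in field.split(",")]
    if len(parts) > 2 or not parts[0]:
        raise ValueError(f"Host field {field!r} must be '<host>' or '<host>,<collector id>'")
    classify_host(parts[0])  # validates; IPv6 addresses never contain commas, so the split is safe
    return parts[0], (parts[1] if len(parts) == 2 and parts[1] else None)

class ParserMappings:
    def __init__(self) -> None:
        self._table: Dict[MappingKey, List[str]] = {}

    def add(self, host_field: str, sources_field: str) -> None:
        key = parse_host_field(host_field)
        if key in self._table:
            raise ValueError(f"{host_field!r} is already mapped; edit that mapping instead")
        sources = [s.strip() for s in sources_field.split(",") if s.strip()]  # entered order
        if not sources or len(set(sources)) != len(sources):
            raise ValueError(f"Event Source(s) {sources_field!r} must list distinct parsers")
        self._table[key] = sources

    def lookup(self, host: str, collector_id: Optional[str] = None) -> Optional[List[str]]:
        # Assumption: a collector-specific mapping wins; otherwise the host-only mapping applies.
        if collector_id is not None and (host, collector_id) in self._table:
            return self._table[(host, collector_id)]
        return self._table.get((host, None))

    def select_parser(self, host: str, collector_id: Optional[str], line: str,
                      parsers: Dict[str, Callable[[str], bool]]) -> Optional[str]:
        # First mapped parser, in listed order, that matches; None if unmapped or nothing matches.
        for name in self.lookup(host, collector_id) or []:
            if parsers[name](line):
                return name
        return None

    def to_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(CSV_HEADER)
        for (host, lc), sources in self._table.items():
            # both fields may contain commas, so the csv module quotes them
            writer.writerow([host if lc is None else f"{host},{lc}", ",".join(sources)])
        return buf.getvalue()

    @classmethod
    def from_csv(cls, text: str) -> "ParserMappings":
        rows = [r for r in csv.reader(io.StringIO(text)) if r]
        if not rows or rows[0] != CSV_HEADER:
            raise ValueError(f"first row must be {CSV_HEADER}")
        table = cls()
        for host_field, sources_field in rows[1:]:  # fails on any row without exactly 2 columns
            table.add(host_field, sources_field)
        return table

# Constructed stand-ins for real parsers: True if the parser would match the line.
DEMO_PARSERS: Dict[str, Callable[[str], bool]] = {
    "apache": lambda line: re.search(r'"(?:GET|POST) \S+ HTTP/1\.[01]"', line) is not None,
    "sap": lambda line: "SAP" in line,
    "aix": lambda line: "AIX" in line,
}
# Constructed sample lines. AMBIGUOUS_LINE is accepted by both the apache and the sap
# stand-in, so the order of the mapped event source types decides which parser is used.
AMBIGUOUS_LINE = '10.0.0.1 - - [25/Sep/2017:10:00:00 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12 "-" "SAP NetWeaver"'
AIX_LINE = "Sep 25 10:00:01 aixhost AIX: auth|security:info sshd[1234]: Accepted password for admin"

def build_demo_mappings() -> ParserMappings:
    m = ParserMappings()  # the four mapping shapes from the procedure, with constructed hosts
    m.add("10.0.0.1", "apache,sap,aix")        # one host, several types, any collector
    m.add("10.0.0.1,LC-1", "sap,apache")       # same host as seen through Log Collector LC-1
    m.add("2001:db8::10", "aix")               # IPv6 host, one type
    m.add("web01.example.com,LC-2", "apache")  # hostname plus Log Collector ID
    return m

if __name__ == "__main__":
    m = build_demo_mappings()
    print(m.select_parser("10.0.0.1", None, AMBIGUOUS_LINE, DEMO_PARSERS))    # apache
    print(m.select_parser("10.0.0.1", "LC-1", AMBIGUOUS_LINE, DEMO_PARSERS))  # sap
```

Running the module shows the point of the ordering Note: the same ambiguous line is handed to apache when it arrives under the host-only mapping and to sap when it arrives through LC-1, because each mapping lists those parsers in a different order. The csv module quotes the Host and Event Source(s) values automatically, which is what keeps the inner commas of "10.0.0.1,LC-1" and "sap,apache" intact through an export and re-import; a hand-written file that omits the quotes would be split into the wrong number of columns and rejected by from_csv.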

Search IP to Event Source Mapping Entries

To search IP to event source mapping entries:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Decoder service.
  3. In the Actions column, select the Actions menu > View > Config.

    The Service Config view is displayed.

  4. Select the Parser Mappings tab.
  5. In the Parser Mappings toolbar, enter the host or event source type in the Filter field.
  6. Press Enter.

    The Hosts or Event Sources that match the names entered in the Filter field are displayed.
