File Collection: Step 1. Configure Event Sources in SA

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Jul 28, 2017.
Version 2

This topic tells you how to configure File event sources in Security Analytics.

After completing this procedure, you will have...

  • Configured File collection for an event source in Security Analytics.
  • Modified File collection for an event source in Security Analytics.
  • Verified that the correct parser has been enabled on the Log Decoder to parse the log events from the new event source.

Procedures

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select File/Config from the drop-down menu.
  5. In the Event Categories panel toolbar, click the Add icon.
  6. Select an event source type (for example, emc_symmetrix) and click OK.
    The newly added event source type is displayed in the Event Categories panel.
  7. Select the new type in the Event Categories panel and click the Add icon in the Sources toolbar.
    The Add Source dialog is displayed.
  8. Add a File Directory name and modify any other parameters that require changes.
  9. To get the public key and enter it into the dialog box, do the following:
    1. Select and copy the public key from the Event Source by running: cat ~/.ssh/id_rsa.pub
    2. Paste the public key in the Eventsource SSH Key field.
  10. Click OK.

You need to restart file collection for your changes to take effect.

Stop and Restart File Collection

After you add a new event source that uses file collection, you must stop and restart the Security Analytics File Collection service. This is necessary to add the key to the new event source.

Modify File Collection for Event Source in Security Analytics

To modify an event source:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select File/Config from the drop-down menu.
  5. Select an event source type (for example, emc_symmetrix) from the Event Categories panel and click OK.
  6. In the Sources panel, select an event source and click the Edit icon.
    The Edit Source dialog is displayed.
  7. Modify the parameters that require changes and click OK.
  8. Security Analytics applies the parameter changes to the selected event source.

Parameters

File Collection: Configuration Parameters
