ESM: Import Event Sources

Document created by RSA Information Design and Development Employee on Sep 6, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 19

You can import event source attributes from a CSV-formatted file. To import information from a configuration management database (CMDB), a spreadsheet, or other type of file, first convert or save the information to a CSV file.

Note: The following identification attributes are handled specially: IP, IPv6, Hostname, Event Source Type, Log Collector, and Log Decoder. If you import an event source that includes a different value for any of these fields (when compared with the value in NetWitness Platform), the original value in NetWitness Platform will not be overwritten.

The imported attributes are associated with the matched Event Source and are available for use in rules to create Event Source Groups.

RSA NetWitness Platform treats the import file as the correct, complete record. This assumption leads to the following behaviors related to importing event source attributes:

  • By default, when you import attributes, the system updates attributes for existing event sources only.
  • If the event source exists in the import file, but not in NetWitness Platform, the attributes for that event source are ignored. That is, NetWitness Platform does not create a new event source for these attributes.
  • If the event source exists in both the import file and NetWitness Platform, values for that event source are overwritten.
  • If an attribute is blank in the import file, it clears the corresponding attribute in NetWitness Platform.
  • If an attribute is not specified in the import file, then the corresponding attribute is ignored in NetWitness Platform (that is, it is not cleared).

Note: There is a difference between a blank attribute vs. one that is not specified at all. If an attribute is specified but blank, the assumption is that it is meant to be blank, and NetWitness Platform clears that attribute for the corresponding event source. However, if an attribute is not specified at all, it is assumed that no change is expected.

The above behaviors are the defaults—you can change the behavior as specified in the following procedure.

Import Event Source Attributes

To import Event Source attributes from a file:

  1. Go to (Admin) > Event Sources.
  2. Select the Manage tab.

    The Event Sources Manage tab is displayed.

  3. From the Import/Export menu in the toolbar, select Import.

    The Import Event Sources dialog is displayed.

  4. Navigate to the import file, and select the appropriate boxes:

    • Default: The default behavior is described above.
    • Add only: Imports an attribute only if the corresponding field in NetWitness Platform is blank. Thus, no existing values will be overwritten.
    • Do not clear values: Does not clear attribute values in NetWitness Platform for items in the import file that are blank.
    • Add Unknown Sources: Adds new event sources based on items in the import file.

    Note: You can select multiple options.

  5. Click Import.
  6. Click Yes in the confirmation dialog to perform the import.

Troubleshooting the Import File

If your import file is not formatted correctly, or is missing required information, an error is displayed, and the file is not imported.

Check the following:

  • If you are adding unknown sources, each line in the file must contain a combination of the required attributes:
    • IP or IPv6 or Hostname, and
    • Event Source Type
  • The first line of the file must contain header names, and the names must match the names in NetWitness Platform. To get a list of correct column names, you can export a single event source. Examine the exported CSV file: the first row of the file contains the correct set of attribute/column names.
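
To preview what an import file would change before you run it, the following added example (not RSA code) models the default behaviors and the four import options on an in-memory copy of the event sources. It assumes that the CSV column names equal the attribute names listed above and that a row matches an event source on IP, IPv6, or Hostname plus Event Source Type; the sample values and the Location and Owner attributes are constructed.

```python
import csv
import io

# Identification attributes the page says an import never overwrites.
ID_ATTRS = ("IP", "IPv6", "Hostname", "Event Source Type", "Log Collector", "Log Decoder")

def source_key(row):
    # Assumption: match on the first non-blank of IP/IPv6/Hostname plus Event Source Type.
    addr = next((row[a] for a in ID_ATTRS[:3] if row.get(a)), "")
    etype = row.get("Event Source Type") or ""
    return (addr, etype) if addr and etype else None

def preview_import(existing, csv_text, add_only=False, no_clear=False, add_unknown=False):
    """Model the import on a copy of `existing`; return (result, changes)."""
    result = {k: dict(v) for k, v in existing.items()}
    changes = []
    for line, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        key = source_key(row)
        if key not in result:
            if not add_unknown:
                changes.append((line, None, "ignored"))  # no new event source is created
            elif key is None:
                # Missing required attributes: the whole file is rejected.
                raise ValueError(f"line {line}: need IP, IPv6 or Hostname, and Event Source Type")
            else:
                result[key] = {a: v for a, v in row.items() if v}
                changes.append((line, None, "added"))
            continue
        stored = result[key]
        for attr, value in row.items():  # columns not in the header are never touched
            if attr in ID_ATTRS or (add_only and stored.get(attr)):
                continue  # the stored value is kept
            if value:
                if stored.get(attr) != value:
                    stored[attr] = value
                    changes.append((line, attr, "set"))
            elif stored.get(attr) and not no_clear:
                stored[attr] = ""
                changes.append((line, attr, "cleared"))  # blank cell clears the attribute
    return result, changes

# Constructed sample data; "Location" and "Owner" are hypothetical attribute names.
EXISTING = {("10.0.0.5", "winevent_nic"): {"IP": "10.0.0.5", "Event Source Type": "winevent_nic",
                                            "Location": "Boston", "Owner": "ops"}}
SAMPLE_CSV = ("IP,Event Source Type,Log Collector,Location\n"
              "10.0.0.5,winevent_nic,lc-new,\n"
              "10.0.0.9,rhlinux,lc1,Austin\n")
```

Calling preview_import(EXISTING, SAMPLE_CSV) with each combination of options shows which attributes a blank cell would clear and which rows would be ignored or added.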
