Endpoint Integ: Configure Endpoint Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Jun 15, 2018.
Version 14

You can configure the use of RSA NetWitness Endpoint data in RSA NetWitness Suite to provide NetWitness Endpoint alerts through Syslog into Log Decoder sessions. This generates metadata that is used by NetWitness Suite Investigation, Alerts, and Reporting Engine.

For NetWitness Suite networks that consume logs, this integration of NetWitness Endpoint with NetWitness Suite pushes NetWitness Endpoint events to the Log Decoder as Common Event Format (CEF) syslog messages and generates metadata that is used by NetWitness Suite Investigation, Alerts, and Reporting Engine. The use case for this integration is SIEM integration: centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Suite reporting on NetWitness Endpoint events, and NetWitness Suite alerting on NetWitness Endpoint events.

Prerequisites

The following are required for this integration:

  • NetWitness Endpoint UI version 4.3.0.4, 4.3.0.5, 4.4, 4.4.0.2, or later.
  • NetWitness Server version 11.1 is installed.
  • RSA Log Decoder and Concentrator version 10.4 or later, connected to the NetWitness Server in the network.
  • Port UDP 514 or TCP 1514 open in the firewall from the NetWitness Endpoint server to the Log Decoder.

Procedure

  1. Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see Services Config View - General Tab.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the NetWitness Endpoint parser, and all CEF messages into NetWitness Suite are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.

  2. Configure NetWitness Endpoint to send syslog output to NetWitness Suite and generate NetWitness Endpoint alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and index-concentrator-custom.xml to add the fields you want mapped to NetWitness Suite metadata.

Configure NetWitness Endpoint to Send Syslog Output to NetWitness Suite

To add the Log Decoder as a Syslog external component and generate NetWitness Endpoint alerts to the Log Decoder:

  1. Open the NetWitness Endpoint user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click the Add icon.

    The SYSLOG Server dialog is displayed.

    [Figure: Syslog Server dialog]

  4. In the NetWitness Suite panel, in On, enter the descriptive name for the Log Decoder.
  5. In the Syslog Connection panel, fill in the following to enable Syslog messaging:

    • Server Hostname/IP = The DNS hostname or IP address of the RSA Log Decoder
    • Port = 514
    • Transport Protocol = Select UDP or TCP, as appropriate for your Syslog server.

  6. Click Save.
  7. Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, click to enable each IIOC for which you want alerts sent to the Log Decoder.

    [Figure: Instant IOCs Endpoint]

When the Instant IOCs are triggered, the NetWitness Endpoint server sends Syslog alerts to the Log Decoder. The Log Decoder alerts are then aggregated to the Concentrator, where these events are injected as metadata.
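As an added illustration (not RSA's code and not the Log Decoder's actual CEF or rsaecat parser), the following Python parses one CEF-over-syslog line of the kind this integration sends, honouring CEF's escaping rules for pipes, equals signs and backslashes; the sample line, its vendor/product strings and its field values are constructed placeholders, not the real NetWitness Endpoint CEF schema.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of one CEF-over-syslog line as the Log Decoder would receive it.
# Vendor, product, signature ID and extension values are illustrative placeholders,
# NOT the real NetWitness Endpoint CEF schema.
SAMPLE_LINE = (
    "<13>Jun 15 12:00:00 ecat-server "
    "CEF:0|ExampleVendor|EndpointAgent|4.4|IIOC-101|Process injection \\| hidden|8|"
    "src=10.0.0.5 shost=WS-0042 fname=C:\\\\Windows\\\\Temp\\\\drop.exe "
    "msg=Injected into explorer.exe score\\=95 cs1Label=IIOC cs1=ProcessInjection"
)

_HEADER_NAMES = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key starts the string or follows whitespace and ends at an unescaped '='.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_CTRL = {"n": "\n", "r": "\r"}

def _unescape(value: str) -> str:
    """Undo CEF escaping: drop the backslash; escaped n/r become newline/CR."""
    return re.sub(r"\\(.)", lambda m: _CTRL.get(m.group(1), m.group(1)), value)

def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it verbatim
            cur.append(body[i + 1]); i += 2
        elif ch == "|":                         # unescaped pipe ends the field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, body[i:]  # whatever follows the 7th pipe is the extension

def parse_cef(line: str) -> Dict[str, str]:
    """Parse a syslog line carrying a CEF record into a flat dict of fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = _split_header(line[start + 4:])
    event = dict(zip(_HEADER_NAMES, fields))
    keys = list(_EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):  # value runs up to the next key
        raw = ext[m.end(): nxt.start() if nxt else len(ext)].rstrip()
        event[m.group(1)] = _unescape(raw)
    return event
```

Running `parse_cef(SAMPLE_LINE)` yields the header fields plus `src`, `shost`, `fname`, `msg`, `cs1Label` and `cs1`, with the escaped pipe, path backslashes and `=` restored; those are the values a table-map entry would then assign to NetWitness meta keys.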
