
Endpoint Integ: Configure Endpoint Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development Employee on Sep 15, 2017. Last modified by RSA Information Design and Development Employee on Sep 4, 2020.
Version 21

You can configure RSA NetWitness Endpoint to send its alerts over Syslog to an RSA NetWitness Platform Log Decoder. The Log Decoder parses the alerts into sessions and generates metadata that NetWitness Platform Investigation, Alerts, and Reporting Engine can use.

For NetWitness Platform deployments that consume logs, this integration pushes NetWitness Endpoint events to the Log Decoder as Common Event Format (CEF) syslog messages. The use case is SIEM integration: centralized event management, correlation of NetWitness Endpoint events with other Log Decoder data, NetWitness Platform reporting on NetWitness Endpoint events, and NetWitness Platform alerting on NetWitness Endpoint events.


The following are required for this integration:

  • NetWitness Endpoint UI version 4.4 or later.
  • NetWitness Server version 11.1 installed.
  • RSA Log Decoder and Concentrator version 10.4 or later, connected to the NetWitness Server.
  • A firewall rule allowing UDP 514 or TCP 1514 from the NetWitness Endpoint server to the Log Decoder. Scope the rule to the NetWitness Endpoint server's address only, and make sure the port matches the Log Decoder's syslog listener for the transport you choose.


  1. Deploy the required parser (CEF or rsaecat) to the Log Decoder as described in the "Manage Live Resources" topic in Live Services Management. After you deploy the parser, make sure it is enabled. For more information, see "Services Config View - General Tab" in the Malware Analysis Configuration Guide.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the NetWitness Endpoint parser, and all CEF messages into NetWitness Platform are processed by the CEF parser. Enabling both parsers only adds load on the Log Decoder for no benefit.

  2. Configure NetWitness Endpoint to send syslog output to NetWitness Platform so that NetWitness Endpoint alerts reach the Log Decoder.
  3. (Optional) Edit table-map-custom.xml on the Log Decoder and index-concentrator-custom.xml on the Concentrator to add the NetWitness Endpoint fields you want mapped to NetWitness Platform meta.

Configure NetWitness Endpoint to Send Syslog Output to NetWitness Platform

To add the Log Decoder as a Syslog external component and have NetWitness Endpoint send its alerts to it:

  1. Open the NetWitness Endpoint user interface and log on with the appropriate credentials.
  2. From the menu bar, select (Configure) > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click the Add icon.

    The SYSLOG Server dialog is displayed.

    [Figure: SYSLOG Server dialog]

  4. In the NetWitness Platform panel, enter a descriptive name for the Log Decoder.
  5. In the Syslog Connection panel, enable Syslog messaging with the following values:

    Server Hostname/IP = the DNS hostname or IP address of the RSA Log Decoder
    Port = 514, or whichever port the Log Decoder's syslog listener uses for the transport you select (the prerequisites above list UDP 514 and TCP 1514)
    Transport Protocol = UDP or TCP, as appropriate for the Log Decoder's listener. Syslog over UDP carries no source authentication, so any host that can reach the port could inject a forged CEF message that the Log Decoder would parse as a NetWitness Endpoint alert; keep the firewall rule scoped to the NetWitness Endpoint server and prefer TCP where the Log Decoder accepts it.

  6. Click Save.
  7. Open the InstantIOCs window in the NetWitness Endpoint UI and, in the Alertable column, enable each IIOC for which you want alerts sent to the Log Decoder.

    [Figure: InstantIOCs window with the Alertable column]

When an enabled instant IOC triggers, the NetWitness Endpoint server sends a Syslog alert to the Log Decoder. The Log Decoder parses the alert into session meta, which is then aggregated and indexed by the Concentrator.

Edit the Table Mapping in table-map-custom.xml

In the default table-map.xml provided by RSA, several of these meta keys are flagged Transient: the Log Decoder uses them while parsing but does not write them to session meta, so they are not visible in Investigation. To view a key in Investigation, its flags must be set to None. Do not edit table-map.xml itself; add overriding entries to table-map-custom.xml on the Log Decoder.

The following meta keys are already defined in table-map.xml:

NetWitness Endpoint Field    | NetWitness Platform Mapping | Transient in NetWitness Platform
-----------------------------|-----------------------------|---------------------------------
CEF Header Hostname Field    | alias.host                  | No
CEF Header Product Version   | version                     | No
CEF Header Product Name      | product                     | Yes
CEF Header Severity          | severity                    | Yes
CEF Header Signature ID      | event.type                  | No
CEF Header Signature Name    | event.desc                  | No
Raw Message                  | msg                         | Yes

The following seven keys are not in table-map.xml. To use them in NetWitness Platform, add them to table-map-custom.xml with flags set to None:

NetWitness Endpoint Field | NetWitness Platform Mapping | Transient in NetWitness Platform
--------------------------|-----------------------------|---------------------------------
Reputation result         | cs.represult                | Yes
Module score              | cs.modulescore              | Yes
Module signature          | cs.modulesign               | Yes
OPSWAT result             | cs.opswatresult             | Yes
Source module             | cs.sourcemodule             | Yes
Target module             | cs.targetmodule             | Yes
YARA result               | cs.yararesult               | Yes

Add these entries to table-map-custom.xml as required:

<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>

Note: Restart the Log Decoder or reload the log parsers for the changes to take effect.
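To make the two mapping tables and the Transient rule concrete, here is a small parser, added for this page and not RSA code, that takes syslog-wrapped CEF alert lines of the kind the NetWitness Endpoint server sends after step 7 above and produces the NetWitness meta named in the tables: the CEF header fields become product, version, event.type, event.desc and severity, the syslog hostname becomes alias.host, the raw line becomes msg, and CEF custom-string extensions (csN paired with csNLabel) become the cs.* keys. It then applies the Transient rule, dropping every key that has no flags="None" entry, so you can see what reaches session meta with and without the table-map-custom.xml additions. The sample alert lines are constructed, and the assumption that NetWitness Endpoint labels its custom strings with the envisionDisplayName values from the entries above is mine, not something this page states; in a real deployment the CEF or rsaecat parser on the Log Decoder decides the layout.

```python
"""Map syslog/CEF alert lines to NetWitness meta as this page's tables describe.
Added example, not RSA code. Sample lines are constructed; csNLabel names are
ASSUMED to equal the envisionDisplayName values in table-map-custom.xml above."""
import re
from typing import Dict, FrozenSet, Optional

# CEF header position -> NetWitness meta key (table-map.xml list on this page).
# Position 0 is "CEF:<version>" and 1 is the device vendor; neither is in the table.
HEADER_META = {2: "product", 3: "version", 4: "event.type", 5: "event.desc", 6: "severity"}

# Flagged Transient in the default table-map.xml; cs.* keys are transient too
# until an entry with flags="None" is added to table-map-custom.xml.
TRANSIENT_DEFAULT = frozenset({"product", "severity", "msg"})

# envisionDisplayName -> nwName, taken from the table-map-custom.xml entries above.
LABEL_TO_META = {
    "ReputationResult": "cs.represult",
    "ModuleScore": "cs.modulescore",
    "ModuleSignature": "cs.modulesign",
    "OpswatResult": "cs.opswatresult",
    "SourceModule": "cs.sourcemodule",
    "TargetModule": "cs.targetmodule",
    "YaraResult": "cs.yararesult",
}
CUSTOM_NONE_KEYS = frozenset(LABEL_TO_META.values())  # unlocked by the seven custom entries
INT_META = frozenset({"cs.modulescore"})               # format="Int32" in the custom mapping

# BSD-style syslog header: optional <PRI>, optional "Mon dd [yyyy] hh:mm:ss", host, CEF body.
_SYSLOG = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}\s+)?"
    r"(?P<host>\S+)\s+(?P<cef>CEF:\d+\|.*)$"
)
# key=value pairs; a value runs until the next " key=" and may contain \= and \\ escapes.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape(s: str) -> str:
    """Resolve CEF backslash escapes (pipe, equals, backslash, n, r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_cef(cef: str):
    """Return the seven pipe-delimited header fields (escapes intact) and the extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # keep the escape pair together
            cur.append(cef[i:i + 2]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:                       # header ended without a trailing pipe
        fields.append("".join(cur))
    return fields, cef[i:]


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Return every meta key the alert yields, transient or not; None if it is not CEF."""
    m = _SYSLOG.match(line.strip())
    if not m:
        return None
    fields, ext = _split_cef(m.group("cef"))
    if len(fields) < 7:
        return None
    meta: Dict[str, object] = {"alias.host": m.group("host"), "msg": line.strip()}
    for pos, key in HEADER_META.items():
        meta[key] = _unescape(fields[pos])
    pairs = {k: _unescape(v) for k, v in _EXT_PAIR.findall(ext)}
    for k, v in pairs.items():                # resolve csN / csNLabel into cs.* keys
        n = re.fullmatch(r"cs(\d+)", k)
        if not n:
            continue
        label = pairs.get(f"cs{n.group(1)}Label")
        key = LABEL_TO_META.get(label, "cs." + re.sub(r"\W", "", label or k).lower())
        meta[key] = int(v) if key in INT_META and v.lstrip("-").isdigit() else v
    return meta


def visible_meta(meta: Dict[str, object], none_flag_keys: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Keep only the keys the Log Decoder writes to session meta under the given custom flags."""
    return {k: v for k, v in meta.items()
            if k in none_flag_keys or not (k in TRANSIENT_DEFAULT or k.startswith("cs."))}


SAMPLE_ALERTS = [  # constructed for this example, not captured NetWitness Endpoint output
    r"<13>Sep 15 2017 10:00:00 ecat-srv01 CEF:0|RSA|ECAT|4.4.0.1|IIOC-101|Unsigned module writes to registry run key|7|"
    r"cs1=Malicious cs1Label=ReputationResult cs2=92 cs2Label=ModuleScore cs3=Unsigned cs3Label=ModuleSignature "
    r"cs4=C:\\Users\\bob\\dropper.exe cs4Label=TargetModule",
    r"<13>Sep 15 2017 10:00:05 ecat-srv01 CEF:0|RSA|ECAT|4.4.0.1|IIOC-207|YARA match \| suspicious packer|5|"
    r"cs5=Matched cs5Label=YaraResult cs6=svchost.exe cs6Label=SourceModule",
    "<13>Sep 15 2017 10:00:09 ecat-srv01 not a CEF message at all",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        meta = parse_alert(line)
        print(visible_meta(meta, CUSTOM_NONE_KEYS) if meta else "unparsed: " + line)
```

Run it once with visible_meta(meta) and once with visible_meta(meta, CUSTOM_NONE_KEYS) to see the difference the seven table-map-custom.xml entries make: without them only alias.host, version, event.type and event.desc survive, and the IIOC's reputation, module score and target module never reach Investigation.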

Configure the NetWitness Platform Concentrator Service

  1. Log on to NetWitness Platform and go to (Admin) > Services.
  2. Select a Concentrator from the list and select View > Config.
  3. Select the Files tab, and from the Files to Edit drop-down list, select index-concentrator-custom.xml.
  4. Add the NetWitness Endpoint meta keys to the file and click Apply. The file must already contain the enclosing XML structure (the <language> element); if it does not, add it before the key entries.
  5. Restart the Concentrator.
  6. To add the Concentrator as a data source in the Reporting Engine, in the (Admin) > Services view, select the Reporting Engine and select View > Config > Sources.
    NetWitness Endpoint meta is then populated in the Reporting Engine, and you can run reports by selecting the appropriate meta keys.


Note: The following lines are examples; make sure the values match your configuration and the meta keys you added to table-map-custom.xml, where:
description is the label shown for the meta key in NetWitness Platform Investigation.
level is "IndexValues", so that the key's values are indexed and searchable, not just the key itself.
name is the NetWitness Platform meta key name (the nwName of the mapping) from the tables above.
format must match the format in which the Log Decoder writes the key: Text unless the table-map entry specifies otherwise (for example Int32 for cs.modulescore).

<key description="Product" format="Text" level="IndexValues" name="product" valueMax="250000" defaultAction="Open"/>
<key description="Severity" format="Text" level="IndexValues" name="severity" valueMax="250000" defaultAction="Open"/>
<key description="Destination Dns Domain" format="Text" level="IndexValues" name="ddomain" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="Destination Host" format="Text" level="IndexValues" name="host.dst" valueMax="250000" defaultAction="Open"/>
<key description="End Time" format="TimeT" level="IndexValues" name="endtime" valueMax="250000" defaultAction="Open"/>
<key description="Checksum" format="Text" level="IndexValues" name="checksum" valueMax="250000" defaultAction="Open"/>
<key description="Filename Size" format="Int32" level="IndexValues" name="filename.size" valueMax="250000" defaultAction="Open"/>
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Domain OU" format="Text" level="IndexValues" name="dn" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Int32" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
<key description="Protocol" format="Text" level="IndexValues" name="protocol" valueMax="250000" defaultAction="Open"/>
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="250000" defaultAction="Open"/>
<key description="Source Host" format="Text" level="IndexValues" name="host.src" valueMax="250000" defaultAction="Open"/>
<key description="Start Time" format="TimeT" level="IndexValues" name="starttime" valueMax="250000" defaultAction="Open"/>
<key description="Timezone" format="Text" level="IndexValues" name="timezone" valueMax="250000" defaultAction="Open"/>
<key description="Received Bytes" format="UInt64" level="IndexValues" name="rbytes" valueMax="250000" defaultAction="Open"/>
<key description="Agent User" format="Text" level="IndexValues" name="user.agent" valueMax="250000" defaultAction="Open"/>
<key description="Source Bytes" format="UInt64" level="IndexValues" name="bytes.src" valueMax="250000" defaultAction="Open"/>
<key description="Strans Address" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
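A check worth running before you restart the services: every custom mapping flagged None on the Log Decoder needs a matching <key> with the same format on the Concentrator, otherwise the meta is written but never indexed, or is indexed under the wrong type. The Python below, added here and not part of the RSA documentation, cross-checks a table-map-custom.xml fragment against an index-concentrator-custom.xml fragment. The embedded fragments are constructed from this page's entries with three deliberate defects planted so the check has something to find: cs_opswatresult left Transient, cs.yararesult missing from the index, and cs.modulescore indexed as Text while the mapping declares Int32. The root element names (<mappings>, <language>) are assumed; the check only reads <mapping> and <key> elements, so it works on the full files as well.

```python
"""Cross-check table-map-custom.xml mappings against index-concentrator-custom.xml keys.
Added example, not RSA code. Fragments below are constructed from this page's entries."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed: the page's mappings with cs_opswatresult deliberately left Transient.
# Root element name is an assumption; only <mapping> elements are read.
TABLE_MAP_CUSTOM = """<mappings>
<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="Transient" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>
</mappings>"""

# Constructed: a subset of the page's index entries, with cs.modulescore typed as Text
# (the mapping says Int32) and cs.yararesult omitted. Root element name is an assumption.
INDEX_CONCENTRATOR_CUSTOM = """<language>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
</language>"""


def index_key_line(nw_name: str, description: str, fmt: str = "Text") -> str:
    """Render an index-concentrator-custom.xml <key> entry in the form used on this page."""
    return (f'<key description="{description}" format="{fmt}" level="IndexValues" '
            f'name="{nw_name}" valueMax="250000" defaultAction="Open"/>')


def check_mappings(table_map_xml: str, index_xml: str) -> List[Tuple[str, str, str]]:
    """Return (nwName, problem, detail) for every mapping that will not behave as intended.

    transient - flags is not "None", so the Log Decoder never writes the key to meta
    missing   - flagged None but no <key> indexes it on the Concentrator
    format    - the <key> format differs from the mapping's format (Text when unset)
    """
    keys = {k.get("name"): k for k in ET.fromstring(index_xml).iter("key")}
    findings: List[Tuple[str, str, str]] = []
    for m in ET.fromstring(table_map_xml).iter("mapping"):
        nw, fmt = m.get("nwName"), m.get("format", "Text")
        flags = m.get("flags", "(unset)")
        if flags != "None":
            findings.append((nw, "transient", f'flags="{flags}"; set flags="None"'))
            continue
        key = keys.get(nw)
        if key is None:
            findings.append((nw, "missing", "add: " + index_key_line(nw, m.get("envisionDisplayName", nw), fmt)))
        elif key.get("format", "Text") != fmt:
            findings.append((nw, "format", f'table-map format="{fmt}" but index format="{key.get("format")}"'))
    return findings


if __name__ == "__main__":
    for nw, problem, detail in check_mappings(TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM):
        print(f"{problem:9} {nw}: {detail}")
```

Point check_mappings at the contents of the two real files (read from the Log Decoder and the Concentrator) and fix every finding before the restarts in the procedure above; an empty list means each None-flagged key has an index entry of the right type.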


Analysts can:

  • Create NetWitness Platform alerts based on NetWitness Endpoint events by configuring NetWitness Endpoint events as an enrichment source.
  • Create ESA rules using NetWitness Endpoint meta as described in the "Add Rules to the Rules Library" topic in the Alerting Using ESA Guide.
  • Report on NetWitness Endpoint events using NetWitness Endpoint meta as described in the "Configure a Rule" topic in the Reporting Guide.
  • View NetWitness Endpoint alerts in NetWitness Respond as described in the "View Alerts" topic in NetWitness Respond User Guide.
  • View NetWitness Endpoint meta keys in Investigation along with standard NetWitness Platform core meta keys as described in the "Conduct an Investigation" topic in Investigation and Malware Analysis User Guide.
