Information regarding log sources
Is it possible to create an ad hoc (or daily) report or dashboard where we can see log sources: host names, IP addresses, device type, etc., which are sending logs or packets to NetWitness in the last 24 hours?
Is that mechanism already developed by the RSA NetWitness team?
- Community Thread
- Forum Thread
- log sources info
- RSA NetWitness
- RSA NetWitness Platform
Yes, it is possible to have a report like that. In NetWitness, when you receive a log, it will have either the device.host (usually some kind of server) or the device.ip (often network devices) meta filled. If you make 2 report rules (one for hosts and one for IPs), you can make a report and schedule it according to your needs.
The rules are just a simple "device.host exists" and "device.ip exists" summarized by Event Count.
Depending on your environment, you might need to use brokers instead of concentrators as the data sources.
In our environment we use something similar to track monthly log collection changes: new sources, inactive sources, etc.
P.S.: It's nice to see a familiar name here
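The two rules in the answer ("device.host exists" and "device.ip exists", summarized by event count) amount to grouping the last 24 hours of meta by whichever source key is filled and counting events per source. The script below is an added example, not code from the thread or from RSA NetWitness: it reproduces that summary, and the new/inactive comparison the answer mentions, over a constructed list of meta records embedded inline (the host names, IPs and device type strings are made up for the example; a real deployment would feed it the meta returned by the report rules or an SDK query, which this example does not implement). The rule that a record carrying both keys is counted under device.host is also an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample meta records (not real NetWitness output). Keys mirror the
# meta the answer relies on: device.host, device.ip, device.type and time.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

SAMPLE_META = [
    {"time": NOW - 1 * H, "device.host": "dc01.corp.example", "device.type": "winevent_nic"},
    {"time": NOW - 3 * H, "device.host": "dc01.corp.example", "device.type": "winevent_nic"},
    {"time": NOW - 26 * H, "device.host": "dc01.corp.example", "device.type": "winevent_nic"},
    {"time": NOW - 2 * H, "device.ip": "10.0.0.1", "device.type": "ciscoasa"},
    {"time": NOW - 5 * H, "device.ip": "10.0.0.1", "device.type": "ciscoasa"},
    {"time": NOW - 30 * H, "device.ip": "10.0.0.1", "device.type": "ciscoasa"},
    {"time": NOW - 4 * H, "device.host": "new-srv01.corp.example", "device.type": "rhlinux"},
    {"time": NOW - 30 * H, "device.host": "legacy-app01.corp.example", "device.type": "apache"},
    {"time": NOW - 1 * H, "device.type": "unknown"},  # neither key filled: matches neither rule
    {"time": NOW - 6 * H, "device.host": "proxy01.corp.example", "device.ip": "10.0.0.5",
     "device.type": "squid"},  # both keys: counted under device.host (example's assumption)
]


def source_key(rec):
    """Equivalent of the two report rules: a source is identified by device.host
    when present, else by device.ip; records with neither are not a log source."""
    if rec.get("device.host"):
        return ("device.host", rec["device.host"])
    if rec.get("device.ip"):
        return ("device.ip", rec["device.ip"])
    return None


def summarize_sources(records, now, window=timedelta(hours=24)):
    """Per-source event count, device types seen and last-seen time for records
    whose time falls inside (now - window, now]. This is the 'summarized by
    Event Count' view of the answer's two rules."""
    cutoff = now - window
    summary = {}
    for rec in records:
        if not (cutoff < rec["time"] <= now):
            continue
        key = source_key(rec)
        if key is None:
            continue
        entry = summary.setdefault(
            key, {"events": 0, "device_types": set(), "last_seen": rec["time"]})
        entry["events"] += 1
        if rec.get("device.type"):
            entry["device_types"].add(rec["device.type"])
        entry["last_seen"] = max(entry["last_seen"], rec["time"])
    return summary


def diff_sources(previous, current):
    """New sources appear only in the current window; inactive sources appear
    only in the previous one. Keys are (meta_key, value) tuples."""
    prev_keys, cur_keys = set(previous), set(current)
    return sorted(cur_keys - prev_keys), sorted(prev_keys - cur_keys)


def source_changes(records, now, window=timedelta(hours=24)):
    """Compare the window ending at `now` with the one immediately before it."""
    current = summarize_sources(records, now, window)
    previous = summarize_sources(records, now - window, window)
    return diff_sources(previous, current)


def render_report(summary):
    """One text line per source, busiest first."""
    lines = []
    for (meta_key, value), entry in sorted(summary.items(), key=lambda kv: -kv[1]["events"]):
        types = ",".join(sorted(entry["device_types"])) or "-"
        lines.append(f"{meta_key:12} {value:28} {entry['events']:6d} {types:14} "
                     f"last_seen={entry['last_seen'].isoformat()}")
    return lines


if __name__ == "__main__":
    current = summarize_sources(SAMPLE_META, NOW)
    print("Sources in the last 24h:")
    for line in render_report(current):
        print(" ", line)
    new, inactive = source_changes(SAMPLE_META, NOW)
    print("New since previous window:", new)
    print("Inactive since previous window:", inactive)
```

A caveat that the answer's either/or framing implies: a source that switches from logging under device.host to device.ip (or vice versa) shows up as one inactive and one new entry rather than as the same source, so if that happens in your environment, key the comparison on a normalized identifier instead of on the raw meta tuple.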