Parse kiwi syslog
Currently the customer log sources are first sending the logs to a Kiwi syslog forwarder, before forwarding the logs to the VLC. At the SA Head UI, the logs being seen are all via one device IP. The analysts are creating correlation rules based on event source grouping. (Below is the diagram of the traffic flow.)
Can we do a parse to solve the single device IP issue, or is there some configuration that needs to be done to resolve this issue?
- Community Thread
- Forum Thread
- RSA NetWitness Endpoint
- RSA NetWitness Platform
Are you seeing the original device IP address in NetWitness-collected logs?
If not, please make sure the "Retain the original source address of the message" option is checked.
Reference: Kiwi Syslog Server
If you are able to see the original IP address, it will be easy to tweak the parsers.
Have you configured the Kiwi software to spoof the packets (this requires WinPcap to be loaded)? This only works with UDP, however, as far as I know.
Can you also comment on why the customer prefers to use a relay in between and not send to the LD/VLC directly? The original log, in the format accepted by NW, should be forwarded by the relay, and the IP of the relay (Kiwi Syslog Server) should ideally be captured in forward.ip.
The customer wants to consolidate all the events and use a single point to send them to the VLC.
Then if I need to do grouping based on device group, I cannot use the source device or source IP?
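Added example, not part of the thread and not Kiwi or NetWitness code: it shows in working Python what the two replies above are getting at, namely that once a relay sits in the path, the packet source IP always belongs to the relay, and the only place the original device identity survives is the HOSTNAME field of the syslog header (which the "Retain the original source address" option is meant to keep). The parser below reads that field from RFC 3164 and RFC 5424 headers and uses it as the grouping key; when the header names the relay itself, the origin is treated as lost and the event is counted under the relay address, which is exactly the single-device-IP symptom described in the question. Assumptions: the relay is 10.0.0.5 and may also appear as `kiwi-relay` in headers, the sample log lines are constructed, and the output keys `forward_ip` and `device` are named only loosely after the meta key mentioned in the thread, not after any NetWitness parser API.

```python
"""Recover the original log source from syslog lines that arrived via a relay.

Constructed example: every packet reaches the collector from the relay
10.0.0.5, so the transport-level source IP can never be used for grouping.
The original device survives only in the syslog header HOSTNAME field.
"""
import re
from collections import Counter

# Constructed assumption: identities under which the relay itself may appear
# in a header when it did NOT retain the original source address.
RELAY_IDENTITIES = {"10.0.0.5", "kiwi-relay"}

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$"
)


def parse_syslog(line, packet_src_ip, relay_identities=RELAY_IDENTITIES):
    """Parse one syslog line that was received from packet_src_ip.

    Returns a dict with:
      forward_ip        the IP the packet actually came from (the relay)
      header_host       the HOSTNAME field from the syslog header, or None
      original_retained True when header_host still names the original device
      device            the value to group on: header_host when retained,
                        otherwise forward_ip (the origin has been lost)
      msg               the message after the header
    """
    m = RFC5424.match(line)
    if m:
        host, msg = m.group("host"), m.group("rest")
    else:
        m = RFC3164.match(line)
        if m:
            host, msg = m.group("host"), m.group("msg")
        else:
            host, msg = None, line  # no parsable header: nothing to recover
    if host == "-":
        host = None  # RFC 5424 nil value for HOSTNAME
    retained = host is not None and host not in relay_identities
    return {
        "forward_ip": packet_src_ip,
        "header_host": host,
        "original_retained": retained,
        "device": host if retained else packet_src_ip,
        "msg": msg,
    }


def group_by_device(lines, packet_src_ip, relay_identities=RELAY_IDENTITIES):
    """Count events per original device.

    Events whose origin was not retained are counted under the relay IP so
    the loss is visible instead of silently merged into one device.
    """
    counts = Counter()
    for line in lines:
        counts[parse_syslog(line, packet_src_ip, relay_identities)["device"]] += 1
    return dict(counts)


# Constructed sample traffic; all of it arrives from the relay 10.0.0.5.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 192.168.1.10 sshd[1234]: Failed password for root from 203.0.113.7 port 4022 ssh2",
    "<165>1 2024-01-01T12:00:00Z sw-core01 lldpd 512 - - link down on gi1/0/3",
    "<34>Oct 11 22:14:17 192.168.1.10 sshd[1234]: Failed password for root from 203.0.113.7 port 4023 ssh2",
    "<13>Oct 11 22:14:16 kiwi-relay Kiwi: forwarded without the original source address",
]

if __name__ == "__main__":
    for device, n in group_by_device(SAMPLE_LINES, "10.0.0.5").items():
        print(f"{device}: {n}")
```

Run as-is, the grouping yields two events for 192.168.1.10, one for sw-core01, and one under 10.0.0.5 for the line whose header was rewritten by the relay. If the relay option is off for every source, every line falls into the last bucket, which is the situation the question describes; a parser can only recover what the header still carries, so the header has to be fixed at the relay first and the parser tweaked afterwards.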