RSA enVision^® Discussions

RSAAdmin · ‎2010-09-15

Is it possible to compare logs from two different systems?

Specifically looking to compare RSA DLP log events and Cisco Ironport ESA logs. I would like to be able look in the RSA DLP Logs for an incident, then looking for the same To, From, and Subject to find the message ID of that message in Ironport. Then to check whether that Message was sent with TLS or not.

RSAAdmin · ‎2010-10-13

Hello CRaymond53,

Yes, you can absolutely do this, and Event Explorer will be your tool of choice for this forensic task! There are a multitude of ways to do this, but here's an easy one:

1) Set up an event trace that returns all events for your DLP and the Ironport ESA devices in a specified time range.

2) Run the event trace, and in a standard table filter for the string you wish to compare in the Message column.

You will then get all results matching your query and can then cross-refernce the Message ID in the appropriate column!

I hope that helps.

RSAAdmin · ‎2011-09-15

CRaymond, did you manage to master this particular task? We have exactly the same situation with RSA DLP and Ironport. We have a known list of TLS-Required domains, and offer TLS to anyone else that wants to use it. A report would be even more useful, showing which DLP Incidents were using TLS so we can properly close them out, and pursue required-TLS for appropriate domains.

RSA enVision® Discussions

Comparing logs from two systems

RSA enVision^® Discussions