Created UDS for OSSEC, it validates fine, but envision won't use it.
Granted, I haven't parsed every single rule, but I've parsed the ones that trigger the most.
I've validated it using the 1.1.1 version of the integrator and everything parses.
I install it to envision, and it ignores it.
I've attempted to force it to use the ossec device, but it just ends up generating a new unknown entry.
I've attached my deployment package. The version of OSSEC I'm using is the latest version available on the website, 2.5.1.
Any help would be greatly appreciated.
I am new to Envision and have no UDS experience yet, but my first thought is: are you trying to parse the alerts log format or OSSEC syslog output? I imagine the latter would be easier to work with.
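Since the question above is which OSSEC output to parse, here is an added example (not from the original thread, and not OSSEC's or RSA's own code) in Python that parses both forms: a multi-line block from alerts.log and the single-line form that ossec-csyslogd forwards over syslog. The sample records are constructed in the style of OSSEC 2.x; the exact field layout is an assumption and should be checked against your own logs (or an lsdata dump) before a UDS is built on it. The point it illustrates is that the syslog form needs one regex per line, while alerts.log needs state across several lines.

```python
import re

# Constructed sample of the multi-line alerts.log format (assumed OSSEC 2.x layout;
# verify against /var/log/ossec/alerts/alerts.log on your own server).
ALERTS_LOG = """** Alert 1293883200.12345: - syslog,sshd,authentication_failed,
2010 Jan 01 12:00:00 (webagent) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Jan  1 12:00:00 web01 sshd[4321]: Failed password for root from 198.51.100.7 port 40022 ssh2

** Alert 1293883260.12399: mail  - syslog,sshd,authentication_success,
2010 Jan 01 12:01:00 (webagent) 192.0.2.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.5
User: deploy
Jan  1 12:01:00 web01 sshd[4330]: Accepted publickey for deploy from 203.0.113.5 port 50012 ssh2
"""

# Constructed sample of the single-line form ossec-csyslogd sends over syslog
# (same assumption about the layout; the first alert above, as a SIEM would receive it).
SYSLOG_LINE = (
    "Jan  1 12:00:00 ossec ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (webagent) 192.0.2.10->/var/log/auth.log; srcip: 198.51.100.7; user: root;  "
    "Jan  1 12:00:00 web01 sshd[4321]: Failed password for root from 198.51.100.7 port 40022 ssh2"
)

# alerts.log: three fixed header lines, then optional "Src IP:"/"User:" lines, then the raw event.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):(?P<flags>.*?)- (?P<groups>.*?),?$")
LOCATION_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# syslog form: everything is on one line, fields separated by "; ".
SYSLOG_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?);(?: srcip: (?P<srcip>\S+);)?(?: user: (?P<user>\S+);)?"
    r"\s+(?P<raw>.*)$"
)


def parse_alerts_log(text):
    """Split alerts.log text into alert blocks and return one dict per alert."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head, loc, rule = (HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]),
                           RULE_RE.match(lines[2]))
        if not (head and loc and rule):
            continue  # malformed block: skip rather than misattribute fields
        alert = {
            "id": head["id"],
            "flags": head["flags"].split(),
            "groups": [g for g in head["groups"].split(",") if g],
            "timestamp": loc["date"],
            "location": loc["location"],
            "rule": rule["rule"],
            "level": rule["level"],
            "desc": rule["desc"],
            "srcip": None,
            "user": None,
        }
        raw = []
        for line in lines[3:]:
            if line.startswith("Src IP: "):
                alert["srcip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):]
            elif line:
                raw.append(line)  # whatever is left is the original event text
        alert["raw"] = "\n".join(raw)
        alerts.append(alert)
    return alerts


def parse_syslog_line(line):
    """Parse one forwarded ossec syslog line into the same keys; None if it does not match."""
    m = SYSLOG_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for a in parse_alerts_log(ALERTS_LOG):
        print(a["rule"], a["level"], a["srcip"], a["user"], a["desc"])
    print(parse_syslog_line(SYSLOG_LINE))
```

The same rule number, source IP, user and raw event come out of both parsers for the first alert, which is why a syslog-fed UDS only has to recognise the single-line form; if the device is still landing in Unknown, compare the lines lsdata shows against the regex rather than against alerts.log.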
Were you able to resolve this? I'm interested to know what the outcome was.
Aixia,
Can you please post an lsdata dump of the OSSEC logs from enVision?
Scrub it if you have to, but it makes it a lot easier for the community to assist if you can provide logs to compare against.
Thanks!
Hi Aixia,
Can you run the following lsdata command and share the OSSEC logs that are reporting in the Unknown category so that I can help you.
I have already created a UDS for OSSEC and it is working fine for me.
Command:
lsdata -events Syslog -time [start_time] [end_time] -devices Unknown:device_ip
start_time & end_time : sample time duration. Time format YYYYMMDDHHMMSS
device_ip : Ossec device IP that got recognised as unknown.
Thank you
