This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-03-21 08:48 PM

ESI and Additional Windows messages

Hi,  I am trying to report/alert on user access via Citrix Secure Gateway (CSG).  The CSG server has its own Event Log within windows and I have added it to envision through event log strings etc, I can see the specific events in message viewer and have exported logs via LSDATA successfully so that I can utilise them in ESI.

 

To this date I have been trying to add a new device, to Envision which has not worked so far,  so my question is, should I be modifying the existing Windows XML files to include support for the Citrix events or should this be a new device.

 

any help appreciated  

0 Likes
Reply
10 Replies
RSAAdmin
Beginner
Beginner
‎2011-03-21 09:20 PM

Personally, I would make it a separate event source.  Although it comes from the Windows event log, it is not an actual  "Windows" log.

 

Just bear in mind that you will need to set the original winevent(nic) event source as a "Multi Device" so that the CSG logs can be discovered as a separate entity.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-21 10:37 PM

that is my preference, but I just cannot seem to get envision to recognise new devices through ESI even though they parse correctly.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-22 02:13 AM

Ok,  I have tried it both ways,  I created a new device called csg_access.  I added it to envision etc, restarted, but no new device.  Then I added the XML messages to the bottom of the windows nic xml file, restarted servers etc, and suddenly I can report on citrix access..

 

I have attached the XML forthe device I am trying to add, can anyone tell me if there is something wrong here ?

 

tks

Preview file
2 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-22 07:55 AM

At face value the XML looks OK, but it is impossible to say for sure where any error might be occurring without a sample log file. 

 

Can you post a scrubbed version of an lsdata sample dump of these messages?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-22 06:13 PM

here it is

csg.unx
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-24 10:26 AM

Darren,

 

I finally got to test this out this morning, and it appears to work fine.

 

I had no issues setting up your event source file or injecting the data.  It discovered just fine and the query results in the Windows Accounting table showed up as expected.  Please see attached screenshots.

 

I made no changes to anything you did except that I had to build the device.ini file manually as it was not provided.

 

Matt

Preview file
121 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-24 10:37 AM

One other screenshot I forgot to add... this just shows the discovered device

Preview file
104 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-24 10:42 PM

Matt,

 

thanks for testing it, not sure why it does not wokr on my system. Can you flick me the ini file you created so I can compare with the one I have.

 

regs,

 

darren

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-03-25 06:58 AM

Attached

 

This shouldn't make any real difference, though.

csg_access.ini
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.