This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2014-11-13 07:23 PM

Unable to Extract winevent_nic Logs using lsdata utility

Hi,

Recently we integrated few windows 2008 servers using "Windows Eventing Collector service", I am able to see the logs in the Analysis tab and in query, But i am unable to extract the logs using lsdata specifying the IP address of the device in the command.

 

Thanks

Ramesh

0 Likes
Reply
8 Replies
RSAAdmin
Beginner
Beginner
‎2014-11-17 11:12 AM

Could you please share the screenshot of the events that you can see using the Analysis tab?

 

Also, could you please share the complete lsdata command you are using to extract the logs along with the output or any error message you get when you run lsdata?

 

What kind of enVision setup do you have? ES? LS? EA? Where are you running the lsdata command?

 

Thanks,

Susam

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2014-11-17 11:15 AM

Hi Susan,

 

Its EA setup and I am running the command at Bin folder

E:/nic/4100..../bin/lsdata...

 

Thanks

Ramesh

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2014-11-17 11:18 AM

Hi Ramesh,

 

On which system are you running the lsdata command? LC? DSRV, ASRV? lsdata command is supposed to be run on DSRV only.

 

Also, could you please provide the other information I requested in my previous comment.

 

By the way, I am "Susam". It ends with "m", not "n'.

 

Thanks,

Susam

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2014-11-17 11:20 AM

The command is

lsdata -d -0 -time c:\output.text

 

I am getting all the logs.

 

Thanks

Ramesh

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2014-11-17 11:22 AM

I am running the command on D server I can see the security logs in

analysis tab, but I failed to extract those using lsdata utility.

 

Thanks

Ramesh

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2014-11-17 11:43 AM

The command you have specified is: lsdata -d -0 -time c:\output.text

 

This is not a valid lsdata command. This won't return results.

 

A valid lsdata command would look somewhat like this: lsdata -d 0 -time start end -devices 10.0.0.1

 

You may also use a device type instead of device address, so something like this would also work: lsdata -d 0 -time start end -devices winevent_nic

 

Of course, you'll have to replace 10.0.0.1 with the IP address of the device from which the Windows events are being collected.

 

Could you please share the complete and exact lsdata command you are using to extract the logs along with the output or any error message you get when you run lsdata?

 

I'll need the lsdata command as well as any error messages you are getting while trying to get winevent_nic logs.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2014-11-18 05:37 AM

Hi Susam,

 

I am not receiving any error.Please find the below command where i am specifying the device IP address at -devices "device ip" and the result is only application logs but not any security logs.

 

E:\nic\4100\.....\bin>lsdata -d 0 -time 201411140200 201411140400 -devices "10.164.2.127" >C:\output.txt

 

When i run the below command specifying the device type and the Device IP i am able to see the security logs in the output file.

 

E:\nic\4100\.....\bin>lsdata -d 0 -time 201411140200 201411140400 -devices "winevent_nic:10.164.2.127" >C:\output.txt

 

Thanks

Ramesh

0 Likes
Reply
DelfinAbzueta
Beginner
Beginner
In response to RSAAdmin
‎2014-11-19 09:05 AM

Ramesh

 

I usually use the following command in D-SRV:

 

lsdata -events Syslog -time 20140901000000 20140930000000 -devices winevent_nic:192.168.0.1 > data_file.txt

 

NOTE: The IP address is just an example.

 

If with this you only get Application logs data, please check in your [Monitored] Windows server the configuration of Local Security Setting---> Local Policies ----> Audit Policy to check what kind of information are you logging.

 

And please, please, please, If you want to get help, please provide evidences.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.