This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2009-12-28 12:32 PM

Windows Event Logs - Import existing logs

We are thinking about adding a specific group of Windows workstations to be monitored in enVision. Is it possible to have all existing logs on the workstations added to enVision as well? I am familiar with using lsmaint -rebuild to add events already in enVision to a device that, for instance, was removed as a monitored device then added again. However, I am not familiar enough with the entire process that enVision follows to take the data from log format to the point it is added to the database. Is there a way to either make enVision grab the existing logs from the source? Or perhaps convert the current event logs on the Windows workstations to some other format and import them in a different manner?
0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2009-12-29 03:26 PM

I'm not aware of any easy way to extract the logs into the proper format for injection back into enVision.

 

Obviously if you are using an agent (Snare or EventReporter) then you can configure those agents accordingly.  However I will point out that enVision treats these as seperate devices.  So if you start with say Snare and then move to the agentless collector, you will see two devices listed for the same system.

 

I will raise this idea with development team that's working on the new Windows event collector service to see if they can make this a configurable option within the gui.

 

 

 

 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.