How to forward the row logs from RSA SA Netwitness SIEM to Logrhythm?
We have below architecture flow for RSA SA SIEM logging.
End device >> VLC >> Log Hybrid >> Archiver >> ESA >> SA
We wanted to forward the row logs of the end devices (which comes to RSA SIEM) to Logrhythm SIEM.
While some of the end devices do have the option to enable syslog for multiple destinations but not all of them.
I referred below documents but not really sure if it serves the requirement.
It says that logs of "syslog devices" can be forwarded from Log decoder to the other Syslog server. But what about the other event sources like windows, DBs etc.
Any suggestion/help around this would be much appreciated
The reason that syslog can be forwarded easier than, lets say, Windows or ODBC, is because of the way the logs are collected. Syslog is essentially a standard formatted log sent via UDP or TCP to port 514. The Syslog listener accepts whatever is received on port 514. Forwarding them onto another syslog device is relatively simple because that device is also listening on port 514 and will receive them. In both cases, the log processing device is expecting a syslog formatted log and can parse or process the log accordingly.
With other types of logs such as Windows or Databases, the log processing device is receiving them via another collection method, in Windows it would be WinRM or with Datbases, it might be ODBC or some form of sftp file transfer. In each case, the log processing device "knows" what it is expecting through the systems internal configuration parameters.
In order to send non-syslog event sources from Netwitness to a third-party would require Netwitness to fully support the method the third-party log processing device is expecting for that log source.
Thanks for the detailed response.
Also wanted to ask you when we are talking about "syslog" forwarding (since it's supported) from Log decoder to the other third-party SIEM, will that be row log forwarding or RSA modified version of the log forwarding?
Sorry for the delayed response. The log's header would have the originating device ip address as the Netwitness Log Decoder.
Is this any way to include raw message as a part of forwarding alertsin CEF or other format?
May be we can forward raw messages, exporting them via api and then forwarding by some syslog daemon?
I know, the will not be clear "raw",but at least they will include all data, noot the one, thatwe chose to be parsedby NW.