Inventory Of Machines
Hello,
Does anyone know of a way RSA SA would be able to create a list of hostnames or IPs of machines that are sending logs?
I have made a change to 100 Unix machines and want to be sure all 100 machines are sending logs to SA. So, instead of searching each one in SA 1 by 1, is there a way I can have a list generated which would display all of the IPs or host names in a single report?
I just want to verify that all Unix machines are logging to SA, but I also don't want to query each machine manually 1 by 1.
Thanks.
Accepted Solutions
Check the Event Source Monitoring View - RSA Security Analytics Documentation
Also available with the REST API: https://<log-decoder>:50102/decoder?msg=logStats
I'd create a report, summarize by Event Count and select only device.ip, then group by device.ip. You can narrow down your search by adding to the where clause.
This report should give you all the devices that are reporting to SA and tell you how many logs per device IP. If the device isn't logging to SA then the IP will not display on this report. I actually have this run as a report each morning. I'll explain.
In our setup we have 6 VLCs that report to the LC exclusively. So my morning report shows how many logs are being sent to the LC (all the VLCs combined) as well as how many logs each VLC collects. From there, I have a list of the VLCs and all the IPs ordered by log count. For example...
Total logs: 30,000,000
Device Name : Log Count
VLC 1: 5,000,000
VLC 2: 5,000,000
VLC 3: 5,000,000
VLC 4: 5,000,000
VLC 5: 5,000,000
VLC 6: 5,000,000
VLC1 -
IP address 1 : 1,000,000
IP address 2 : 1,000,000
IP address 3 : 1,000,000
VLC2 -
IP address 1 : 1,000,000
IP address 2 : 1,000,000
IP address 3 : 1,000,000
You probably get the point. I find this to be a pretty useful report.
Hope this helps.
-Rob
The LogStats tab (Admin->Devices->Log Decoder, Stats View) is another useful place to check.
Andy
Thank you very much everyone for your help.
I really appreciate it a lot.
What worked for me the best was what Yohann posted above.
The document posted actually lets you pick the event source, and then allows you to export it as a CSV file.
So, this is going to really help when it comes down to auditing to see which machines are sending logs to SA.
Thanks again for all the help!
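Both the report approach (summarize by device.ip) and the Event Source Monitoring CSV export leave you with a list of IPs that did send logs; the remaining step is to reconcile that list against the inventory of the 100 changed hosts so the ones that went silent stand out. The script below is an added example written for this thread, not RSA's code or anything from the documentation linked above. It assumes the export was saved as CSV with a `device.ip` column and an event-count column (column names are assumptions, configurable as parameters), and the sample rows and the expected-host list are constructed. A logStats REST response would need its own parser, since its format is not shown in the thread.

```python
"""Reconcile a NetWitness device.ip report export against an expected host inventory.

Added example for this thread, not part of the product. Column names and
sample data are assumptions/constructed.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set

# Constructed sample of a report/CSV export: which devices sent logs, and how many.
# 10.1.1.12 appears with a zero count; 10.1.1.13 is absent; 10.1.1.99 is not in inventory.
SAMPLE_EXPORT = """device.ip,Event Count
10.1.1.10,120433
10.1.1.11,98021
10.1.1.12,0
10.1.1.14,5
10.1.1.99,42
"""

# Constructed inventory of the hosts that were changed and should be logging.
EXPECTED_HOSTS = ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14"]


def parse_export(text: str, ip_column: str = "device.ip",
                 count_column: str = "Event Count") -> Dict[str, int]:
    """Return {device_ip: event_count} from a CSV export.

    Rows with an unparsable IP or count are skipped rather than aborting the
    whole reconciliation; counts for a repeated IP are summed.
    """
    counts: Dict[str, int] = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw_ip = (row.get(ip_column) or "").strip()
        raw_count = (row.get(count_column) or "0").replace(",", "").strip()
        try:
            ip = str(ipaddress.ip_address(raw_ip))  # normalises the address text
            count = int(raw_count)
        except ValueError:
            continue
        counts[ip] = counts.get(ip, 0) + count
    return counts


def reconcile(expected: List[str], counts: Dict[str, int],
              min_events: int = 1) -> Dict[str, List[str]]:
    """Classify each expected host as 'ok' (at least min_events), 'silent'
    (present in the export but below the threshold) or 'missing' (never
    appeared in the export). Exported IPs that are not in the inventory are
    listed under 'unexpected' so unplanned sources are noticed too.
    """
    expected_set: Set[str] = {str(ipaddress.ip_address(h)) for h in expected}
    result: Dict[str, List[str]] = {"ok": [], "silent": [], "missing": [], "unexpected": []}
    for host in sorted(expected_set, key=ipaddress.ip_address):
        if host not in counts:
            result["missing"].append(host)
        elif counts[host] < min_events:
            result["silent"].append(host)
        else:
            result["ok"].append(host)
    result["unexpected"] = sorted(set(counts) - expected_set, key=ipaddress.ip_address)
    return result


if __name__ == "__main__":
    summary = reconcile(EXPECTED_HOSTS, parse_export(SAMPLE_EXPORT))
    for state, hosts in summary.items():
        print(f"{state:>10}: {', '.join(hosts) or '-'}")
```

Run it against the real export by replacing `SAMPLE_EXPORT` with the file contents and `EXPECTED_HOSTS` with the change list; the `missing` and `silent` buckets are the hosts to chase, and `unexpected` catches devices reporting that were not on the list. The threshold is separate from presence because a host can appear in the report window with a count that is effectively zero.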
