Log Collector with multiple Syslog Ports
I have a little question, let's say we have a Log Collector with two syslog ports as receivers, is any way to put in a meta of the event on which of those two ports the event was received?
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
- syslog logs
- syslog port
Currently there is no built-in Log Decoder feature that will identify the port a log message was received on.
I have heard that RSA Engineering is considering something like this as a possible feature for the future, though no confirmation if it will ever happen.
If you want to add your request/comments for this feature to be considered, please submit an idea on the RSA Ideas for the RSA NetWitness Platform webpage, https://community.rsa.com/community/products/netwitness/ideas.
In the meantime consider this work-around.
Assuming you know something else that identifies which of the 2 syslog ports the log messages arrived on.
Like the Device IP (device.ip), then you could create a Custom Feed .csv file that contains a table of possible Device IPs the Log Collector will see, and the syslog port you have determined those logs will use.
So when a syslog message appears for a known Device IP then a selected meta field can get the syslog port value from the Custom feed .csv file.
Reference: Decoder: Create a Custom Feed - https://community.rsa.com/docs/DOC-83589
Thank you very much Vincent. Sadly, I can't use feeds to achive what I need, because the same device ip will provide several syslogs stream through different ports.