ODBC Integration With RSA Security Analytics
I want to integrate my 3 event sources with RSA Secrutiy Analytics for the ODBC log collection,
the event sources are:
1 McAfee ePO 4.5
2 EMC Avamar
3 McAfee Vulnerability Management 7.5
Kindly share the Data source name details, like what I need to mentio in the DSN entries, what enteries, so that on that basis I can create a DSN of the event sources.
And also shares the steps which I need to do on the event source side?
what steps i need to process and go through for the integration of the above mentioned event sources for ODBC.
Thanks to all in advance.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
All the configuration guides for event sources are within SCOL under the enVision > device configuration guides.
As for the DSNs - check on sa.docs.netwitness (specifically here).
Hope this helps.
The problem with setting up ODBC connections in SA is the fact that every DB type has unique requirements when adding DSN value pairs. For instance; When setting up connections to an Oracle 9i vs Oracle 11g, the vaule pairs required for each are:
or portnumber= driver=
The differences can be so subtle it's nearly impossible to to crack the code. When i setup the 2 connection above, I did 9i 1st and it worked just fine. When i did the same setup on 11g it failed everytime because i didn't have portnumber as PortNumber. It actually took 2 developers about 4 hours to determine this was the problem. Also, when adding the DSN's to your event source type, i would refrain from adding an initial tracking ID unless you know the date/timestamp you want to start polling from. If you don't enter the tracking ID correctly, it will inject unkown commands into the SQL statament and it will not work.
I have been working on McAfee ePO 4.5_x myself for a few days now and still haven't been able to get it to work. If i figure out the DSN value pairs i will definitely let you know. Try taking a look at the sample ODBC.ini files in this datadirect guid provided by RSA. The sample files should help you get on the right track....
Hi JHerbst, thanks alot for sharing this information and will try this on our SA by this way and let you know of the same and also we had successfully integrated our McAfee ePO 4_5 (ePolicy virus and epolicy 4_5) for odbc for syslogs and audit logs.
And will send you the parameters which we had added while creating DSN for ePO.
And also if you have an details of other odbc's dsn like EMC Avamar and McAcee Vulnerability Manager, then kindly also share the parameters accordingly.
With driver name to be used, with database server name which we need to add, etc.
Thanks in advance.
In order to setup your ODBC connectivity through Security Analytics for Logs. Please get into the administrative view for devices and then select the Log Collector device and then pull down and select Config.
Tab over to event sources and first select one from the following list of connection methods:
Once you select the appropriate option, you can then select the Config for the next drop down list.
If you then hit the + sign a list of available event source types will be made available.
Pick & choose the one appropriate to your particular needs.
That's great but we're talking about ODBC connections. Not all those events sources are ODBC type connections. Additionally, before you can have an ODBC type of connection you must define the DSN in the Settings tab.
Ok Sorry must have missed that.
I have a bunch of these type connections to get working; so, I'll experiment a little next week.
I'll post any updates I get.
Hi JHerbst, et. All,
I found these docs:
I hope these links help.
Thanks & Regards,