This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
jcarleton
Beginner
Beginner
‎2014-07-16 02:59 PM

SA incorrectly parsing RHEL, Solaris, Linux syslogs

Hi,

 

Looking for some input on how to make these sources come up as their proper source.

 

Basically we're pushing the events via syslog to SA from RHEL, Solaris, and Linux environments (mixed environment, also have Windows). In SA, the events get shuffled into a few device types; crossbeam, rhlinux (includes tons of UFW logs, which would like to come up elsewhere as well), Solaris, and winevent_nic. The only reason I can find for these Unix boxes coming up in winevent_nic is the fact that they're negotiating/querying LDAP/AD.

 

How can we get these appearing as the appropriate device types?

 

Thanks in advance.

0 Likes
Reply
4 Replies
jcarleton
Beginner
Beginner
‎2014-07-17 11:59 AM

I should also note, these log sources are correctly parsed in Envision, sent via syslog.

0 Likes
Reply
huanzhou1
Beginner
Beginner
In response to jcarleton
‎2014-07-18 10:12 AM

same here, aix devices log tax as cisiorouter.

0 Likes
Reply
PaulJacoby
Beginner
Beginner
In response to jcarleton
‎2014-07-18 02:23 PM

In enVision there was a way to tweak the priorities on a "multi" device to force enVision to consider events to first be RHEL, then AIX, then other stuff. We had to do this for a number of AIX boxes that one day decided to start logging as Linux instead.

 

Does SA have a similar capability?

 

Very interested in your outcome as we are considering a move to SA from enVision, and have tons of multi-devices.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2014-07-21 11:08 AM

Hello,

We already discussed this issue here

SA doesn't have a capability to select device type manually, so we must invent a bicycle here.

For example you can disable parsers you don't use, or disable parsers that mix the device types for you for a limited time for device get a right type and then enable those parsers back.

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.