
SA incorrectly parsing RHEL, Solaris, Linux syslogs

Question asked by Jesse Carleton on Jul 16, 2014
Latest reply on Jul 21, 2014 by RSA Admin

Hi,

Looking for some input on how to make these sources come up as their proper source.

Basically we're pushing the events via syslog to SA from RHEL, Solaris, and Linux environments (mixed environment, we also have Windows). In SA, the events get shuffled into a few device types: crossbeam, rhlinux (includes tons of UFW logs, which we would like to come up elsewhere as well), Solaris, and winevent_nic. The only reason I can find for these Unix boxes coming up in winevent_nic is the fact that they're negotiating/querying LDAP/AD.

How can we get these appearing as the appropriate device types?

Thanks in advance.
