Hello!
I'm helping customer now to migrate from rsa enVision to RSA SA. He wants to do minimum work during this prosess and to save all previos configuration. On RSA enVision we are getting logs from ArcSight Connector through syslog in CEF format and all works good. But for RSA SA this is "Unidentified content". How can we managed it?
ArcSight Smart Connector can't send logs in proper (for RSA SA) format.
Also we are trying to send these logs to Virtual Remote Collector, if it matters.
Hello, Eric!
I have 10.6 RSA SA. CEF enabled and installed, but I have error on the stage of getting syslog, like in this case:
000016890 - CyberArk Syslog messages display as 'unidentified content' in RSA Security Analytics
I have standart format of CEF, like:
CEF:0|Mirosoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4768|A Kerberos authentication ticket (TGT) was requested |Low| eventId=17271719 externalId=4768 msg=Certificate information is only provided if a certificate was used for pre-authentication types, ticket options, encription types and result codes are defined in RFC 4120 categorySignificance=/Informational/Warning categoryBehavior=/Authentication/Verify categoryDeviceGroup=/Operating System and so on.
I understand that hte problem is that there is not RFC format. But enVision works with it correctly, maybe there is the way to make RSA SA to work with it as well.
Have you implemented the two files at the bottom of that post to set eh proper RFC ?
The CEF parser in SA requires a specific format of header and hostname for the messages to parse. It looks like the additional two files will be able to set those parameters on the collector so that the messages are properly formatted for RSA NW/SA.
If that doesn’t work, please open a support case and RSA support will assist you with this.
Eric
Eric, as I can see, author of this post suggest to change CyberArc config, not RSA Collector. And I have no such variables on my ArcSight Collector. I will open a support case.
What version of NetWitness are you using ?
Is the Common Event Format (CEF) parser enabled and installed on the log decoders ?
can you provide a sample format of the logs that are being sent from the arcsight connector ?