I am trying to use what used to be “ESM CEF Syslog Template” for Syslog notifications in admin->event sources-> monitoring policies.
Ultimately, I would like to create reports from the META values from that Syslog notification like it was possible previously. RSA haven’t provided a proper method of having event source notifications in a dashlet so I am trying to improvise to see what I can put on a dashlet.
This template is not there anymore, and it used to generate the rsa_security_analytics_event_source_monitoring device.type.
The current “ESM Default Syslog Template” also generates that device.type, but the syslog payload is not parsed and is therefore useless.
I tried using the legacy CEF Syslog template that was ported from 10.4 and am getting these errors:
CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId}
2018-02-16 14:49:29,556 [scheduler_Worker-1] ERROR freemarker.runtime - Template processing error: "Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd."
Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd.
The problematic instruction:
----------
==> ${statement} [on line 1, column 39 in 5a86bce2f280b718fc2132dd]
----------
Java backtrace for programmers:
----------
freemarker.core.InvalidReferenceException: Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd.
    at freemarker.core.TemplateObject.assertNonNull(TemplateObject.java:125)
    at freemarker.core.Expression.getStringValue(Expression.java:118)
    at freemarker.core.Expression.getStringValue(Expression.java:93)
    at freemarker.core.DollarVariable.accept(DollarVariable.java:76)
    at freemarker.core.Environment.visit(Environment.java:221)
    at freemarker.core.MixedContent.accept(MixedContent.java:92)
    at freemarker.core.Environment.visit(Environment.java:221)
    at freemarker.core.Environment.process(Environment.java:199)
    at freemarker.template.Template.process(Template.java:259)
    at com.rsa.netwitness.carlos.notification.Notification.resolve(Notification.java:198)
    at com.rsa.netwitness.carlos.notification.NotificationEngine.resolve(NotificationEngine.java:558)
    at com.rsa.netwitness.carlos.notification.NotificationEngine.dispatch(NotificationEngine.java:448)
    at com.rsa.smc.esm.core.alert.notification.NotificationService.dispatch(NotificationService.java:135)
    at com.rsa.smc.esm.core.alert.notification.NotificationService.dispatchAlarm(NotificationService.java:151)
    at com.rsa.smc.esm.core.alert.notification.NotificationService.processNotifications(NotificationService.java:89)
    at com.rsa.smc.esm.core.jobs.NotificationDispatchJob.executeJob(NotificationDispatchJob.java:26)
    at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
I then tried to use some of the variables from the 10.5 Default Audit CEF templates and got a similar error to the one before:
CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|${operation}|${severity}|rt=${timestamp} src=${sourceAddress} spt=${sourcePort} suser=${identity} sourceServiceName=${deviceService} deviceExternalId=${deviceExternalId} deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}
This worked perfectly before; I don’t know what RSA have done in the meantime. All the variables were previously defined and worked OOTB, so I assumed I wouldn’t have to start hacking XMLs and breaking parsers to make this work.
Attached, you can see a screenshot and a sample report of how it used to work in the past.
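The post turns on two things: a FreeMarker template that fails as soon as one variable (`${statement}`) is undefined in the notification context, and a CEF payload that is only useful if the receiving side actually parses it back into meta keys. The following is an added example, not code from the post or from RSA NetWitness/ESA: a small CEF encoder and decoder in Python. The encoder substitutes a placeholder for any missing header field rather than aborting (the same idea as FreeMarker's default-value operator, `${statement!"unknown"}`), and the decoder turns a CEF line back into a flat dict of meta keys, honouring the CEF escaping rules for `|` in the header and `=` in the extension. The sample record is constructed here and modelled loosely on the 10.4 template quoted above; the vendor/product strings are illustrative.

```python
"""Minimal CEF (Common Event Format) encoder/decoder.

Added example, not code from the RSA product or the post.
Layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
Header fields escape '|' and '\\' with a backslash; extension values escape
'=' and '\\' (and CR/LF as \\r / \\n).
"""
import re

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")

# Regex for an extension key: must sit at the start or right after a space,
# so an escaped "\=" inside a value can never be mistaken for a key.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.\-]+)=")


def _escape_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def render_cef(header, extension, missing="unknown"):
    """Build one CEF line from a header dict and an extension dict.

    A header field absent from `header` becomes `missing` instead of raising,
    which is what the failing FreeMarker template above does not do.
    """
    parts = ["CEF:0"] + [_escape_header(header.get(f, missing)) for f in HEADER_FIELDS]
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in extension.items())
    return "|".join(parts) + "|" + ext


def _split_header(line):
    """Split on unescaped '|' until seven header fields are collected.
    Escapes are left in place so the caller unescapes exactly once."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, line[i:]


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_cef(line):
    """Parse one CEF line into a flat dict of meta keys.
    Raises ValueError for a non-CEF line or a short header."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line)
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}")
    meta = {"cef_version": fields[0][len("CEF:"):]}
    for name, raw in zip(HEADER_FIELDS, fields[1:]):
        meta[name] = _unescape(raw)
    meta.update(_parse_extension(ext))
    return meta


# Constructed sample record (not real ESA output); values chosen to exercise
# the '|' escape in the header and the '=' escape in the extension.
SAMPLE_HEADER = {"vendor": "RSA", "product": "Security Analytics ESA", "version": "10.4",
                 "signature_id": "Event Source Down", "name": "Event Source|Offline",
                 "severity": 5}
SAMPLE_EXT = {"rt": "Feb 16 2018 14:49:29", "id": "notif-0001",
              "source": "host=lc01", "msg": "heartbeat missed"}

if __name__ == "__main__":
    line = render_cef(SAMPLE_HEADER, SAMPLE_EXT)
    print(line)
    print(parse_cef(line))
    # A header with only the vendor set still renders and parses cleanly.
    print(parse_cef(render_cef({"vendor": "RSA"}, {})))
```

The decoder deliberately refuses a line with fewer than seven header fields rather than guessing, since a half-parsed header silently misfiles severity and signature ID. Whether the ESM notification context in the current release still exposes names like `statement` and `moduleName` is a separate question that only the product's template documentation can answer; the default-value operator only stops the template engine from aborting, it does not recover data the engine was never handed.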
This might be what you are looking for:
https://community.rsa.com/community/products/netwitness/blog/2016/10/19/lua-common-event-format-cef-script-template
https://community.rsa.com/docs/DOC-84388
Guy