
ESM CEF Syslog Template for report/dashlet creation

Question asked by Marinos Roussos on Feb 16, 2018
Latest reply on Feb 19, 2018 by Marinos Roussos

I am trying to use what used to be the “ESM CEF Syslog Template” for Syslog notifications in Admin -> Event Sources -> Monitoring Policies.

Ultimately, I would like to create reports from the META values of that Syslog notification, as was possible previously. RSA haven’t provided a proper method of having event source notifications in a dashlet, so I am trying to improvise to see what I can put on a dashlet.

This template is not there anymore; it used to generate the rsa_security_analytics_event_source_monitoring device.type.

The current “ESM Default Syslog Template” also generates that device.type, but the syslog payload is not parsed and is therefore useless.

I tried using the legacy CEF Syslog template that was ported from 10.4 and am getting these errors:

 

CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId}

 

2018-02-16 14:49:29,556 [scheduler_Worker-1] ERROR freemarker.runtime - Template processing error: "Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd."

Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd.
The problematic instruction:
----------
==> ${statement} [on line 1, column 39 in 5a86bce2f280b718fc2132dd]
----------

Java backtrace for programmers:
----------
freemarker.core.InvalidReferenceException: Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd.
        at freemarker.core.TemplateObject.assertNonNull(TemplateObject.java:125)
        at freemarker.core.Expression.getStringValue(Expression.java:118)
        at freemarker.core.Expression.getStringValue(Expression.java:93)
        at freemarker.core.DollarVariable.accept(DollarVariable.java:76)
        at freemarker.core.Environment.visit(Environment.java:221)
        at freemarker.core.MixedContent.accept(MixedContent.java:92)
        at freemarker.core.Environment.visit(Environment.java:221)
        at freemarker.core.Environment.process(Environment.java:199)
        at freemarker.template.Template.process(Template.java:259)
        at com.rsa.netwitness.carlos.notification.Notification.resolve(Notification.java:198)
        at com.rsa.netwitness.carlos.notification.NotificationEngine.resolve(NotificationEngine.java:558)
        at com.rsa.netwitness.carlos.notification.NotificationEngine.dispatch(NotificationEngine.java:448)
        at com.rsa.smc.esm.core.alert.notification.NotificationService.dispatch(NotificationService.java:135)
        at com.rsa.smc.esm.core.alert.notification.NotificationService.dispatchAlarm(NotificationService.java:151)
        at com.rsa.smc.esm.core.alert.notification.NotificationService.processNotifications(NotificationService.java:89)
        at com.rsa.smc.esm.core.jobs.NotificationDispatchJob.executeJob(NotificationDispatchJob.java:26)
        at com.rsa.netwitness.carlos.scheduling.jobs.AbstractJob.execute(AbstractJob.java:61)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)

 

I then tried to use some of the variables from the 10.5 Default Audit CEF templates and got a similar error to the one before:

CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|${operation}|${severity}|rt=${timestamp} src=${sourceAddress} spt=${sourcePort} suser=${identity} sourceServiceName=${deviceService} deviceExternalId=${deviceExternalId} deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}

This worked perfectly before; I don’t know what RSA have done in the meantime. All the variables were previously defined and worked OOTB, so I assumed that I wouldn’t have to start hacking XMLs and breaking parsers to make this work.

In the attachments, you can see a screenshot and a sample report of how it used to work in the past.
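As an added example (not part of the original post, and not RSA's own parser), the following Python script parses CEF syslog lines of the shape that the two templates quoted above would emit, splitting the pipe-delimited header and the key=value extension into report columns, so the fields can be tabulated outside the product while the notification payload is not being parsed. The sample lines are constructed to match those template layouts; EXAMPLE-ID and EXAMPLE-SOURCE are placeholders, not values from the post.

```python
"""Parse CEF syslog notifications (the layout the ESM templates emit) into report rows.

Added example; not RSA's code. Sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")

# An extension key is an identifier followed by '=' that starts the extension or follows
# whitespace. Free text such as "msg=user said x=y" is split at "x=" too; that ambiguity
# is inherent to CEF, so keep free text in the last key (msg) where it does least harm.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\= \\| \\\\ become literal; \\n and \\r become line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(cef: str) -> List[str]:
    """Return the 7 pipe-delimited header fields plus the raw extension string.

    Honours '\\|' (literal pipe) and '\\\\' (literal backslash) inside header fields.
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields + [cef[i:]]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v two k3=v3' into a dict; values run until the next key."""
    keys = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF record; any syslog header before 'CEF:' is kept."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker found in line")
    parts = _split_header(line[idx:])
    record: Dict[str, object] = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    record["version"] = str(record["version"])[len("CEF:"):]
    record["extension"] = _parse_extension(parts[7])
    prefix = line[:idx].strip()
    if prefix:
        record["syslog_prefix"] = prefix
    return record


def to_rows(lines: List[str]) -> List[Dict[str, object]]:
    """Flatten parsed records into one flat dict per line (extension keys become columns)."""
    rows = []
    for line in lines:
        rec = parse_cef(line)
        row = {k: v for k, v in rec.items() if k != "extension"}
        row.update(rec["extension"])  # type: ignore[arg-type]
        rows.append(row)
    return rows


def count_by(rows: List[Dict[str, object]], key: str) -> Dict[object, int]:
    """Count rows per distinct value of a column, the way a dashlet pivot would."""
    return dict(Counter(row.get(key, "<missing>") for row in rows))


# Constructed sample input: line 1 follows the legacy ESM CEF template layout (with a syslog
# header in front), line 2 the 10.5 audit CEF layout. Placeholders, not real values.
SAMPLE_LINES = [
    "<13>Feb 16 14:49:29 esa-host CEF:0|RSA|Security Analytics ESA|10.4|Service Down|"
    "Event Source Monitoring|7|rt=Feb 16 2018 14:49:29 id=EXAMPLE-ID source=EXAMPLE-SOURCE",
    "CEF:0|RSA|NetWitness Audit|10.5|Authentication|login|5|rt=1518792569000 src=192.0.2.10 "
    "spt=51234 suser=analyst sourceServiceName=sa-server deviceExternalId=EXAMPLE-ID "
    "deviceProcessName=jetty outcome=failure msg=Login failed: reason\\=bad credentials",
]

if __name__ == "__main__":
    for row in to_rows(SAMPLE_LINES):
        print(row)
    print(count_by(to_rows(SAMPLE_LINES), "device_product"))
```

Feeding the script the lines a syslog collector has already written to disk gives a flat table (one column per header field and per extension key) that can be loaded into any reporting tool; header-level escapes are honoured, and a line without a `CEF:` marker or with fewer than seven header fields is rejected rather than silently producing empty columns.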
