I have a customer that wanted to add a custom device. We did that by creating a connector that connects to every server of the customer, retrieves the data and then sends those events via syslog to NetWitness. We put into every syslog event the IP of the device, and in the parser we also parse that IP as device.ip. When we see the parsed events we get two device.ip values... one for the server, and in the other we get the IP where the software runs (because it is the source of the syslog message)... Is there any way to prevent NetWitness from adding the device.ip from certain IP sources?
Regards,
Max
Can you format the syslog with a header to indicate there was a relay involved (the scripting server)?
https://community.rsa.com/thread/193699
That way the scripting server ends up in forwarded.ip and the end host in device.ip?
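As an added example (not code from this thread, RSA or the connector the question describes), this Python shows a relay emitting RFC 3164 syslog with the polled server's IP in the HOSTNAME field, together with a small model of the decoder-side attribution the reply describes. The IPs, port, tag and the rule "header IP differs from packet source, so header IP becomes device.ip and the source becomes forwarded.ip" are assumptions made for illustration, not documented NetWitness behaviour.

```python
import ipaddress
import re
import socket
import time

# Constructed sample addresses (not from the thread): the end host the
# connector polled and the scripting/relay server that emits the syslog.
ORIGIN_IP = "10.0.5.21"
RELAY_IP = "10.0.9.2"

# Matches "<PRI>Mmm dd hh:mm:ss HOSTNAME rest" (RFC 3164 header layout).
HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def rfc3164_timestamp(epoch=None):
    """RFC 3164 timestamp ("Mmm dd hh:mm:ss") with a space-padded day, UTC."""
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(epoch))
    if stamp[4] == "0":  # strftime zero-pads the day; RFC 3164 space-pads it
        stamp = stamp[:4] + " " + stamp[5:]
    return stamp


def format_rfc3164(origin_host, tag, message, pri=14, stamp=None):
    """Build a syslog line whose HOSTNAME field names the origin server, so the
    relay's own address is only visible as the packet source.
    pri 14 = facility user (1) * 8 + severity informational (6)."""
    stamp = stamp or rfc3164_timestamp()
    return f"<{pri}>{stamp} {origin_host} {tag}: {message}"


def attribute(line, packet_src_ip):
    """Assumed decoder-side rule (illustration only): if the header HOSTNAME is
    an IP address that differs from the packet source, it is the device and the
    packet source is recorded as the forwarding relay."""
    m = HEADER_RE.match(line)
    if m:
        host = m.group(3)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            host = None  # a DNS name, not an IP; fall back to the packet source
        if host and host != packet_src_ip:
            return {"device.ip": host, "forwarded.ip": packet_src_ip}
    return {"device.ip": packet_src_ip, "forwarded.ip": None}


def send_syslog(line, decoder_ip, port=514):
    """Send one line over UDP syslog to the Log Decoder (port is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (decoder_ip, port))
```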