
RSA NetWitness parsing order

Question asked by Shishir Kumar on Aug 1, 2018
Latest reply on Aug 8, 2018 by Ronald Roskens

While going through the logs, I identified that a few of the event sources are being identified as multiple event source types.

For example, an event source from Linux was identified as aix, bigip, ciscorouter, junosrouter, oracle, tippingpoint, bigipapm, cisconoxos.

I had to hard tag it to the rhlinux log source type. But as we have a huge environment, identifying and hard tagging each device type is really going to be an enormous task for us. I would like to know how RSA identifies which parser to use against which log source type.

I individually opened each of these parsers in the NW Log Parser tool and I could see each of them parsed the Linux messages. This was a huge surprise for me, as I thought one log source type should not be able to parse logs from other types, as the headers will be different. But the log source types mentioned above have a generic header which is common among all the parsers.


For example, the log:

Jul 31 12:40:03 hostname sshd[24721]: Accepted publickey for root from 1.1.1.1.1 port 63255 ssh2: RSA 6ß:e5:c1:d0:55:b2:b7:aa:0c:2d:65:55:5c:a9:d5:f0 [MD5]

can be parsed using any of the parsers referred to above.


I would like to know if there is an alternative to hard tagging, as in our environment we have lots of auto-discovered syslog, and manually tagging them is going to be difficult.
