Renato Goncalves

RSA Log Decoder rule error

Discussion created by Renato Goncalves on Sep 20, 2018
Latest reply on Sep 27, 2018 by Renato Goncalves

Hello everyone,


I recently noted that we are obtaining an error in the log decoder configurations.


Two of the rules that are configured are highlighted. The rules are nw30060 and account:logon-success-direct-access.


They have the following syntax:


nw30060:'528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')


account:logon-success-direct-access ((ec.activity='Logon' && ec.outcome='Success') || ('User.Activity.Successful Logins')) && logon.type='2','10'


I tried to test them in the reports view, but I also noticed that the meta have disappeared and it is now retrieving the following information:


Schema fetched from data source is null for data source xxxxx.

I tried to use all the data sources that we have and it stays the same.