Hi All,
We have recently moved to v11.3.1.1 on Netwitness and I am trying to use the default Event Source monitoring to send syslog to one of our decoders when a device is inactive for a certain period of time. The default syslog template that is included for v11.3 is as below:
<@compress single_line=true>CEF:0|RSA|NetWitness Platform Event Source Monitoring|${version}|
<#if highAlarmsCount > 0> HighThresholdAlert|ThresholdExceeded|1|cat=${group}|Devices|
<#list 0..highAlarmEventSources?size - 1 as es> <#assign highAlarms = highAlarmEventSources[es]?split("^")>src=${highAlarms[0]}
<#if highAlarms?size > 1><#list 1..highAlarms?size - 1 as i> cs${i}=${highAlarms[i]}</#list></#if>|
</#list></#if> <#if lowAlarmsCount > 0>LowThresholdAlert|ThresholdViolated|1|cat=${group}|Devices|
<#list 0..lowAlarmEventSources?size - 1 as es> <#assign lowAlarms = lowAlarmEventSources[es]?split("^")>src=${lowAlarms[0]}
<#if lowAlarms?size > 1><#list 1..lowAlarms?size - 1 as i> cs${i}=${lowAlarms[i]}</#list></#if>|
</#list></#if></@compress>
This syslog does not parse with the latest CEF parser. It is very disheartening to see Netwitness not able to parse its own syslog from the default template. Is there a particular parser already available for this?
I would also like to know if there is information on other keys that could be included in this template to include more information.
Thanks in advance for the help.
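A constructed illustration, added here and not part of this thread or of RSA's own code: a small Python stand-in that renders the template above for made-up event-source values (mirroring its `^` split and `cs${i}` numbering) and a minimal splitter that follows the CEF layout (seven `|`-delimited header fields, then a space-separated key=value extension), so you can see what one of these lines decomposes into. The sample values, the function names and the treatment of `highAlarmsCount` / `lowAlarmsCount` as "list is non-empty" are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample inputs standing in for the template variables
# (${version}, ${group}, highAlarmEventSources, lowAlarmEventSources).
SAMPLE_MODEL = {
    "version": "11.3.1.1",
    "group": "Firewalls",
    "highAlarmEventSources": ["10.0.0.5^asa^2h"],   # each entry is src^cs1^cs2... (assumed layout)
    "lowAlarmEventSources": [],
}

CEF_HEADER_FIELDS = ("cef_version", "vendor", "product",
                     "version", "signature_id", "name", "severity")


def render_alarm_block(label: str, result: str, group: str, sources: List[str]) -> str:
    """Mirror one threshold block of the template: name|result|1|cat=..|Devices|
    followed by ' src=... cs1=... csN=...|' per event source, fields split on '^'."""
    out = f"{label}|{result}|1|cat={group}|Devices|"
    for entry in sources:
        fields = entry.split("^")
        segment = f"src={fields[0]}"
        for i, extra in enumerate(fields[1:], start=1):
            segment += f" cs{i}={extra}"
        out += f" {segment}|"
    return out


def render(model: Dict[str, object]) -> str:
    """Approximate what the FreeMarker template emits for the model above.
    highAlarmsCount / lowAlarmsCount are stood in for by 'list is non-empty' (assumption)."""
    line = f"CEF:0|RSA|NetWitness Platform Event Source Monitoring|{model['version']}|"
    high = model["highAlarmEventSources"]
    low = model["lowAlarmEventSources"]
    if high:
        line += " " + render_alarm_block("HighThresholdAlert", "ThresholdExceeded",
                                         model["group"], high)
    if low:
        line += " " + render_alarm_block("LowThresholdAlert", "ThresholdViolated",
                                         model["group"], low)
    # <@compress single_line=true>: collapse whitespace runs, drop line breaks
    return re.sub(r"\s+", " ", line).strip()


def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Split per the CEF layout: 'CEF:n' plus six more '|'-delimited header fields
    (an escaped '\\|' does not delimit), then an extension of space-separated key=value pairs.
    Everything after the seventh unescaped '|' is extension text, pipes included."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: expected 'CEF:n' and seven '|'-delimited header fields")
    raw_header = [p.replace("\\|", "|").strip() for p in parts[:7]]
    raw_header[0] = raw_header[0][len("CEF:"):]          # keep just the CEF version number
    header = dict(zip(CEF_HEADER_FIELDS, raw_header))
    # a value runs until the next ' key=' token, so unescaped '|' stays inside the value
    extension = {m.group(1): m.group(2).strip()
                 for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return {"header": header, "extension": extension}


if __name__ == "__main__":
    rendered = render(SAMPLE_MODEL)
    print(rendered)
    for section, fields in parse_cef(rendered).items():
        for key, value in fields.items():
            print(f"{section}.{key} = {value!r}")
```

Under this split, the `|Devices|` that the template writes after `cat=${group}` ends up inside the cat value, and the trailing `|` of each source segment stays attached to the last `cs` value, because CEF treats everything past the seventh pipe as extension text. That is what the CEF layout implies for a line of this shape; whether the NetWitness CEF parser handles it the same way is something only the actual decoder output can show, which is why posting the raw lines (as asked below) matters.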
Hi Shishir,
The CEF parser is the correct parser to handle these logs, and that template should be creating events that the CEF parser can read.
Can you post some of the logs that you are getting from this template?
Also, please ensure that you have the CEF parser enabled on your log decoder services: