I have been struggling with adding new Windows NIC devices to my ES appliance and decided to log a case with RSA support. My XML file is correct, and if you inject the events via syslog, it adds the device correctly. The problem is that the real-time events come in via the Windows NIC service, not via syslog.
RSA support have advised me that ESI only creates the XML file, and "additional work" is required to actually get an additional Windows NIC device added to the system (similar to using SFTP, SNMP), but this is outside the scope of support. I was advised to engage RSA professional services as they know how to do it, which is really quite annoying as we don't have buckets of money to throw at PS when we were sold an appliance that was "easy to use" etc.
I have used Cisco MARS, and been using Symantec SIM for years, and still cannot get enVision to capture/report on the same devices as the Symantec.
So what "additional work" do I need to do to get additional Windows NIC devices into the system?
BTW, I have run the extractor tool and added the eventlog strings to the system already. If I add the XML to the existing Windows NIC XML file it all works, but I don't want to do this...