This section describes how to configure RSA NetWitness so that it will forward the received events to Feed Service.
To forward events from RSA NetWitness to Feed Service:
Select the Log Decoder that receives the events. If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder.
Create a new application rule for the selected Log Decoder. The Rule Editor window opens.
In the Rule Editor window, specify cybertrace as the rule name and a condition such as the following:
device.type='%DEVICE_NAME_1%'
This is an example of a condition, in which the %DEVICE_NAME_1% string represents the name of the device whose events must be sent to Feed Service (the value of the device.type meta key that RSA NetWitness assigns to events from that device, so it must match that value exactly). Following is another example of a condition, according to which events from Cisco ASA and Check Point Firewall must be sent to Feed Service; several devices are combined with the || operator:
device.type='ciscoasa' || device.type='checkpointfw1'
If an event meets the condition specified here, it will be sent to Feed Service. Events that do not meet the condition are not forwarded.
Figure: Rule Editor window
For information on how to create rules, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/configure-application-rules/ta-p/592148.
For the /decoder/config/logs.forwarding.destination parameter, specify the following destination:
cybertrace=tcp:[IP]:[port]:rfc3164
Here, [IP] is the IP address of the computer on which Feed Service is installed, and [port] is the port that Feed Service listens on for events (by default, port 9999 is used). The IP address and port are the same as those specified on the Settings > Service tab of Kaspersky CyberTrace Web. The name before the equals sign (cybertrace) corresponds to the application rule created earlier, so only events that satisfy that rule are sent to this destination. The rfc3164 suffix makes the Log Decoder forward each event as an RFC 3164 syslog message, that is, with a priority prefix such as <134>, a timestamp and a host name placed in front of the event text.
If the destination is specified without the format suffix, it has the following form:
cybertrace=tcp:[IP]:[port]
Here, [IP] and [port] have the same meaning as above. In both cases, make sure that the Log Decoder can open a TCP connection to [IP]:[port]; a firewall between the Log Decoder and the Feed Service host must allow this traffic.
Where a regular expression value is required, specify (\<\d+\>). This expression matches the priority prefix (for example, <134>) that the rfc3164 format adds to the beginning of each forwarded event, so that the prefix can be separated from the event text.
Figure: Log events forwarding settings
To enable forwarding, specify the value true.
After these actions are performed, RSA NetWitness will forward the events that satisfy the cybertrace rule to the address that you specified in the logs.forwarding.destination parameter.
For more information on event forwarding, refer to https://community.rsa.com/t5/rsa-netwitness-platform-online/decoder-configure-syslog-forwarding-to-destination/ta-p/572084.
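The following script is an added example and is not part of the Kaspersky or RSA documentation. It lets you check the three values from this procedure before you enter them: it validates the form of the logs.forwarding.destination string (name=tcp:IP:port with an optional rfc3164 suffix), parses the device.type condition of the application rule into the set of device names it covers, shows what the (\<\d+\>) expression separates from a forwarded RFC 3164 event, and optionally confirms that the Feed Service port accepts a TCP connection. The destination grammar, the sample event and the host 192.0.2.10 are assumptions made for the example; run the reachability check from the Log Decoder host.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Regular expression quoted in the procedure: it captures the RFC 3164
# priority prefix (for example "<134>") that the rfc3164 forwarding format
# places in front of each forwarded event.
PRIORITY_RE = re.compile(r"(\<\d+\>)")

# Shape of the destination used in the procedure:
#   cybertrace=tcp:[IP]:[port]:rfc3164   or   cybertrace=tcp:[IP]:[port]
# This grammar is an assumption of the example, not an RSA specification.
DESTINATION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)=(?P<proto>[a-z]+):(?P<host>[^:\s]+):(?P<port>\d+)"
    r"(?::(?P<fmt>[A-Za-z0-9]+))?$"
)

# One clause of the application-rule condition: device.type='name'
CLAUSE_RE = re.compile(r"^device\.type='([^']+)'$")


@dataclass(frozen=True)
class Destination:
    name: str
    proto: str
    host: str
    port: int
    fmt: Optional[str]


def parse_destination(value: str) -> Destination:
    """Validate a logs.forwarding.destination value; raise ValueError if unusable."""
    m = DESTINATION_RE.match(value.strip())
    if m is None:
        # An unfilled placeholder such as [IP]:[port] also ends up here.
        raise ValueError(f"not of the form name=tcp:IP:port[:rfc3164]: {value!r}")
    if m.group("proto") != "tcp":
        raise ValueError("Feed Service is addressed over tcp in this procedure")
    ipaddress.ip_address(m.group("host"))  # the page requires an IP address, not a host name
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    fmt = m.group("fmt")
    if fmt is not None and fmt != "rfc3164":
        raise ValueError(f"format suffix {fmt!r} is not covered by this procedure")
    return Destination(m.group("name"), "tcp", m.group("host"), port, fmt)


def is_valid_destination(value: str) -> bool:
    try:
        parse_destination(value)
        return True
    except ValueError:
        return False


def parse_condition(condition: str) -> Set[str]:
    """Return the device.type values covered by a condition joined with ||."""
    types = set()
    for clause in condition.split("||"):
        m = CLAUSE_RE.match(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause.strip()!r}")
        types.add(m.group(1))
    return types


def strip_priority(event: str) -> Tuple[Optional[int], str]:
    """Split a forwarded rfc3164 event into its numeric priority and the rest."""
    m = PRIORITY_RE.match(event)
    if m is None:
        return None, event  # event was forwarded without the rfc3164 suffix
    return int(m.group(1)[1:-1]), event[m.end():]


def check_reachable(dest: Destination, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the Feed Service port can be opened."""
    try:
        with socket.create_connection((dest.host, dest.port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    dest = parse_destination("cybertrace=tcp:192.0.2.10:9999:rfc3164")
    print(dest)
    print("rule covers:", parse_condition("device.type='ciscoasa' || device.type='checkpointfw1'"))
    # Constructed sample of an event as the Log Decoder forwards it with the rfc3164 suffix.
    sample = "<134>Jan 14 10:22:33 asa01 %ASA-6-302013: Built outbound TCP connection"
    print("priority and event text:", strip_priority(sample))
    print("Feed Service reachable:", check_reachable(dest))
```

If parse_destination rejects the string, fix it before pasting it into the Explore view; a placeholder that is still literally [IP] or [port] is the most common mistake. The priority value printed by strip_priority is facility * 8 + severity, so 134 is local0 / informational; Feed Service matches on the text after the prefix.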