This section describes how to configure RSA NetWitness so that it forwards the events it receives to Feed Service.
To forward events from RSA NetWitness to Feed Service, perform the following steps:
Selecting a Log Decoder
If more than one Log Decoder is used for receiving events, repeat the following steps for each Log Decoder.
The Rule Editor window opens.
Name of the rule: cybertrace
Condition: device.type='%DEVICE_NAME_1%'
This is an example of a condition in which the %DEVICE_NAME_1% string stands for the name of the device whose events must be sent to Feed Service. The following condition is another example; it sends events from Cisco ASA and Check Point Firewall to Feed Service:
device.type='ciscoasa' || device.type='checkpointfw1'
Every event that meets the condition specified here is sent to Feed Service.
Rule Editor window
For information on how to create rules, refer to https://community.rsa.com/docs/doc-41983.
Value of the logs.forwarding.destination parameter: cybertrace=tcp:[IP]:[port]
Here [IP] is the IP address of the computer on which Feed Service is installed, and [port] is the port that Feed Service listens on for events (by default, port 9999). These are the IP address and port specified in the InputSettings > ConnectionString element of the Feed Service configuration file.
Log events forwarding settings
true
After these actions are performed, RSA NetWitness forwards the events that satisfy the cybertrace rule to the address that you specified in the logs.forwarding.destination parameter.
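As an added illustration that is not part of the original documentation or of the Kaspersky product, the following Python script derives the two NetWitness values above from a Feed Service configuration file: it reads the InputSettings > ConnectionString element, builds the logs.forwarding.destination value and the app-rule condition, and rejects a listen address of 0.0.0.0 because NetWitness needs the host's reachable address, not a bind-all address. The XML layout around the ConnectionString element, its IP:port value format and the device-type naming rule are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Feed Service configuration file. The element path
# InputSettings > ConnectionString is the one the documentation names; the root
# element and the "IP:port" layout of the value are assumptions.
SAMPLE_CONFIG = """<Configuration>
  <InputSettings>
    <ConnectionString>0.0.0.0:9999</ConnectionString>
  </InputSettings>
</Configuration>"""


def parse_connection_string(config_xml: str) -> tuple[str, int]:
    """Return (ip, port) from the InputSettings > ConnectionString element."""
    root = ET.fromstring(config_xml)
    node = root.find("./InputSettings/ConnectionString")
    if node is None or not node.text:
        raise ValueError("InputSettings/ConnectionString not found")
    host, _, port = node.text.strip().rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError if host is not an IP address
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, int(port)


def forwarding_destination(ip: str, port: int, rule_name: str = "cybertrace") -> str:
    """Build the logs.forwarding.destination value for the named rule.

    0.0.0.0 only tells Feed Service to listen on all interfaces; NetWitness
    cannot send to it, so the caller must pass the host's real address instead.
    """
    if ipaddress.ip_address(ip).is_unspecified:
        raise ValueError("ConnectionString listens on all interfaces; "
                         "use the Feed Service host's reachable IP address")
    return f"{rule_name}=tcp:{ip}:{port}"


# Assumed naming rule for NetWitness device types: lowercase letters, digits, '_'.
_DEVICE_TYPE = re.compile(r"[a-z0-9_]+")


def rule_condition(device_types: list[str]) -> str:
    """Build the app-rule condition matching one or more device.type values."""
    if not device_types:
        raise ValueError("at least one device type is required")
    for dev in device_types:
        if not _DEVICE_TYPE.fullmatch(dev):
            raise ValueError(f"unexpected device type name: {dev!r}")
    return " || ".join(f"device.type='{dev}'" for dev in device_types)
```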