Issue collecting winevent_snare logs on NetWitness Virtual Log Collector (VLC)
Issue
The snare logs being sent to the Virtual Log Collector come in as undefined or as a completely different device type. There is no issue with snare logs being sent directly to the log decoder.
Cause
It appears that the tabs in the Snare logs are being converted to spaces on the VLC before the parser sees them. The winevent_snare parser now supports tab-delimited logs in its latest version, so the tab-to-space conversion on the collector is no longer needed and breaks device identification.
Resolution
The fix is to remove the highlighted item (TAB2SPACE) from the character-translation list on the Virtual Log Collector in question (please see screenshot):
TAB2SPACE
Before:
LF2SPACE,CR2SPACE,TAB2SPACE,NULL2SPACE
After:
LF2SPACE,CR2SPACE,NULL2SPACE
Navigate to the VLC's Explore page -> logcollection -> syslog -> eventsources -> syslog-tcp -> tcp514
Note: If UDP is configured on the Snare source instead, the same change needs to be made on the syslog-udp event source. See below:
Navigate to the VLC's Explore page -> logcollection -> syslog -> eventsources -> syslog-udp -> udp514
Then restart the nwlogcollector service after making the above changes.
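The cause and fix described above, as an added illustration (not NetWitness code): a toy model of the VLC's character-translation step followed by a tab-aware check of the kind the winevent_snare parser relies on. The Snare sample line and the MSWinEventLog marker test are assumptions about the Snare format, not taken from this article.

```python
"""Why TAB2SPACE breaks winevent_snare identification on a VLC (illustration)."""

# Translation rules shown in the article, mapped to the character each one
# rewrites as a space.
RULES = {
    "LF2SPACE": "\n",
    "CR2SPACE": "\r",
    "TAB2SPACE": "\t",
    "NULL2SPACE": "\x00",
}

BEFORE = "LF2SPACE,CR2SPACE,TAB2SPACE,NULL2SPACE"  # setting before the fix
AFTER = "LF2SPACE,CR2SPACE,NULL2SPACE"            # setting after the fix


def translate(line: str, setting: str) -> str:
    """Apply the comma-separated translation list to one raw log line."""
    for name in filter(None, (s.strip() for s in setting.split(","))):
        line = line.replace(RULES[name], " ")
    return line


def looks_like_snare(line: str) -> bool:
    """Tab-aware check modelled on the Snare layout (assumption): the second
    tab-separated field carries the MSWinEventLog marker."""
    fields = line.split("\t")
    return len(fields) > 2 and fields[1] == "MSWinEventLog"


def remove_rule(setting: str, name: str) -> str:
    """Drop one rule from the list (the article's fix); safe to run twice."""
    kept = [s.strip() for s in setting.split(",")
            if s.strip() and s.strip() != name]
    return ",".join(kept)


# Constructed sample in Snare's tab-delimited layout (not from the article).
SAMPLE = ("WIN-HOST\tMSWinEventLog\t1\tSecurity\t42\tMon Jan 01 00:00:00 2024"
          "\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit"
          "\tWIN-HOST\tLogon\t\tAn account was successfully logged on.\t0\r\n")


def device_identified(setting: str) -> bool:
    """True if the line still looks like Snare after the VLC's translation."""
    return looks_like_snare(translate(SAMPLE, setting))


if __name__ == "__main__":
    print("before fix:", device_identified(BEFORE))   # False: tabs became spaces
    print("after fix: ", device_identified(AFTER))    # True: tabs preserved
```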
Product Details
NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: LogCollector
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS, AlmaLinux