
Meta device.ip or device.host doesn't show for Windows Eventing logs in RSA NetWitness Platform

Issue

The Device IP meta field (device.ip) doesn't show the Windows Eventing host source IP address in RSA NetWitness.
 
The user sees log messages being collected, but they don't contain the source IP address, which is normally expected under the Device IP meta key.

Alternatively, the Device Hostname meta field (device.host) isn't populated from the Windows Eventing logs.


Cause

For NetWitness Windows Eventing log collection, the NetWitness Log Collector doesn't extract the Device IP address (device.ip) or the Device Hostname (device.host) from the content of the collected Windows messages.

Instead, the Device IP or Device Host value is taken from the NetWitness Log Collector's Windows Eventing host configuration, specifically the Event Source Address configured for the host.

If the Host's Event Source Address is configured with an IP address, then the IP address value is populated under the Device IP (device.ip) meta key.


If the Host's Event Source Address is configured with a hostname or FQDN, then that value is populated under the Device Host (device.host) meta key.


Resolution

For consistency, configure all Windows Eventing Hosts in NetWitness the same way, using either IP addresses or hostnames for the Event Source Address, depending on which meta field (device.ip or device.host) is most useful for your environment.
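The following is an added example, not part of the original article and not NetWitness code. It applies the rule described above to a constructed list of Event Source Address values (the list and the function names are assumptions for illustration): an IP literal is predicted to populate device.ip, anything else device.host, and the audit flags a mixed configuration where some hosts will land in one meta key and some in the other.

```python
import ipaddress
from collections import Counter

# Constructed sample of Event Source Address values as they might be configured
# for Windows Eventing hosts on a Log Collector. Not taken from any real system.
SAMPLE_EVENT_SOURCE_ADDRESSES = [
    "10.1.2.3",
    "dc01.corp.example",
    "10.1.2.4",
    "fileserver",
    "fd00::10",
]


def meta_key_for_address(address):
    """Return the meta key the configured Event Source Address will populate.

    Per the article: an IP address (IPv4 or IPv6 literal) ends up under
    device.ip; a short hostname or FQDN ends up under device.host.
    """
    value = address.strip()
    # Tolerate a bracketed IPv6 literal such as "[fd00::10]".
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    try:
        ipaddress.ip_address(value)
        return "device.ip"
    except ValueError:
        return "device.host"


def audit_event_sources(addresses):
    """Map each configured address to its meta key and check consistency.

    Returns a dict with the per-host mapping, a count per meta key, and a
    'consistent' flag that is True only when every host resolves to the
    same meta key (the configuration the Resolution section recommends).
    """
    mapping = {a: meta_key_for_address(a) for a in addresses}
    counts = Counter(mapping.values())
    return {
        "mapping": mapping,
        "counts": dict(counts),
        "consistent": len(counts) <= 1,
    }


if __name__ == "__main__":
    result = audit_event_sources(SAMPLE_EVENT_SOURCE_ADDRESSES)
    for host, key in result["mapping"].items():
        print(f"{host:20} -> {key}")
    print("counts:", result["counts"])
    if not result["consistent"]:
        print("Mixed configuration: analysts must query both device.ip and device.host.")
```

Run it against the Event Source Address values from your own Log Collector configuration; a `consistent` result of `False` means analysts will have to query both device.ip and device.host to find all Windows Eventing sources.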


Internal Comments

UserName:shurtj
8/7/2014 1:46:07 PM - Updated Article
Updated article and made changes to abide by Primus best practices.

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS

Summary

Sometimes the Device IP meta field (device.ip) is populated and sometimes the Device Hostname meta field (device.host) is populated in NetWitness from the Windows Eventing logs, depending on how each host's Event Source Address is configured.
