
NetWitness - How to Add Syslog Severity & Facility Meta to Incoming Syslog

Issue

Syslog severity and facility meta (pri.severity and pri.facility) is not populated on syslog received by Log Decoders. The values cannot be parsed because they are not visible in the message.


Resolution

The following must be done for the syslog severity and facility meta to show up on the Log Decoder:
  1. Edit the /etc/netwitness/ng/table-map-custom.xml file on the Log Decoder to include the following:
    <mapping envisionName="pri.severity" nwName="pri.severity" format="Int32" flags="None" />
    <mapping envisionName="pri.facility" nwName="pri.facility" format="Int32" flags="None" />
  2. Edit the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator to include the following:
    <key description="Syslog Facility" format="Int32" level="IndexValues" name="pri.facility" valueMax="10000" />
    <key description="Syslog Severity" format="Int32" level="IndexValues" name="pri.severity" valueMax="10000" />
  3. Restart the Log Collector, Log Decoder and Concentrator services in order to reflect the changes.  The values should then begin to show up in the investigation module within Security Analytics.
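The two Int32 values the keys above hold are derived from the syslog PRI header, where PRI = facility * 8 + severity. The following is an added example, not part of this article or of NetWitness itself: it extracts both values from constructed sample syslog lines (returning nothing for a line without a PRI header, the case this article describes) and checks that a custom XML fragment declares both keys before you restart services. The placeholder root element wrapping the article's two mapping lines is an assumption; the real file's root element is not shown here.

```python
import re
import xml.etree.ElementTree as ET

# A syslog PRI header is "<N>" where N = facility * 8 + severity (RFC 3164 / RFC 5424).
# These are the two Int32 values the article's pri.facility / pri.severity keys hold.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def pri_meta(line):
    """Return {'pri.facility': f, 'pri.severity': s} for a raw syslog line, or None
    when the line has no valid PRI header (the situation the article describes:
    the meta cannot be parsed because it is not present in the message)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {"pri.facility": pri >> 3, "pri.severity": pri & 7}

def declares(xml_text, tag, attr, names):
    """True if every name in `names` appears as <tag attr="name"> in xml_text.
    Use it to confirm a custom XML file carries both keys before restarting services."""
    root = ET.fromstring(xml_text)
    present = {el.get(attr) for el in root.iter(tag)}
    return set(names) <= present

# Constructed sample input: two syslog lines with a PRI header and one without.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host01 su: 'su root' failed for user on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z host02 evntslog - ID47 - An application event",
    "Oct 11 22:14:15 host03 cron[123]: line forwarded without a PRI header",
]

# Constructed fragment: the article's two <mapping> lines wrapped in an assumed
# placeholder root element so the fragment parses on its own.
TABLE_MAP_FRAGMENT = """<mappings>
    <mapping envisionName="pri.severity" nwName="pri.severity" format="Int32" flags="None" />
    <mapping envisionName="pri.facility" nwName="pri.facility" format="Int32" flags="None" />
</mappings>"""

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        meta = pri_meta(line)
        label = SEVERITY_NAMES[meta["pri.severity"]] if meta else "no PRI -> meta not populated"
        print(meta, label)
    print("table-map-custom.xml declares both keys:",
          declares(TABLE_MAP_FRAGMENT, "mapping", "nwName", ["pri.severity", "pri.facility"]))
```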

If you are unsure of any of the steps above or experience any issues, contact NetWitness Customer Support and mention article 000029305 for further assistance.

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Decoder
NetWitness Version/Condition: 12.x
Platform: CentOS / AlmaLinux
O/S Version: 7 / 8.9
