NetWitness Log Collector: Logstash export_connector syslog forwarding procedure.
Tasks
Please follow the instructions below to configure syslog forwarding using Logstash in the Log Collector.
- Install the logstash-output-syslog plugin using the steps below.
- Download the attached zip file from the internal notes section, upload it to the Log Collector where Logstash syslog forwarding has to be configured, and install it:
cd /usr/share/logstash/
bin/logstash-plugin install file:///path/to/OUTPUT.ZIP
- Run the commands below to confirm that the logstash-output-syslog plugin appears in the installed plugin list:
cd /usr/share/logstash/
bin/logstash-plugin list
- Configure the Logstash event source for the export connector as follows.
Navigate to
LogCollector-Config->Event Source-> Logstash/Keystore management
and create a key:
Key=test
Password=netwitness
Navigate to
LogCollector-Config->Event Source-> Logstash/Config
Select
Export_connector in event categories to create an instance, and set:
Host= Select the Log Decoder from which events are to be forwarded.
Username=admin
Authentication= Select the key created in the Keystore management page.
Output Configuration is as below.
output {
  syslog {
    id => "forwarded_logs"
    host => "DestinationIP"
    port => 514
    codec => "json"
  }
}
Please refer to Configure Logstash Event Sources in NetWitness for more details on these parameters.
A sample Screenshot of settings is as below.
This configuration will send logs to the configured destination Syslog server/log decoder.
If only filtered logs have to be sent to the destination syslog server/Log Decoder, set the additional settings in the Advanced section of the instance created above.
Below are the settings used to send only device.type='rhlinux' logs.
Query=select * where device.type='rhlinux'
Below is a sample log received from Logstash export connector log forwarding on a different Log Decoder.
Aug 04 06:14:06 %{host} LOGSTASH[-]: {"com_rsa_netwitness_streams_arrival_timestamp":1659593646522,"com_rsa_netwitness_streams_source_trail":["admin@LOGD:50002"],"msg":"systemd: Started Session 54812 of user root.","event_cat":1605010000,"time":1658928662000,"event_time":1658928662,"com_rsa_netwitness_streams_stream":"NwLogstash-export_connector_test3","ec_subject":"NetworkComm","sessionid":6679202,"action":["Started"],"alias_host":["HYB"],"device_disc":95,"did":"cs-nwlogd-33","msg_vid":"systemd","header_id":"0019","device_ip":"10.10.10.10","client":"systemd","device_disc_type":"rhlinux","com_rsa_netwitness_streams_arrival_sequence":1,"event_source_id":"LOGD:50002:6679202","@timestamp":"2022-08-04T06:14:06.522Z","msg_id":"002423","ec_theme":"Communication","device_type":"rhlinux","medium":32,"user_dst":"root","size":114,"log_session_id":"54812","event_cat_name":"System.Normal Conditions.Daemons","device_class":"Unix","@version":"1"}
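To verify on the receiving side that the forwarded stream carries what the filter above was meant to send, the following Python script parses the sample line shown above and checks it. This is an added example written for this article; it is not NetWitness or Logstash code. It assumes the header layout visible in the sample (timestamp, host, program[pid]:, JSON payload) and a constructed list of fields that are expected in every forwarded event. Two details of the sample are worth noticing: the header host is the literal text `%{host}`, which Logstash emits when the event has no `host` field to substitute, and the event's own `time` is about 7.7 days earlier than its arrival timestamp, so forwarded events are not necessarily recent. The checker flags the first and the lag function measures the second.

```python
import json
import re

# Sample forwarded line copied from this article; it is the only input used here.
SAMPLE_LINE = (
    'Aug 04 06:14:06 %{host} LOGSTASH[-]: '
    '{"com_rsa_netwitness_streams_arrival_timestamp":1659593646522,'
    '"com_rsa_netwitness_streams_source_trail":["admin@LOGD:50002"],'
    '"msg":"systemd: Started Session 54812 of user root.","event_cat":1605010000,'
    '"time":1658928662000,"event_time":1658928662,'
    '"com_rsa_netwitness_streams_stream":"NwLogstash-export_connector_test3",'
    '"ec_subject":"NetworkComm","sessionid":6679202,"action":["Started"],'
    '"alias_host":["HYB"],"device_disc":95,"did":"cs-nwlogd-33","msg_vid":"systemd",'
    '"header_id":"0019","device_ip":"10.10.10.10","client":"systemd",'
    '"device_disc_type":"rhlinux","com_rsa_netwitness_streams_arrival_sequence":1,'
    '"event_source_id":"LOGD:50002:6679202","@timestamp":"2022-08-04T06:14:06.522Z",'
    '"msg_id":"002423","ec_theme":"Communication","device_type":"rhlinux","medium":32,'
    '"user_dst":"root","size":114,"log_session_id":"54812",'
    '"event_cat_name":"System.Normal Conditions.Daemons","device_class":"Unix","@version":"1"}'
)

# Header layout as seen in the sample: "MMM dd HH:MM:SS host program[pid]: {json}"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s\[]+)\[(?P<pid>[^\]]*)\]: "
    r"(?P<payload>\{.*\})$"
)

# Constructed list of fields a forwarded NetWitness event is expected to carry.
REQUIRED_KEYS = ("event_source_id", "sessionid", "time", "device_type", "device_ip")


def parse_forwarded_line(line: str) -> dict:
    """Split one forwarded line into its syslog header parts and the decoded JSON event."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not look like a logstash-output-syslog line")
    host = m.group("host")
    return {
        "timestamp": m.group("ts"),
        "host": host,
        # Logstash leaves "%{field}" literally in place when the event has no such field.
        "host_unresolved": host.startswith("%{") and host.endswith("}"),
        "program": m.group("program"),
        "pid": m.group("pid"),
        "event": json.loads(m.group("payload")),
    }


def arrival_lag_ms(event: dict) -> int:
    """Milliseconds between the original event time and its arrival at the export stream."""
    return int(event["com_rsa_netwitness_streams_arrival_timestamp"]) - int(event["time"])


def check_forwarded_event(parsed: dict, expected_device_type: str) -> list:
    """Return a list of findings; an empty list means the line passed every check."""
    findings = []
    event = parsed["event"]
    if parsed["host_unresolved"]:
        findings.append("header host is an unexpanded template: " + parsed["host"])
    for key in REQUIRED_KEYS:
        if key not in event:
            findings.append("missing field: " + key)
    device_type = event.get("device_type")
    if device_type != expected_device_type:
        findings.append("device_type %r does not match filter %r"
                        % (device_type, expected_device_type))
    return findings


if __name__ == "__main__":
    parsed = parse_forwarded_line(SAMPLE_LINE)
    print(parsed["program"], parsed["event"]["event_source_id"])
    print("event-to-arrival lag in days: %.2f" % (arrival_lag_ms(parsed["event"]) / 86400000))
    for finding in check_forwarded_event(parsed, "rhlinux"):
        print("finding:", finding)
```

Feeding the receiver's real lines through `parse_forwarded_line` and `check_forwarded_event` with the device type used in the Query setting gives a quick confirmation that the filter and the JSON codec are behaving as configured; a non-empty findings list for many lines points at the instance configuration rather than at the destination.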
Product Details
RSA Product Set: RSA NetWitness Platform, NetWitness Logs & Network
RSA Product/Service Type: NetWitness Log Collector
RSA Version/Condition: 11.7.X
Platform: CentOS
O/S Version: 7