
NetWitness Log Decoder syslog forwarding with rfc3164 format is not working

Issue

NetWitness Log Decoder (LD) syslog forwarding has been configured as described in Configure Syslog Forwarding to Destination.

Sample configuration:
  1. Create App rules as below.
    name=receiver5 rule="device.type='winevent_nic'" alert=alert forward order=1
    name=receiver6 rule="device.type='winevent_nic'" alert=alert forward order=2
     
  2. Forward the same logs to two different syslog servers: one without any additional fields prepended, the other in rfc3164 format.
    logs.forwarding.destination=receiver5=tcp:10.10.10.11:514 receiver6=tcp:10.10.10.12:514:rfc3164
     
  3. Capture the outgoing traffic to the rfc3164 destination to verify the format:
    tcpdump -i any host 10.10.10.12 and dst port 514 -w Test.pcap
     

The logs forwarded to the rfc3164 destination do not carry the header that the rfc3164 setting should prepend (priority, date and host IP). A captured message looks like this:
 
%NICWIN-4-Security_4624_Microsoft-Windows-Security-Auditing: Security,rn=6886839553 cid=14080 eid=1056,Thu Sep 02 05:25:27 2021,4624,Microsoft-Windows-Security-Auditing,,Audit Success,test.com,Logon,,An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-266849940-1637104444-929701000-3877854 Account Name: XYZ$ Account Domain: AD.Test.COM Logon ID: 0x744192AA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {B794C59C-763D-7294-31C0-59F97054F8E5} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.152.102.2 Source Port: 55625 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0

Cause

When two App Rules share the same rule condition (here device.type='winevent_nic') and forward to two different destinations, the Log Decoder creates only one forwarding instance for the matching log/session, because both rules fire on the same event.

As a result, the log is forwarded to both destinations using the formatting specified in logs.forwarding.destination for the App Rule with the higher priority, i.e. the one with the lower order number.

So if the App Rule that forwards in RFC 3164 format has a lower order number than the App Rule that forwards without formatting, both destinations receive RFC 3164-formatted logs. Conversely, if the unformatted App Rule has the lower order number, both destinations receive the original logs exactly as received by the LD. In the sample configuration above receiver5 (unformatted, order=1) wins, which is why receiver6 gets unformatted logs.

This use case (the same rule condition with a different format per destination) is therefore not currently supported by the LD.

Workaround

To get correctly formatted logs to the rfc3164 destination, give the App Rule that forwards in rfc3164 format the lower order number so that it is evaluated first:

name=receiver5 rule="device.type='winevent_nic'" alert=alert forward order=2
name=receiver6 rule="device.type='winevent_nic'" alert=alert forward order=1

The logs forwarded to the rfc3164 destination then begin with the priority, date and host IP fields. Note that, for the reason described under Cause, the unformatted destination (receiver5) now also receives these rfc3164-formatted logs.
 
<13>Sep 2 05:36:44 10.1.17.30 %NICWIN-4-Security_4769_Microsoft-Windows-Security-Auditing: Security,rn=6478425334 cid=14236 eid=1076,Thu Sep 02 05:36:30 2021,4769,Microsoft-Windows-Security-Auditing,,Audit Success,Test.com,Kerberos Service Ticket Operations,,A Kerberos service ticket was requested. Account Information: Account Name: test.com Account Domain: Test.COM Logon GUID: {7CBBD784-DC29-D9C0-FFF0E-6F1B20446F89} Service Information: Service Name: bsfjds$ Service ID: S-1-5-21-266649940-16666666644-929701000-3027681 Network Information: Client Address: ::ffff:10.191.244.97 Client Port: 62231 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0
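To check the capture from step 3 of the sample configuration (and again after applying the workaround) without reading the pcap by hand, the following added Python example parses each forwarded syslog line, reports whether it carries an RFC 3164 header, decodes the PRI, and compares every destination against the format its logs.forwarding.destination entry promises. It is an illustration written for this article, not NetWitness code. It assumes the TCP payloads have already been extracted from the capture as one newline-terminated message per line (for example with tcpdump -A or tshark); the sample lines are truncated copies of the two messages shown above, and the receiver names and expected formats come from the sample configuration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
# The day may be space-padded ("Sep  2") or, as in this article's sample, single-spaced ("Sep 2").
RFC3164_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} \s?\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
OCTET_COUNT = re.compile(r"^(\d+) ")

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class ForwardedLine:
    raw: str
    rfc3164: bool            # True when a valid RFC 3164 header was found
    msg: str                 # payload after the header (the whole line when unformatted)
    pri: Optional[int] = None
    facility: Optional[str] = None
    severity: Optional[str] = None
    timestamp: Optional[str] = None
    host: Optional[str] = None


def strip_octet_count(line: str) -> str:
    """Remove an RFC 6587 octet-count prefix ("123 <13>...") when the count matches the
    remaining payload; syslog over TCP may be framed that way instead of newline-delimited."""
    m = OCTET_COUNT.match(line)
    if m:
        body = line[m.end():]
        if len(body.encode("utf-8")) == int(m.group(1)):
            return body
    return line


def parse_forwarded_line(line: str) -> ForwardedLine:
    """Classify one forwarded syslog line as RFC 3164-framed or unformatted and decode its PRI."""
    line = strip_octet_count(line.rstrip("\r\n"))
    m = RFC3164_HEADER.match(line)
    # PRI = facility * 8 + severity, so anything above 23 * 8 + 7 = 191 is not a valid header.
    if not m or int(m.group("pri")) > 191:
        return ForwardedLine(raw=line, rfc3164=False, msg=line)
    pri = int(m.group("pri"))
    return ForwardedLine(
        raw=line, rfc3164=True, msg=m.group("msg"), pri=pri,
        facility=FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3)),
        severity=SEVERITIES[pri & 7],
        timestamp=m.group("timestamp"), host=m.group("host"),
    )


def audit_capture(captured: Dict[str, List[str]],
                  expected_rfc3164: Dict[str, bool]) -> Dict[str, List[Tuple[int, str]]]:
    """Compare what each destination actually received with the format promised for it.
    Returns only the mismatches: {destination: [(line_number, problem), ...]};
    an empty dict means every destination received the expected framing."""
    problems: Dict[str, List[Tuple[int, str]]] = {}
    for dest, lines in captured.items():
        want = expected_rfc3164[dest]
        for n, line in enumerate(lines, 1):
            if parse_forwarded_line(line).rfc3164 != want:
                problems.setdefault(dest, []).append(
                    (n, "missing RFC 3164 header" if want else "unexpected RFC 3164 header"))
    return problems


# Constructed sample input: truncated copies of the two messages shown in this article.
SAMPLE_RAW = ("%NICWIN-4-Security_4624_Microsoft-Windows-Security-Auditing: Security,"
              "rn=6886839553 cid=14080 eid=1056,Thu Sep 02 05:25:27 2021,4624,...")
SAMPLE_RFC3164 = ("<13>Sep 2 05:36:44 10.1.17.30 %NICWIN-4-Security_4769_Microsoft-Windows-"
                  "Security-Auditing: Security,rn=6478425334 cid=14236 eid=1076,...")

# Formats promised by the sample logs.forwarding.destination line:
# receiver5=tcp:10.10.10.11:514 (unformatted), receiver6=tcp:10.10.10.12:514:rfc3164
EXPECTED = {"receiver5": False, "receiver6": True}

if __name__ == "__main__":
    # Symptom from the article: receiver5 (order=1) wins, so receiver6 also gets unformatted logs.
    before_fix = {"receiver5": [SAMPLE_RAW], "receiver6": [SAMPLE_RAW]}
    print("before workaround:", audit_capture(before_fix, EXPECTED))
    # After the workaround receiver6 is evaluated first; decode what it now receives.
    parsed = parse_forwarded_line(SAMPLE_RFC3164)
    print("after workaround:", parsed.pri, parsed.facility, parsed.severity, parsed.host)
```

The PRI value 13 in the article's sample decodes to facility 1 (user) and severity 5 (notice), which is worth knowing when the receiving syslog server filters or routes on facility. Because the parser only looks at the line's own framing, it will also flag the side effect of the workaround: once receiver6 is ordered first, receiver5 shows up as "unexpected RFC 3164 header" unless its expected format is changed to True.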

Product Details

RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Summary

This document outlines the functionality of the Log Decoder syslog forwarding with rfc3164 format.

