Skip to content
  • There are no suggestions because the search field is empty.

NetWitness ODBC event source parses the device.ip field incorrectly

Issue

When navigating the investigated meta from an ODBC event source, the device.ip field doesn't match the IP address of the SQL database, this can occur with multiple ODBC event sources.
Instead, the IP address in the device.ip field is that of the host sending its logs to the SQL database.


Cause

For most ODBC sources, the device.ip field will be populated with the IP from the AnlyzerIPV4 column of the incoming log.

To verify that, we can check the xml file of the ODBC event source in /etc/netwitness/ng/logcollection/content/collection/odbc/ .xml

Examples:
For the hips8x event source, this is found in the /etc/netwitness/ng/logcollection/content/collection/odbc/hips8x.xml file.
For the epolicyvirus4_5 event source, this is found in the /etc/netwitness/ng/logcollection/content/collection/odbc/epolicyvirus4_5.xml file.


Resolution

To reflect the IP address of the database rather than the host, the field "AnlyzerIPV4" can be deleted from the ODBC definition file and minor changes will need to be made in the UI. 

Follow the steps below to perform this procedure.
 1) Stop ODBC collection via the Log Collector's System page:

image.png

2) Update the event source configuration the Log Collector's Config page and enter the IP address of the server in place of 127.0.0.1.:

image.png

3)From an SSH session on the Log Collector, backup the xml before editing it:

cp -av/etc/netwitness/ng/logcollection/content/collection/odbc/<event-source-name>.xml /root/<event-source-name>.xml.bak


4) Issue the command below to edit the file:

vi /etc/netwitness/ng/logcollection/content/collection/odbc/<event-source-name>.xml

5) Update the ODBC Type Spec Definition file by removing [EPOEvents].[AnalyzerIPV4],​ like the below example:

removedefinition

6) Restart the nwlogcollector service for the changes to take effect.

# systemctl stop nwlogcollector
# systemctl start nwlogcollector


7) Start the ODBC collection again via the Log Collector's system page on UI:

image.png

If you are unsure of any of the steps above or experience any issues, contact NetWitness Support and quote this article number for further assistance.


Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: Log Collector, Log Decoder
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS / AlmaLinux


Summary

When navigating the investigated meta from an ODB event source, the device.ip field doesn't match the IP address of the SQL database.


Approval Reviewer Queue

Technical approval queue