
What syslog message formats are accepted by NetWitness?

Issue

What syslog message formats are accepted by RSA NetWitness?


Resolution

How a received syslog message is processed depends on the format of its header section. The table below lists the header patterns that are recognized, the processing type each one maps to, and the Log Collector (LC) version that introduced it.

| Header Match Criteria | Processing Type | Example | Notes | LC Version |
|---|---|---|---|---|
| VERSION TIMESTAMP IPADDRESS MESSAGE | RFC5424 | <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 BOM'su root' failed for lonvick on /dev/pts/8 | | 11.1+ |
| TIMESTAMP IPADDRESS MESSAGE | RFC5424 -Version | <34> 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 BOM'su root' failed for lonvick on /dev/pts/8 | Not RFC5424, but accepted without the VERSION field | 11.1+ |
| VERSION TIMESTAMP IPADDRESS MESSAGE | RFC5424 -Pri | 1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 BOM'su root' failed for lonvick on /dev/pts/8 | Not RFC5424, but accepted without the PRI field | 11.1+ |
| TIMESTAMP IPADDRESS MESSAGE | RFC3164 | <165>Nov 1 08:28:26 10.10.20.3 FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80 | | 10.3.3+ |
| TIMESTAMP IPADDRESS MESSAGE | RFC3164 -Pri | Nov 1 08:28:26 10.10.20.3 FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80 | Not RFC3164, but accepted without the PRI field | |
| MESSAGE | NonStandard | FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80 | Accepts just about anything other than an empty message | |
| MESSAGE | NonStandard +Pri | <165> FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80 | Old BSD syslog format | 10.2.0+ |
| [] [CID] [IPADDRESS] [TIMESTAMP] [] Message... | Envision Panorama Message | [] [] [10.100.33.22] [5678] [] FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80 | Content2 format used between LC and LD | 10.3.2+ |
| @IPADDRESS MESSAGE | Legacy enVision injector tool | @10.10.20.3 <165> FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80 | Internal use only | 10.3.2+ |
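To see how these header rules sort real traffic before a source is pointed at a Log Decoder, the following added example (not NetWitness code, and not the product's actual matcher) classifies a syslog line into the processing types from the table above, using the table's own example messages as constructed input. The regular expressions, the order in which the patterns are tried, the handling of the "@IPADDRESS" injector prefix (its remainder is classified as an ordinary syslog line), and the `Classified` record are all this example's assumptions; the "Processing Type" labels are copied from the table.

```python
"""Classify syslog lines into the NetWitness header processing types.

Added example, not NetWitness code: the patterns below approximate the
"Header Match Criteria" column of the table and are an assumption about
where the boundaries between formats lie.
"""
import re
from dataclasses import dataclass
from typing import Optional

# <PRI> is facility * 8 + severity, written in angle brackets.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*")
# RFC5424 timestamp, e.g. 2003-10-11T22:14:15.003Z or with a numeric UTC offset.
RFC5424_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
# RFC3164 timestamp, e.g. "Nov  1 08:28:26" (one or two spaces before the day).
RFC3164_TS = r"[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}"

RFC5424_RE = re.compile(
    rf"^(?P<version>1\s+)?(?P<ts>{RFC5424_TS})\s+(?P<host>\S+)\s+(?P<msg>.*)$", re.S)
RFC3164_RE = re.compile(rf"^(?P<ts>{RFC3164_TS})\s+(?P<host>\S+)\s+(?P<msg>.*)$", re.S)
# Legacy enVision injector: "@<ip> <forwarded syslog line>".
INJECTOR_RE = re.compile(r"^@(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rest>.+)$", re.S)
# enVision Panorama (Content2): "[] [CID] [IPADDRESS] [TIMESTAMP] [] Message...".
PANORAMA_RE = re.compile(
    r"^\[[^\]]*\]\s\[(?P<cid>[^\]]*)\]\s\[(?P<host>[^\]]*)\]\s\[(?P<ts>[^\]]*)\]\s\[[^\]]*\]\s(?P<msg>.*)$",
    re.S)


@dataclass
class Classified:
    processing_type: str  # label from the table's "Processing Type" column
    pri: Optional[int]
    host: Optional[str]
    timestamp: Optional[str]
    message: str

    @property
    def facility(self) -> Optional[int]:
        return None if self.pri is None else self.pri // 8

    @property
    def severity(self) -> Optional[int]:
        return None if self.pri is None else self.pri % 8


def classify(raw: str) -> Classified:
    """Return the processing type and parsed header fields for one syslog line."""
    line = raw.rstrip("\r\n")
    if not line.strip():
        # The NonStandard path accepts anything except an empty message.
        raise ValueError("empty syslog message")

    m = INJECTOR_RE.match(line)
    if m:
        # Assumption: the remainder after "@ip " is itself an ordinary syslog line.
        inner = classify(m["rest"])
        return Classified("Legacy enVision injector tool", inner.pri, m["host"],
                          inner.timestamp, inner.message)

    m = PANORAMA_RE.match(line)
    if m:
        return Classified("Envision Panorama Message", None, m["host"], m["ts"], m["msg"])

    pri: Optional[int] = None
    body = line
    m = PRI_RE.match(line)
    if m:
        pri = int(m["pri"])
        body = line[m.end():]

    m = RFC5424_RE.match(body)
    # A bare ISO timestamp with neither PRI nor VERSION is not in the table,
    # so it falls through to the NonStandard rule.
    if m and (pri is not None or m["version"]):
        if pri is None:
            ptype = "RFC5424 -Pri"
        elif not m["version"]:
            ptype = "RFC5424 -Version"
        else:
            ptype = "RFC5424"
        return Classified(ptype, pri, m["host"], m["ts"], m["msg"])

    m = RFC3164_RE.match(body)
    if m:
        ptype = "RFC3164" if pri is not None else "RFC3164 -Pri"
        return Classified(ptype, pri, m["host"], m["ts"], m["msg"])

    if not body.strip():
        raise ValueError("PRI header with no message")
    ptype = "NonStandard +Pri" if pri is not None else "NonStandard"
    return Classified(ptype, pri, None, None, body)


if __name__ == "__main__":
    # Constructed input: the "Example" column of the table.
    SAMPLES = [
        "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 BOM'su root' failed for lonvick on /dev/pts/8",
        "<34> 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 BOM'su root' failed for lonvick on /dev/pts/8",
        "1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 BOM'su root' failed for lonvick on /dev/pts/8",
        "<165>Nov 1 08:28:26 10.10.20.3 FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80",
        "Nov 1 08:28:26 10.10.20.3 FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80",
        "FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80",
        "<165> FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80",
        "[] [] [10.100.33.22] [5678] [] FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80",
        "@10.10.20.3 <165> FWSM-7-305002: Translation built for gaddr 155.180.180.80 to laddr 155.180.180.80",
    ]
    for s in SAMPLES:
        c = classify(s)
        print(f"{c.processing_type:30} pri={c.pri} host={c.host} ts={c.timestamp}")
```

The patterns are tried from most to least specific, so a line that carries an injector prefix or Panorama brackets is never mistaken for a plain RFC3164 message that happens to contain an IP address; the NonStandard rule is the catch-all and only rejects an empty message, matching the table's note. If a source shows up as NonStandard when you expected RFC3164 or RFC5424, the usual cause is a header that deviates from the timestamp shapes above (for example a year in the RFC3164 timestamp), which this classifier reports the same way the table does.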


Product Details

RSA Product Set: NetWitness
RSA Product/Service Type: Log Decoder, Log Collector
RSA Version/Condition: 10.6.x, 11.x

Summary

What syslog message formats are accepted by RSA NetWitness Log Decoder or Virtual Log Collector?

