NetWitness Collector AzureAudit logs stop frequently while the plug-in test connection succeeds
Issue
AzureAudit log collection on the NetWitness Log Collector stops frequently even though Test Connection succeeds for the event source instance. /var/log/messages shows no errors related to this collection.
Cause
Microsoft publishes Azure audit events to the API that the AzureAudit plug-in queries with some delay. Events that were not yet available when the plug-in polled their time range were never picked up, so recent logs were missing from the plug-in collection even though the connection itself was healthy.
Resolution
Download the modified plug-in scripts.zip file attached to this article and follow the steps below.
- Disable the existing azureaudit event source instance.
- Place the three attached files azureaudit_collector.py, azureaudit_config.py and azureaudit_properties_en.xml in the /etc/netwitness/ng/logcollection/content/collection/cmdscript/azureaudit directory on the Log Collector.
- Place the attached azureaudit.xml file in the /etc/netwitness/ng/logcollection/content/collection/cmdscript directory on the Log Collector.
- Restart the log collector service with systemctl restart nwlogcollector.service and confirm it is running again with systemctl status nwlogcollector.service.
- The updated plug-in adds a "Trail By" parameter in the Advanced section of the event source configuration.
Note: The default value of Trail By is 240 minutes; the minimum is 10 minutes and the maximum is 600 minutes.
- Create a new event source instance for azureaudit.
- Set the start date to 1 or 0 and enter a new source address.
- Run Test Connection and confirm that it succeeds.
- If Test Connection succeeds, check that events are being collected and monitor the instance for the next 1-2 days. If collection stops again from the next day onward, increase the Trail By value above the default and continue monitoring.
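The following is an added illustration of the cause and of the Trail By idea, not code from the plug-in or from this article. The real azureaudit_collector.py is not on this page, and how it tracks its collection checkpoint and exactly what Trail By does internally are assumptions made here: the model below is a checkpoint-based poller run against a constructed fake API whose events only become retrievable some minutes after their event timestamps, once with no trailing window (the pre-fix behaviour) and once with a trailing re-read window, deduplicated by event id.

```python
"""Model of a checkpoint-based audit-log poller with and without a trailing
re-read window. Constructed example; not the NetWitness plug-in's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def minutes(n):
    """Helper: a point in time n minutes after T0."""
    return T0 + timedelta(minutes=n)


@dataclass(frozen=True)
class AuditEvent:
    event_id: str
    event_time: datetime   # timestamp the API filters on
    visible_at: datetime   # when the API actually starts returning it (publishing lag)


# Constructed sample data. Event B is backdated (event_time 00:05) but only
# becomes retrievable at 00:25, i.e. after the poll that already covered 00:00-00:10.
SAMPLE_EVENTS = [
    AuditEvent("A", minutes(2), minutes(3)),
    AuditEvent("B", minutes(5), minutes(25)),
    AuditEvent("C", minutes(15), minutes(16)),
]


class FakeAuditApi:
    """Stand-in for the Azure audit API (assumption: filter is event_time >= since).
    Returns only events that have become visible by the time of the call."""

    def __init__(self, events):
        self.events = events

    def query(self, since, now):
        return [e for e in self.events if e.event_time >= since and e.visible_at <= now]


class Poller:
    """Checkpoint poller. trail_by_minutes=0 models the original plug-in behaviour:
    each poll asks only for events newer than the last poll time, so an event that
    lands late with an older timestamp is never requested again. A positive value
    re-reads a trailing window behind the checkpoint and deduplicates by event id."""

    def __init__(self, api, start, trail_by_minutes=0):
        self.api = api
        self.checkpoint = start
        self.trail = timedelta(minutes=trail_by_minutes)
        self.seen = set()
        self.collected = []

    def poll(self, now):
        since = self.checkpoint - self.trail
        new = 0
        for event in self.api.query(since, now):
            if event.event_id in self.seen:
                continue  # already collected on an earlier pass over the window
            self.seen.add(event.event_id)
            self.collected.append(event)
            new += 1
        self.checkpoint = now  # assumption: checkpoint advances to the poll time
        return new


def validate_trail_by(trail_by_minutes):
    """Enforce the bounds the article gives for Trail By (10..600 minutes)."""
    if not 10 <= trail_by_minutes <= 600:
        raise ValueError("Trail By must be between 10 and 600 minutes")
    return trail_by_minutes


def run_scenario(trail_by_minutes):
    """Poll the fake API every 10 minutes for half an hour and return the ids
    of the events collected, in collection order."""
    poller = Poller(FakeAuditApi(SAMPLE_EVENTS), T0, trail_by_minutes)
    for poll_time in (minutes(10), minutes(20), minutes(30)):
        poller.poll(poll_time)
    return [e.event_id for e in poller.collected]


if __name__ == "__main__":
    print("no trailing window:", run_scenario(0))        # late event B is lost
    print("Trail By 240 min: ", run_scenario(validate_trail_by(240)))  # B recovered
```

Without a trailing window the late event B is requested once, before Microsoft has published it, and never again; with Trail By set, each poll re-reads the window behind the checkpoint, so B is picked up on the first poll after it becomes visible and earlier events are filtered out by id. This is also why the article suggests raising Trail By when collection still drops out: the window has to be longer than the longest publishing delay observed.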
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS
O/S Version: 7
Summary
This article describes how to restore AzureAudit log collection that stopped because Microsoft publishes the audit logs with a delay.