Return to
Portfolio

84. RSA NetWitness

RSA NetWitness Platform is a threat detection and incident response suite that leverages logs and other data sources for monitoring, reporting, and investigations. NXLog is an officially supported RSA Ready certified product and can be configured as the log collection agent for NetWitness.

84.1. Configuring NetWitness

The following steps are also outlined in the NetWitness CEF Implementation Guide. See that document for more information and associated warnings.

  1. Make sure Syslog collection is enabled. RSA NetWitness creates Syslog listeners by default for UDP on port 514, TCP on port 514, and SSL on port 6514. See Configure Syslog Event Sources for Remote Collector on RSA Link for further setup notes.

  2. Add a Log Decoder using the "Envision Config File" resource.

    1. From the NetWitness menu, select Configure > Live Content.

    2. In the Keywords field, enter Envision Config File.

    3. In the Matching Resources pane, check the Envision Config File entry and click Deploy in the menu bar.

      netwitness 1 envision deploy1
    4. In the Deployment Wizard Resources pane, click Next.

    5. In the Services pane, select the Log Decoder and click Next.

      netwitness 2 envision deploy2
    6. In the Review pane, review the changes and click Deploy. Click Close after the deployment task has finished.

  3. Deploy the Common Event Format.

    1. From the NetWitness menu, select Live > Search.

    2. In the Keywords field, enter Common Event Format.

    3. In the Matching Resources pane, check the Common Event Format entry and click Deploy in the menu bar.

      netwitness 3 cef deploy
    4. In the Deployment Wizard Resources pane, click Next.

    5. In the Services pane, select the Log Decoder and click Next.

    6. In the Review pane, review the changes and click Deploy. Click Close after the deployment task is finished.

  4. Ensure that the CEF parser is enabled on the Log Decoder(s).

    1. Open Admin > Services on the NetWitness dashboard.

    2. Locate the Log Decoder, click the gear to the right, and select View > Config.

      netwitness 4 decoder config
    3. Enable the cef parser in the Service Parsers Configuration and click Apply.

      netwitness 5 cef enable
  5. Edit the CEF configuration to collect NXLog event times.

    1. Connect via SFTP using WinSCP or another utility.

    2. Locate and back up the XML file at /etc/netwitness/ng/envision/etc/devices/cef/cef.xml.

    3. Edit the file, adding the following lines after the end of the preceding <MESSAGE …​ /> section:

      <MESSAGE
        id1="NXLog_NXLog"
        id2="NXLog_NXLog"
        eventcategory="1612000000"
        functions="&lt;@msg:*PARMVAL($MSG)&gt;&lt;@event_time:*EVNTTIME($MSG,'%R %F %Z',event_time_string)&gt;&lt;@endtime:*EVNTTIME($MSG,'%W-%D-%G %Z',param_endtime)&gt;&lt;@starttime:*EVNTTIME($MSG,'%W-%G-%FT%Z',param_starttime)&gt;"
        content="&lt;param_endtime&gt;&lt;param_starttime&gt;&lt;msghold&gt;" />
  6. If required, edit the CEF custom configuration to support custom fields as follows.

    1. Connect via SFTP.

    2. Locate and back up the XML file at /etc/netwitness/ng/envision/etc/devices/cef/cef-custom.xml, if it exists.

    3. Create the file with the following contents. Or if the file already exists, add only the required sections.

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <DEVICEMESSAGES>
      <!--
      #
      # cef-custom.xml Reference: https://community.rsa.com/docs/DOC-79189
      #
      --> cef-custom.xml
      
        <VendorProducts>
          <Vendor2Device vendor="NXlog" product="NXLog Enterprise Edition"
                         device="NXLog_NXLog" group="Analysis"/>
        </VendorProducts>
      
        <ExtensionKeys>
          <ExtensionKey cefName="Keywords" metaName="Keywords"/>
          <ExtensionKey cefName="Severity" metaName="Severity"/>
          <ExtensionKey cefName="SeverityValue" metaName="SeverityValue"/>
          <ExtensionKey cefName="SourceName" metaName="SourceName"/>
          <ExtensionKey cefName="ProviderGuid" metaName="ProviderGuid"/>
          <ExtensionKey cefName="TaskValue" metaName="TaskValue"/>
          <ExtensionKey cefName="OpcodeValue" metaName="OpcodeValue"/>
          <ExtensionKey cefName="RecordNumber" metaName="RecordNumber"/>
          <ExtensionKey cefName="ExecutionProcessID" metaName="ExecutionProcessID"/>
          <ExtensionKey cefName="ExecutionThreadID" metaName="ExecutionThreadID"/>
          <ExtensionKey cefName="param2" metaName="param2"/>
          <ExtensionKey cefName="SourceModuleName" metaName="SourceModuleName"/>
          <ExtensionKey cefName="SourceModuleType" metaName="SourceModuleType"/>
          <ExtensionKey cefName="EventReceivedTime" metaName="param_starttime"/>
      
          <ExtensionKey cefName="msg" metaName="msg">
            <device2meta device="trendmicrodsa" metaName="info"/>
            <device2meta device="NXLog_NXLog" metaName="info"/>
          </ExtensionKey>
        </ExtensionKeys>
      </DEVICEMESSAGES>
    4. Locate and back up the XML file at /etc/netwitness/ng/envision/etc/table-map-custom.xml, if it exists.

    5. Create the file with the following contents. Or if the file already exists, add the lines between <mappings> and </mappings>.

      <?xml version="1.0" encoding="utf-8"?>
      <!--
      # attributes:
      #   envisionName:   The name of the column in the universal table
      #   nwName:         The name of the NetWitness meta field
      #   format:         Optional. The language key data type. See LanguageManager. Defaults to "Text".
      #   flags:          Optional. One of None|File|Duration|Transient. Defaults to "None".
      #   failureKey:     Optional. The name of the NW key to write data if conversion fails. Defaults to system generated "parse.error" meta.
      #   nullTokens:     Optional. The list of "null" tokens. Pipe separated. Default is no null tokens.
      -->
      
      <mappings>
        <mapping envisionName="severity" nwName="severity" flags="None" format="Text"/>
        <mapping envisionName="Keywords" nwName="Keywords" flags="None" format="Text"/>
        <mapping envisionName="Severity" nwName="Severity" flags="None" format="Text"/>
        <mapping envisionName="SeverityValue" nwName="SeverityValue" flags="None" format="Text"/>
        <mapping envisionName="dvcpid" nwName="dvcpid" flags="None" format="Text"/>
        <mapping envisionName="hardware_id" nwName="hardware.id" flags="None" format="Text"/>
        <mapping envisionName="SourceName" nwName="SourceName" flags="None" format="Text"/>
        <mapping envisionName="ProviderGuid" nwName="ProviderGuid" flags="None" format="Text"/>
        <mapping envisionName="TaskValue" nwName="TaskValue" flags="None" format="Text"/>
        <mapping envisionName="OpcodeValue" nwName="OpcodeValue" flags="None" format="Text"/>
        <mapping envisionName="RecordNumber" nwName="RecordNumber" flags="None" format="Text"/>
        <mapping envisionName="ExecProcID" nwName="ExecProcID" flags="None" format="Text"/>
        <mapping envisionName="ExecThreadID" nwName="ExecThreadID" flags="None" format="Text"/>
        <mapping envisionName="cs_devfacility" nwName="deviceFacility" flags="None" format="Text"/>
        <mapping envisionName="info" nwName="info" flags="None" format="Text"/>
        <mapping envisionName="param2" nwName="param2" flags="None" format="Text"/>
        <mapping envisionName="SourceModuleName" nwName="SourceModuleName" flags="None" format="Text"/>
        <mapping envisionName="SourceModuleType" nwName="SourceModuleType" flags="None" format="Text"/>
        <mapping envisionName="param_endtime" nwName="end" flags="None" format="TimeT"/>
        <mapping envisionName="param_starttime" nwName="start" flags="none" format="TimeT"/>
      </mappings>
  7. Start collecting logs.

    1. Go to Admin > Services, select the associated Log Decoder, click the gear, and select View > System.

      netwitness 6 decoder system
    2. Click Start Capture to start the log collection.

      netwitness 7 start capture

84.2. Configuring NXLog

NXLog can be configured to collect, convert, and send whatever log events are required. The xm_cef and xm_syslog provide the necessary functionality for converting log data to CEF and adding the Syslog header.

Example 362. Converting and Forwarding EventLog Data in CEF

This example configuration reads from the Windows EventLog with im_msvistalog, converts the log data to CEF, and forwards it to NetWitness via TCP.

The xm_cef extension module provides the to_cef() function, which generates the CEF format. The xm_syslog extension module provides the to_syslog_bsd() procedure, which adds the BSD Syslog header.

nxlog.conf [Download file]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<Extension _cef>
    Module  xm_cef
</Extension>

<Extension syslog>
    Module  _xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output netwitness_tcp>
    Module  om_tcp
    Host    127.0.0.1
    Port    514
    <Exec>
        $Message = to_cef();
        to_syslog_bsd();
    </Exec>
</Output>

To send logs via UDP, use this Output block instead.

nxlog.conf [Download file]
1
2
3
4
5
6
7
8
9
<Output netwitness_udp>
    Module  om_udp
    Host    127.0.0.1
    Port    514
    <Exec>
        $Message = to_cef();
        to_syslog_bsd();
    </Exec>
</Output>

84.3. Verifying Collection on NetWitness

After deploying the NXLog configuration on the log source host and starting the capture on NetWitness, the event log data log should be available on NetWitness.

Go to Admin and select the Log Decoder. In the Events area, select an event to view its details.

netwitness 8 verify

It is also possible to examine the raw log to verify that the output to NetWitness is in CEF.

Output Sample
Nov 13 12:34:17 test.test.com Service_Control_Manager: CEF:0|NXLog|NXLog|4.1.4016|0|-|7|end=2018-11-13 12:34:17 dvchost=test.test.com Keywords=9259400833873739776 outcome=INFO SeverityValue=2 Severity=INFO externalId=7036 SourceName=Service Control Manager ProviderGuid={555908D1-A6D7-4695-8E1E-26931D2012F4} Version=0 TaskValue=0 OpcodeValue=0 RecordNumber=3037 ExecutionProcessID=496 ExecutionThreadID=2136 deviceFacility=System msg=The Windows Installer service entered the stopped state. param1=Windows Installer param2=stopped EventReceivedTime=2018-11-13 12:40:28 SourceModuleName=eventlog SourceModuleType=im_msvistalog