RSA NetWitness Integration Guide

NetWitness® is a security intelligence product that audits and monitors all traffic on a network. It creates a comprehensive log file of all network activities in a format that network engineers and non-engineers alike can quickly understand.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox with Fireware v11.12.1 or higher
  • RSA SA ESI 10.6

Test Topology

Configure WatchGuard Firebox

To configure your WatchGuard Firebox:

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select System > Logging > Syslog Server.
  3. Select the Send log messages to the syslog server at this IP address check box.
  4. Type the IP Address and Port of your syslog server.
  5. From the Log Format drop-down list, select Syslog.
  6. Click Save.

Configure RSA ESI

After you configure the Firebox, the Firebox sends syslog messages to your syslog server. In RSA ESI, you can use the syslog file to define a new parser.

  1. Select New Parser.
  2. Type the Device name and specify the File location.
  3. Click OK.
  4. In the Device Type text box, type a device name.
  5. From the Device Class drop-down list, select Firewall.
  6. In the Display Name text box, type a display name.
  7. Click Open Log File.
  8. Select your syslog file and click Open.
    The content of the syslog file appears.
  9. In the first log message, select the message ID in msg_id="3000-0148".
  10. Below the log message, click Create.
    The log message appears in the Headers tab with the highlighted MESSAGEID.
  11. Select the date and time that appear before "firebox".
  12. Press Ctrl+K. Type HDATE.
  13. Select the time that appears in parentheses.
  14. Press Ctrl+K. Type HTIME.
  15. Delete the information that appears after the MESSAGEID. Press Enter.
  16. Click Headers Defined.
    The log messages that match the defined header appear.
  17. Below the log message, click Create.
    The message details appear in the Messages tab.
  18. You can change the default name MSG1 to match the message ID. For this example, we changed it to 3000-0148.
  19. To define how to parse this message:
    1. Select “Deny” and press Ctrl+K. Type ACTION.
    2. Select “0-External” and press Ctrl+K. Type SINTERFACE.
    3. Select “Firebox” and press Ctrl+K. Type DINTERFACE.
    4. Select “udp” and press Ctrl+K. Type PROTOCOL.
    5. Select the first IP address and press Ctrl+K. Type SADDR.
    6. Select the second IP address and press Ctrl+K. Type DADDR.
    7. Select the first port and press Ctrl+K. Type SPORT.
    8. Select the second port and press Ctrl+K. Type DPORT.
    9. Select “Unhandled External Packet-00” and press Ctrl+K. Type RULENAME.
  20. There are three additional parameters to define. In our example, we label these FLD, FLD1, FLD2.
    1. Select the first field and press Ctrl+K. Type FLD.
    2. Select the second field and press Ctrl+K. Type FLD1.
    3. Select the third field and press Ctrl+K. Type FLD2.
  21. From the Event Category drop-down list, select Network.Denied Connections.
  22. Select File > Export Parser.
  23. Specify a file name. Click Save.
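
The header and message mapping defined in the steps above, sketched as a stand-alone Python check you can run over your syslog file before you export the parser. This is an added example, not part of the original guide or of RSA or WatchGuard code. The sample log line is constructed, and the token after the parenthesized time and the positions of FLD, FLD1 and FLD2 are assumptions to adjust against your own log.

```python
import re

# Constructed sample line (not from the original guide). Assumed layout:
# <date time> firebox (<time>) <tag> msg_id="..." <action> <src-if> <dst-if>
# <FLD> <proto> <FLD1> <FLD2> <saddr> <daddr> <sport> <dport> (<rule name>)
SAMPLE = ('Sep 20 10:15:01 firebox (2016-09-20T17:15:01) firewall: '
          'msg_id="3000-0148" Deny 0-External Firebox 78 udp 20 64 '
          '198.51.100.7 203.0.113.255 137 137 (Unhandled External Packet-00)')

# Header definition: HDATE, HTIME and MESSAGEID, as in the Headers tab.
HEADER = re.compile(
    r'^(?P<HDATE>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) firebox '
    r'\((?P<HTIME>[^)]+)\) \S+ msg_id="(?P<MESSAGEID>\d{4}-\d{4})" '
    r'(?P<body>.*)$')

# Message definition for 3000-0148, using the field names from the guide.
BODY_3000_0148 = re.compile(
    r'^(?P<ACTION>\S+) (?P<SINTERFACE>\S+) (?P<DINTERFACE>\S+) '
    r'(?P<FLD>\d+) (?P<PROTOCOL>\S+) (?P<FLD1>\d+) (?P<FLD2>\d+) '
    r'(?P<SADDR>\S+) (?P<DADDR>\S+) (?P<SPORT>\d+) (?P<DPORT>\d+) '
    r'\((?P<RULENAME>[^)]*)\)$')

BODIES = {'3000-0148': BODY_3000_0148}

def parse_line(line):
    """Return a dict of parser fields, or None if the line is not matched."""
    head = HEADER.match(line.strip())
    if head is None:
        return None
    body_re = BODIES.get(head['MESSAGEID'])
    if body_re is None:
        return None  # header matched, but this message ID has no definition
    body = body_re.match(head['body'])
    if body is None:
        return None
    fields = {k: head[k] for k in ('HDATE', 'HTIME', 'MESSAGEID')}
    fields.update(body.groupdict())
    return fields

def unparsed(lines):
    """Lines the definitions above leave unparsed; review these before export."""
    return [line for line in lines if parse_line(line) is None]

if __name__ == '__main__':
    for name, value in parse_line(SAMPLE).items():
        print(f'{name:11} {value}')
```

Lines returned by `unparsed()` are events the exported parser would not classify, so each one points to a message ID or layout that still needs its own definition.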