
Plugin working but event only in security events

tcaetano

New Life Form
So I configured my plugin and it works; I can see the events in "analysis >> security events (SIEM) >> filter by plugin".

For some events I was able to configure source IP, normalize_date and username.

My question is: how to make these events appear under "environment >> assets >> 'my asset in question' >> events"?

Is there any data that has to match in order to assign that event to my asset?


Best Answers

  • Answer ✓
    tcaetano,

    The source of an event is not the source of the log data, but the source of the activity. 

    As such, events are associated with assets by the source and destination address of the event. If your events are parsing src/dst IP, then you should see the events associated with the appropriate assets.
  • Answer ✓
    @tcaetano Yes, you can. There's only a slight mistake in how you did it: remove the "{" "}", for example...

    src_ip=100.100.100.100

Answers

  • Some events do parse source and destination, but none of them has the IP of the asset itself.

    Can the src/dst IP be set by force?

    Like "src_ip={x.x.x.x}"?

    I have tried that and it keeps showing the OSSIM server IP as destination (except when my destination is parsed).
  • Ok, I will try that.

    thx a lot 
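
Added illustration (not part of the thread and not OSSIM agent code): a simplified Python model of the two points made in the answers, that a rule field is either a regex capture or a literal value such as `src_ip=100.100.100.100`, and that events attach to assets by source/destination IP. The rule layout, log lines, asset names and addresses are constructed assumptions.

```python
import re

# Constructed sample log lines (not from the thread).
SAMPLE_LOGS = [
    "2024-01-05 10:00:01 login ok user=alice from=192.0.2.10",
    "2024-01-05 10:00:07 service restarted user=root",
]

# Hypothetical rule modelled on a plugin .cfg: "{$name}" takes a regex
# capture, anything else is a literal value (as in src_ip=100.100.100.100).
RULE = {
    "regexp": r"(?P<date>\S+ \S+) .*?user=(?P<user>\S+)(?: from=(?P<src>\S+))?",
    "fields": {"username": "{$user}", "src_ip": "{$src}"},
}
# Same rule with the source address forced to the asset's own IP.
FORCED_RULE = {**RULE, "fields": {**RULE["fields"], "src_ip": "198.51.100.20"}}

# Constructed asset inventory: asset name -> IP address.
ASSETS = {"web01": "198.51.100.20", "laptop7": "192.0.2.10"}

def resolve(value, match):
    """Return the capture for '{$name}', or the value itself if it is a literal."""
    ref = re.fullmatch(r"\{\$(\w+)\}", value)
    if ref is None:
        return value
    return match.groupdict().get(ref.group(1))  # None if the group did not match

def parse(line, rule):
    """Build an event dict from one log line, or None if the regexp misses."""
    match = re.search(rule["regexp"], line)
    if match is None:
        return None
    return {field: resolve(value, match) for field, value in rule["fields"].items()}

def assets_for(event, assets=ASSETS):
    """Assets whose IP equals the event's source or destination address."""
    ips = {event.get("src_ip"), event.get("dst_ip")} - {None}
    return sorted(name for name, ip in assets.items() if ip in ips)

def run(rule, lines=SAMPLE_LOGS):
    """Asset names each parsed event would be listed under."""
    return [assets_for(event) for line in lines if (event := parse(line, rule))]

if __name__ == "__main__":
    print("parsed src_ip:", run(RULE))         # second event has no address
    print("forced src_ip:", run(FORCED_RULE))  # every event lands on web01
```

With the parsed rule, the second log line carries no address and so matches no asset; with the literal `src_ip`, both events are listed under the asset that owns that address.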