| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I have a SPLAT StandAlone NGXR65 HFA50 and an Envision server. There is no documentation in Check Point support and I'd like to use Envision to receive logs. I have been trying with no success. Another thing that caught my attention was that if the node is added as a Check Point object, it appears in SmartView Monitor, but disconnected. Should the Envision, as an OPSEC device, be shown in SmartView Monitor? I have a manual from RSA but it doesn't say anything about it. What do I need to make the management send the logs to my Envision server, and to be shown online in SmartView Monitor? I hope I was clear enough. Thanks in advance, Regards, Lucas. |
| |||
| For an OPSEC connection, you have to add a new application under the "Servers and OPSEC Applications" tab, which is the 4th tab in the left pane. (It looks like a server and a gear.) You should also add the server name & IP as a regular host object because you'll need it for the OPSEC setup screen. From there, you can mark LEA and establish SIC communication. The enVision is listed under Network_Intelligence. On your Envision server you should hopefully have options to accept an LEA connection from your SPLAT server. Last edited by bmolnar; 2010-01-29 at 07:45. |
| |||
| I've never used the RSA Envision product before, but hopefully they provide additional documentation on their website. It might be as easy as editing a few files on the Envision server. Here are steps on how to set it up with Splunk, which may or may not help: "Community:Configure OPSEC LEA input" (Splunk Wiki). Personally, I didn't have to edit the fwopsec.conf file to get my LogLogic device working via LEA and CPMI. |
| |||
| You won't see the Envision server in Monitor; you will just create a generic host object representing its IP for use in a rule and to associate with the OPSEC object (which is not a network object and is not listed in the objects tree). Just follow the RSA PDF word for word and you shouldn't have any issues pulling logs from your management server via LEA. |
| Tags |
| envision rsa ngxr65 |