Eric Partington

Bulk Operations - Windows Legacy Cleanup

Blog Post created by Eric Partington on Nov 11, 2016

Still got Windows Legacy collectors kicking around collecting logs?

Moving gradually to fewer systems being collected from that service and moving to WinRM and other Windows log collection?

How do you remove entries in bulk from the Windows Legacy collector?


  1. Once you are logged into RSA NW, locate the Windows Legacy collector > Config > Event Sources > <DomainToRemoveFrom>
  2. Select the "all" checkbox to capture all hosts and click Export Source so you have a backup of the configuration before continuing.
  3. Determine the list of hosts to remove from the configuration on that WLC and that domain.
  4. There are a number of ways to perform bulk operations from the command line, but today let's use the curl method.
  5. The basic method of using curl (to test) is to modify the following line to suit your environment, to test the login method and port connectivity:
    1. curl -v -k -u <USERNAME>:<PASSWORD> "http://<WLCSERVERIP/WLCDOMAINNAME>:50101/logcollection/windowslegacy/eventsources/windows/<DOMAIN>?msg=ls&force-content-type=text/plain&expiry=600"
    2. This will print the hosts for the DOMAIN entry on that WLC, to verify that you have the right username/permissions and domain to perform the delete later on.
  6. If that tests out good, you can now create a shell script with one entry for each host you want to delete from the domain and WLC:
    1. curl -v -k -u <USERNAME>:<PASSWORD> "http://<WLCSERVERIP/WLCDOMAINNAME>:50101/logcollection/windowslegacy/eventsources/windows/<DOMAIN>?msg=delete&force-content-type=text/plain&expiry=600&name=<EVENTSOURCENAMETODELETE>"
  7. You can use Excel to create a template for the delete structure and concatenate columns together to create the output (one per line).
  8. Save the output as a .sh (shell script).
  9. Move it to a Linux box / SA / NW appliance to run.
  10. Make it executable and run it.
  11. Output will be 200 OK for a successful deletion (< HTTP/1.1 200 OK)
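
As an alternative to building the script in Excel, the delete calls can be driven from a plain text file with one host per line. This is an added example, not part of the original post: the variable names (WLC_HOST, WLC_DOMAIN, NW_USER, NW_PASS, DRY_RUN) and their default values are assumptions, while the port, path and query string are the ones shown in the steps above. It defaults to a dry run that only prints each request, and it reads the credentials from the environment so they are not saved in the script file.

```shell
#!/bin/sh
# Added example, not from the original post. WLC_HOST, WLC_DOMAIN, NW_USER,
# NW_PASS and DRY_RUN are assumed names; defaults are constructed placeholders.
WLC_HOST="${WLC_HOST:-wlc.example.internal}"
WLC_DOMAIN="${WLC_DOMAIN:-EXAMPLEDOMAIN}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print what would be sent, 0 = really delete

# Accept only host-name characters, so a malformed line in the list
# cannot append extra query parameters to the delete request.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Same URL as the manual delete step, with the event source name filled in.
build_delete_url() {
    printf 'http://%s:50101/logcollection/windowslegacy/eventsources/windows/%s?msg=delete&force-content-type=text/plain&expiry=600&name=%s\n' \
        "$WLC_HOST" "$WLC_DOMAIN" "$1"
}

# Reads one host per line; blank lines and lines starting with # are skipped.
# Prints one result line per host and returns non-zero if any host failed.
delete_hosts() {
    rc=0
    while IFS= read -r host || [ -n "$host" ]; do
        host=$(printf '%s' "$host" | tr -d '\r')   # tolerate CRLF exports
        case "$host" in ''|'#'*) continue ;; esac
        if ! valid_host "$host"; then
            echo "SKIPPED $host"; rc=1; continue
        fi
        url=$(build_delete_url "$host")
        if [ "$DRY_RUN" = "1" ]; then
            echo "DRYRUN $host $url"; continue
        fi
        code=$(curl -s -o /dev/null -w '%{http_code}' -u "$NW_USER:$NW_PASS" "$url") || true
        if [ "$code" = "200" ]; then echo "DELETED $host"
        else echo "FAILED($code) $host"; rc=1; fi
    done < "$1"
    return "$rc"
}

# Run only when a host list file is given as the first argument.
if [ "$#" -ge 1 ]; then delete_hosts "$1"; fi
```

Review the dry-run output against the exported backup first, then rerun with DRY_RUN=0 and NW_USER/NW_PASS set; any line not reported as DELETED did not return HTTP 200.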