
RSA NetWitness lets you deploy remote Virtual Log Collectors (VLCs) to reduce your footprint and the number of ports required. RSA NetWitness can use different mechanisms to retrieve (pull) logs from, or send (push) logs to, a log collector.

 

Many customers and RSA partners use a VLC to send logs from a remote location to a cloud or centralized infrastructure that sits behind one or more firewalls in an isolated network. In an isolated network the VLC has no route to that central location; this article explains how to configure the platform properly for that case.

 

Before deploying your VLC, verify that the host configuration of your head unit is set to nw-node-zero:

 

When this is done, deploy your VLC in your virtual infrastructure and launch nwsetup-tui to continue the installation. When the setup asks you for the IP of Node Zero, enter the external IP of your head unit. For example, in an isolated network a firewall controls all communication into the isolated network:

 

Corporate LAN (192.168.0.x) --> Firewall WAN interface (192.168.0.100) --> Firewall LAN interface (isolated network, 10.60.130.1) --> NetWitness head unit (10.60.130.100)

 

NOTE: You need to open the ports required for this installation on your firewall. Refer to the official network/port requirements documentation at the following link: Deployment: Network Architecture and Ports

 

In this example the external IP of Node Zero is 192.168.0.100. When completing the setup, make sure you use this external Node Zero IP (the firewall WAN interface for the isolated network), not the internal 10.60.130.100 address.

 

When this is done, launch the install process on the VLC; after several minutes the VLC will be up and running:

 

Next, we need to configure the VLC to send its logs to the log decoder behind the firewall:

 

This step completes successfully, but the address it records is the internal IP of the log decoder, which the VLC cannot reach from the isolated network. We need to change that address to re-establish communication.

 

We need to modify the shovel.conf file so that the logs are sent to the log decoder through the same path used for the rest of this isolated network. To make this easier, add another IP to your firewall and configure a one-to-one NAT for the log decoder. In this example, the log decoder has a one-to-one NAT using the IP 192.168.0.101 on the external interface of the firewall.

 

The shovel.conf file is located on the VLC at the following path:

/etc/rabbitmq

 

Connect to your VLC using SSH, edit the file, and change the log decoder IP to the external (NAT) IP of your firewall for the isolated network:

 

When this is completed, reboot your VLC. In the RSA NetWitness UI you will then see the green dot confirming that communication is working:
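The shovel.conf edit above is a one-line change, but it is easy to replace the wrong address, forget a backup, or reboot before the firewall rule is in place. The script below is an added example, not RSA documentation or product code: it rewrites the internal log decoder address to the firewall's one-to-one NAT address with a backup, refuses to run if the internal address is not present, and checks that the NAT address answers on the RabbitMQ TLS port before you reboot. The sample file content is constructed, the internal log decoder IP 10.60.130.110 and port 5671 are assumptions, and GNU sed/grep (as on the CentOS-based VLC) are assumed.

```shell
#!/bin/sh
# Added example, not RSA's documentation or product code.
# Rewrites the log decoder address in the VLC shovel configuration from the
# internal IP to the firewall's one-to-one NAT address, keeps a backup, and
# checks the NAT address answers on the RabbitMQ TLS port before a reboot.
# Assumptions: GNU sed/grep, the sample content below, the internal decoder
# IP 10.60.130.110 and port 5671 are all assumptions for this example.

# Escape dots so an IP is matched literally, not as "any character".
escape_ip() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Write a CONSTRUCTED sample config; it does not reproduce the real file layout.
make_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample - not the real NetWitness shovel.conf contents
destination=amqps://10.60.130.110:5671/logcollection
source=amqp://127.0.0.1:5672/logcollection
EOF
}

# Count lines referencing an IP, matching the whole address only
# (10.60.130.11 must not match inside 10.60.130.110).
count_ip() {
  ip=$(escape_ip "$1")
  grep -c -e "${ip}[^0-9]" -e "${ip}\$" "$2" || true
}

# swap_decoder_ip FILE OLD_IP NEW_IP: back up FILE, then replace OLD_IP.
swap_decoder_ip() {
  file=$1; old=$(escape_ip "$2"); new=$3
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  if [ "$(count_ip "$2" "$file")" = "0" ]; then
    echo "internal IP $2 not found in $file; nothing to do" >&2
    return 2
  fi
  cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  sed -i -e "s/${old}\([^0-9]\)/${new}\1/g" -e "s/${old}\$/${new}/" "$file"
}

# check_decoder_port HOST [PORT]: non-zero if the NAT address does not accept
# TCP on the AMQP/TLS port, i.e. the firewall rule or NAT is not in place yet.
check_decoder_port() {
  host=$1; port=${2:-5671}
  command -v nc >/dev/null 2>&1 || { echo "nc not installed" >&2; return 3; }
  nc -z -w 3 "$host" "$port"
}

# Typical run on the VLC (uncomment after confirming both addresses):
# swap_decoder_ip /etc/rabbitmq/shovel.conf 10.60.130.110 192.168.0.101 \
#   && check_decoder_port 192.168.0.101 && reboot
```

Run the port check from the VLC itself, since that is the host whose route through the firewall matters; a success from your workstation on the corporate LAN proves nothing about the isolated network.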

 

Context menu actions have long been a part of the RSA NetWitness Platform. v11.2 brought a few nice touches to help manage the menu items, as well as extending the functions into more areas of the product.

 

See here for previous information on the External Lookup options:

Context Menus - OOTB Options 

 

And these for custom additions that are useful to analysts:

Context Menu - Microsoft EventID 

Context Menu - VirusTotal Hash Lookup 

Context Menu - RSA NW to Splunk 

Context Menu - Investigate IP from DNS 

Context Menu - Cymon.io 

 

As always, the administration page is located here:

Admin > System > Context Menu Actions

 

The first thing you will notice is a somewhat different look, since a good bit of cleanup has been done in the UI.

 

Before we start trimming the menu items, here is what it looks like before the changes:

Data Science, Scan for Malware and Live Lookup are all candidates for reduction.

 

When you open an existing action or create a new one you will also see some new improvements.

It is no longer just a large block of text that you can edit only if you know what to change and where; instead you get a set of options to fill in to implement your custom action (or tweak existing ones).

 

You can switch to the advanced view to get back to the old freeform editor if you want to.

 

Clean up

To clean up the menu for your analysts, consider disabling the following items:

Data Science: if you don't have an RSA Warehouse installed, sort by Group Name, locate the Data Science group and disable all the rules in it (4 of them).

External Lookup: disable any of the lookup items that are not used or not important to your analysts.

Scan for Malware: if you are logs only, Malware Analysis is not needed; the same applies if you have packets or endpoint but don't use Malware Analysis.

Live Lookup: mostly doesn't provide value to analysts.

Now you should have a clean right-click action menu available to investigators, helping them do their job better and faster.
