RSA Netwitness gives you the ability to use remote Virtual Log Collectors (VLC) to be able to reduce your footprint and reduce the amount of ports required. RSA Netwitness can leverage different mechanisms to retrieve (Pull) or send (Push) the log from or to a log collector.
Multiple customers and RSA partners will use the VLC to be able to send the logs from a remote location to a cloud or centralized infrastructure behind one or multiple firewalls in an isolated network. In an isolated network, the VLC won't have any route to this central location and the following article will help you configure your platform properly.
Before deploying your VLC, verify that the host configuration for your head unit is set to nw-node-zero :
When this is done, deploy your VLC in your virtual infrastructure and launch the nwsetup-tui to continue the installation. When the setup asks you for the IP of the Node Zero enter the external IP of your head unit. For example, in an isolated network a firewall will control any communication to the isolated network:
(192.168.0.x) LAN Corpo --> Firewall Wan Interface (192.168.0.100) --> Firewall Lan interface (Isolated Network 10.60.130.1) --> Netwitness Head unit (10.60.130.100)
NOTE: You need to open the required ports for this installation in your firewall. You can refer to the official documentation related to network/port requirements at the following link : Deployment: Network Architecture and Ports
In this example, the Node Zero external IP will be 192.168.0.100 and when completing the setup, make sure you are using the external Node Zero IP (Firewall WAN Interface for this isolated network).
When this is done, launch the install process on the VLC and after several minutes the VLC will be up and running:
Next, we need to configure the VLC to send the logs to the log decoder behind the Firewall:
During this process, the operation will work but the IP will be the internal IP of the log decoder and we need to change this information to re-establish the communication.
We need to modify the shovel.conf file to be able to send our logs to the log decoder using the same process for this isolated network. To facilitate the process you can add another IP to your firewall and configure a one to one NAT for your log decoder. For this example, we have a one to one NAT for the log decoder using the following IP (192.168.0.101) on the external interface of the firewall.
The shovel_confing file is located on the VLC at the following path:
Connect to your VLC using SSH and edit the file and change the IP to the external IP of your Firewall for your isolated network:
When this is completed reboot your VLC and in the RSA Netwitness UI you will have the green dot confirming that the communication is working: