Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Authors Guy Williams

RSA NetWitness Platform

3 Posts authored by: Guy Williams Employee

I'm pleased to announce that we have qualified and now support the ability for our Virtual Log Collector 10.6 to be installed in Amazon's AWS infrastructure.  This will allow customers to deploy VLC in AWS in order to collect logs from currently supported event sources and protocols.  This includes Amazon's CloudTrail as well as other supported event sources, such as operating systems, applications, and other infrastructure sources.  These logs will then be compressed and encrypted to be sent back to a corporate instance of Security Analytics.



The RSA Security Analytics AWS Configuration Guide can be found here.

Security Analytics 10.6 has new feature that will allow you to significantly reduce your storage footprint for long term log retention on the Archiver.  Selective Log Retention allows you to create 'buckets' for your logs and specify differing retention periods for those buckets.  This will allow you to create a bucket, or collection, for your compliance logs to keep, for example, for years.  You could create a bucket for your security relevant logs to keep for six months.  You could create a bucket for copious, low value logs to keep for weeks.


Previously, if you needed to keep compliance logs for years you had to keep all logs for years, whether you needed them or not.  By aging out less valuable logs in shorter time frames if frees up space for your important logs allowing you to significantly extend the retention period for those logs without adding storage.  You still have the options for Hot, Warm, and Cold storage with individually configurable settings per collection.




The easiest way to set up Selective Log Retention is configure rules to separate out your compliance regulation logs, such as with Event Source Groups or Device IP (device.ip), and set the appropriate, required retention period.  Next, find the bulk of the low value logs by either Event Source Type (device.type) or Message ID ( and give those the lowest acceptable retention period.  Lastly, configure the retention period on the default collection, which will contain all of the remaining logs.  Further configuration refinement can optimize storage even more.


Let us know what you think and how it works for you!


More information can be found on RSA Security Analytics Documentation under Security Analytics 10.6 > Data Privacy Management > References > Data Retention Tab - Archiver or Security Analytics 10.6 > Host and Services Configuration Guides > Archiver Configuration Guide > Configure Archiver > Step 3. Configure Archiver Storage and Log Retention > Configure Log Storage Collections.

Security Analytics 10.6 has a new beta feature that will allow SA to monitor your event sources collection and alarm or notify you when an event source falls below or exceeds a rate that is normal for that event source.  The goal is to take away the need to manually determine which event sources have similar rates, group those event sources, and create monitoring policies to match, significantly reducing the burden on system administrators.  It is enabled by default to alarm but not send notifications.


It takes about 5 days to build the baseline and will then start generating alarms whenever a device deviates from that baseline.  In the case in the screenshot below, this cisco router normally generates 333 events during 6:00 PM to 7:00 PM but we haven't received any events, which is 2.657 standard deviations below the normal.  The alarm shows up on the Administration -> Event Sources -> Alarms page.



You can enable email, syslog, or SNMP notifications once you determine the alarms aren't giving you false positives.  You can also tweak the Low and High standard deviations settings in order to tune it better to your environment.  Raising the standard deviations will make it less likely for an alarm to be generated.



Let us know what you think and how it works for you!


More information can be found on RSA Security Analytics Documentation under Security Analytics 10.6 > Event Source Management > Procedures > Configure Automatic Alerting

Filter Blog

By date: By tag: