Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Author: Xavier Trepanier-Taupier

RSA Netwitness gives you the ability to use remote Virtual Log Collectors (VLC) to be able to reduce your footprint and reduce the amount of ports required. RSA Netwitness can leverage different mechanisms to retrieve (Pull) or send (Push) the log from or to a log collector.


Multiple customers and RSA partners will use the VLC to be able to send the logs from a remote location to a cloud or centralized infrastructure behind one or multiple firewalls in an isolated network. In an isolated network, the VLC won't have any route to this central location and the following article will help you configure your platform properly.


Before deploying your VLC, verify that the host configuration for your head unit is set to nw-node-zero :


When this is done, deploy your VLC in your virtual infrastructure and launch the nwsetup-tui to continue the installation.  When the setup asks you for the IP of the Node Zero enter the external IP of your head unit. For example, in an isolated network a firewall will control any communication to the isolated network:


(192.168.0.x) LAN Corpo --> Firewall Wan Interface ( --> Firewall Lan interface (Isolated Network --> Netwitness Head unit (


NOTE: You need to open the required ports for this installation in your firewall. You can refer to the official documentation related to network/port requirements at the following link : Deployment Guide: Network Architecture and Ports 


In this example, the Node Zero external IP will be and when completing the setup, make sure you are using the external Node Zero IP (Firewall WAN Interface for this isolated network).


When this is done, launch the install process on the VLC and after several minutes the VLC will be up and running:


Next, we need to configure the VLC to send the logs to the log decoder behind the Firewall:


During this process, the operation will work but the IP will be the internal IP of the log decoder and we need to change this information to re-establish the communication. 


We need to modify the shovel.conf file to be able to send our logs to the log decoder using the same process for this isolated network. To facilitate the process you can add another IP to your firewall and configure a one to one NAT for your log decoder. For this example, we have a one to one NAT for the log decoder using the following IP ( on the external interface of the firewall.


The shovel_confing file is located on the VLC at the following path:



Connect to your VLC using SSH and edit the file and change the IP to the external IP of your Firewall for your isolated network:


When this is completed reboot your VLC and in the RSA Netwitness UI you will have the green dot confirming that the communication is working:


Health and Wellness leverages RabbitMQ to be able to collect the actual status of any components of the RSA Netwitness platform. After changing an IP on a component the Health and Wellness keep communicating with the previous IP. To be able to resolve this issue you need to do the following:


Open your browser and log in to the RabbiMQ Management interface: https://IP_of_your_head_unit:15671

Log in using the deploy_admin account 


When logged in, go to the Admin Tab


And in the Admin Tab, Select the Federation Upstreams on the right 



Identify the wrong upstream and take note of the virtual host, URI, Expires and the Name of this upstream


Create a new upstream and enter the right information for the URI, with the new IP, the Name, the Virtual Host and the Expires:



When adding this new upstream, it will match the upstream name and automatically replace the one with the wrong information.


And now the device is in a ready state and the health status changed from RED to GREEN

Virtualization is now an industry standard and RSA NetWitness offers a 100% virtual deployment. The RSA NetWitness Archiver module offers the possibility of using multiple virtual hard disks to increase the retention of the platform. To be able to increase the available space you will need to do the following:


 The first step is to add another VMDK to your Virtual RSA NetWitness Archiver :



Change the size of the Virtual Hard Disk to meet your requirement:

We do recommend to use different SCSI controller per VMDK. In this case, SCSI (0:1) is used by our operating system for the second VMDK, we will use SCSI (1:1):

Press Finish to complete the process:

When the virtual hard disk has been added to our virtual Archiver, we need to add this hard disk to our LVM. We will need to identify our new hard disk using the fdisk -l command. In our case, in the virtual hard disk is /dev/sdb

Create the new partition on the /dev/sdb disk with the following command fdisk /dev/sdb

Press n to create a new partition and p for a primary partition

Type w to write the configuration to the partition table


We need to create a Physical Volume for our new partition using the following command pvcreate /dev/sdb1 


We need to create a Volume Group for our new partition using the following command vgcreate vg_customer /dev/sdb1. The name of the Volume Group can be changed to meet your requirement


We need to create a Logical Volume for our new partition using the following command lvcreate --name customer1_lvm -l 100%FREE vg_customer. The name of the Logical Volume can be changed to meet your requirement


RSA Netwitness leverage XFS for best performance. Our new partition needs to be format to XFS using the following command : mkfs.xfs /dev/mapper/vg_customer-customer1_lvm . The LVM name can differ base on your use case.

Create your folder for the mount point

Mount your LVM in your folder created earlier

Validate your mount point with the df command


Edit your /etc/fstab file with your mount point information


When your LVM is created and available to the operating system , we need to add this storage to your RSA NetWitness Archiver. In our case, we are adding 500 GB to the hot storage. Press the gear button   for the hot storage.


Add your mount point to the hot storage and press save


Our hot storage have now 639.89 GB


We will create a new Collection with 450 GB for our Customer1.  


Once the Collection is created, RSA Netwitness will automatically create the following directories for each type of data. 

Vulnerabilities give headaches to security teams. RSA aims to improve the user experience and minimize the time of response to these types of attacks. When publishing the Meltdown / Spectre vulnerability, Microsoft released updates to be installed on all Windows operating systems.


However, we have created an Instant Indicator of Compromise (IIOC) to perform validation if the update was installed on each endpoint regardless of the version of the operating system.


When the IIOC does not detect this update on the endpoint, it will trigger:



IIOC configuration:



For your convenience, you can download this IIOC below. 

Filter Blog

By date: By tag: