Windows Legacy Collection Configuration for NetWitness Platform 11.x

Document created by RSA Information Design and Development on Apr 13, 2019. Last modified by Melinda Zelenkov on May 3, 2019. Version 4.

The Legacy Windows Collector supports collection from:

  • Windows 2003 and earlier event sources
  • NetApp ONTAP host evt files

This document contains the following sections:

  • Setup Requirements
  • Update the RSA NetWitness® Suite Legacy Windows Collector from 10.6.x to 11.x
  • Fresh Install 11.x Legacy Windows Collector
  • Troubleshooting for Fresh or Upgrade Install
  • (Optional) Backup and Restore Legacy Windows Collector
  • Add a Windows Legacy Collector Host and Service in RSA NetWitness® Platform

Setup Requirements

This section provides the RSA NetWitness® Suite Legacy Windows Collector Setup requirements.

Caution: If you are installing or updating to version 11.x, in order to use the Security Analytics Legacy Windows Collector with NetWitness, you must first install the following Windows updates:

  • KB2919355
  • KB2919442
  • KB2999226
  • KB3173424

If these updates are not installed, you will get an error message, and the Legacy Windows Collector will not be installed.

To set up the RSA NetWitness® Suite Legacy Windows Collector, you need:

  • Any physical or virtual Windows 2008 R2 SP1 64-Bit Server that can reach the Windows 2003 event source domains.
  • A minimum of 20% free disk space. For example, you need at least 20 GB of free space if your system drive is 100 GB in size.

IMPORTANT: Do not install the Legacy Windows Collector on a domain controller.
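The following pre-install check is an added example, not a script from the RSA documentation or the collector package. It verifies the four requirements above (the listed Windows updates, a Windows 2008 R2 SP1 64-bit host, at least 20% free space on the system drive, and that the host is not a domain controller); it assumes an elevated PowerShell session on the candidate collector host, and the 20% threshold and KB list are taken from the text above.

```powershell
# Added example: pre-install prerequisite check for the Legacy Windows Collector.
# Run in an elevated PowerShell session on the host where the collector will be installed.

$RequiredKBs = @('KB2919355', 'KB2919442', 'KB2999226', 'KB3173424')  # from the Caution above
$MinFreePct  = 20                                                      # minimum free disk space
$Problems    = @()

# 1. Operating system must be Windows Server 2008 R2 SP1, 64-bit (NT version 6.1, SP >= 1)
$os = Get-WmiObject -Class Win32_OperatingSystem
$osOk = ($os.Version -like '6.1*') -and ($os.ServicePackMajorVersion -ge 1) -and ($os.OSArchitecture -eq '64-bit')
if (-not $osOk) {
    $Problems += "Unsupported OS: $($os.Caption) $($os.Version) SP$($os.ServicePackMajorVersion) $($os.OSArchitecture)"
}

# 2. The collector must not be installed on a domain controller (Win32_OperatingSystem.ProductType 2 = DC)
if ($os.ProductType -eq 2) {
    $Problems += 'This host is a domain controller; install the collector on a different server'
}

# 3. The required Windows updates must already be present, or the collector installer will refuse to run
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -notcontains $kb) { $Problems += "Missing Windows update $kb" }
}

# 4. At least 20% of the system drive must be free
$sysDrive = $env:SystemDrive   # e.g. C:
$disk     = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freePct  = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
if ($freePct -lt $MinFreePct) {
    $Problems += "Only $freePct% free on $sysDrive (at least $MinFreePct% is required)"
}

# Report: exit non-zero so the check can gate an automated rollout
if ($Problems.Count -eq 0) {
    Write-Output 'All Legacy Windows Collector prerequisites are met.'
} else {
    $Problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```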

 

Update the RSA NetWitness® Suite Legacy Windows Collector from 10.6.x to 11.x

This section tells you how to update the RSA NetWitness® Platform 10.6.x Legacy Windows Collector to 11.

To update the RSA NetWitness® Suite 10.6.x Legacy Windows Collector to 11 on a Windows 2008 R2 SP1 64-Bit server:

  1. Navigate to https://community.rsa.com/docs/DOC-83034 on RSA Link. Click RSA NetWitness Logs & Packets 11.x - Legacy Windows Collector to download the ZIP archive.
  2. Unzip the downloaded file.
  3. Log on to a Windows 2008 machine.
  4. Copy NWLegacyWindowsCollector-version-number.exe to the Windows 2008 server.
  5. Right click on NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.

    The Preparing to Install... page of the update installation wizard is displayed.

    After the update installation program extracts RSA NetWitness® Suite Legacy Windows Collector installation files, the Welcome page is displayed.

  6. Click Next.

    The License Agreement page is displayed.

  7. Read the License agreement carefully, select the I accept the terms in the license agreement radio button, and click Next.

    Before it starts the update, the wizard asks if you want to continue or cancel the installation of the update.

  8. Click OK to continue installing the update.
  9. Click Install.

    The Installation screens for the Legacy Windows Collector page is displayed.

    After the update installation completes, the Next button becomes active.

  10. Click Next.

    The Installation Completed page is displayed.

  11. (Optional) If you want to review a log of the update installation, select the Show the Windows Installer log checkbox.
  12. Click Finish.
  13. Reboot the machine.

This completes the update of the Legacy Windows Collector to RSA NetWitness® Platform 11.x.

Fresh Install 11.x Legacy Windows Collector

This section describes how to install the 11.x Legacy Windows Collector on a Windows 2008 R2 SP1 64-Bit server.

To install the RSA NetWitness® Platform Legacy Windows Collector on a Windows 2008 R2 SP1 64-Bit server:

  1. Navigate to https://community.rsa.com/docs/DOC-83034 on RSA Link. Click RSA NetWitness Logs & Packets 11.x - Legacy Windows Collector to download the ZIP archive.
  2. Unzip the downloaded file.
  3. Copy the NWLegacyWindowsCollector-version-number.exe to the Windows 2008 server.
  4. Right click on the NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.

    The Welcome page of installation wizard is displayed.

  5. Click Next.

    The License Agreement page is displayed.

  6. Read the License agreement carefully, select the I accept the terms in the license agreement radio button, and click Next.

    The Ready to Install the Program page is displayed.

  7. Click Install.

    The Installation screens for the Legacy Windows Collector page are displayed.

    The Installation Completed page is displayed.

  8. (Optional) If you want to review a log of the installation, select the Show the Windows Installer log checkbox.
  9. Click Finish.
  10. Reboot the machine.

This completes the installation of the 11.x Legacy Windows Collector. Please refer to the Windows Legacy and NetApp Collection Configuration Guide on RSA Link for instructions on how to configure Legacy Windows collection in RSA NetWitness® Platform.

Troubleshooting for Fresh or Upgrade Install

Logs to Examine for Information

Refer to the following log files if you need to troubleshoot problems:

  • %systemDrive%\Netwitness\ng\logcollector\MessageBroker.log
  • %systemDrive%\Program Files\NwLogCollector\installlog.txt

Run C:\Program Files\NwLogCollector\ziplogfiles.vbs to generate the hostname_WLCversion_timestamp.zip that contains all the log files and other information needed for troubleshooting.

Issues with the Lockbox

When you create a lockbox password on a new Windows Legacy Collector, you might see the following error:

failed to set secure storage password: failed to create lockbox: The Lockbox or cryptography library could not be found.

This can occur if you are running Windows Legacy Collector version 11.x.

If you encounter this issue, download and install both of the following redistributable packages:

(Optional) Backup and Restore Legacy Windows Collector

This section tells you how to upgrade from 10.6.4 to NetWitness 11.x for the Legacy Windows Collector.

Note: You only need to do this if you are changing the Windows VM where you run the Windows Legacy Collector.

During upgrade to RSA NetWitness® Platform 11.x, the backup script for the Windows Legacy Collector is invoked automatically, and creates the 10.6.4 configuration and run-time backups. After the 11.x installation is completed, run the Restore script to restore the configuration and run-time files for the updated Windows Legacy Collection.

Restore the Windows Legacy Collection Backup after Upgrade

To restore the Windows Legacy Collection setup on a newly upgraded RSA NetWitness® Platform 11 platform:

  1. On the Windows Legacy Collector, open a command prompt window.
  2. Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.
  3. Run the following commands for restoring a backup:

    • Configuration files backup: WLC-Restore.bat "Config-bkup_timestamp.zip"
    • Run-time files backup: WLC-Restore.bat "Runtime-bkup_timestamp.zip"
  4. Once the restore is completed, set the lockbox SSV to use the password that you created during 10.6.4 setup.

    1. In the Security Analytics menu, select Services, then select your Windows Legacy Collector and choose Explore.
    2. From the left navigation pane, expand logcollection > properties > crypto.
    3. Run the following command: op=setssv pw=password_for_10.6.x_lockbox, and hit Send.

Revert Windows Legacy Collection from 11.x Back to 10.6.4

To revert the Windows Legacy Collection setup from 11.x back to 10.6.4:

  1. Uninstall the 11.x Setup. Note the location of the backup folder created by the system during the uninstall procedure.
  2. Install the 10.6.4 version of the Windows Legacy Collector.
  3. Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.
  4. Run the Restore script from the backup folder present in C:\Program Files\NwLogCollector to restore the configuration and run-time setup on the 10.6.4 Windows Legacy Collector.

    • Configuration files backup: WLC-Restore.bat "Config-bkup_timestamp.zip"
    • Run-time files backup: WLC-Restore.bat "Runtime-bkup_timestamp.zip"
  5. Once the restore is completed, set the lockbox SSV to use the password that you created during 10.6.4 setup.

    1. In the Security Analytics menu, select Services, then select your Windows Legacy Collector and choose Explore.
    2. From the left navigation pane, expand logcollection > properties > crypto.
    3. Run the following command: op=setssv pw=password_for_10.6.x_lockbox, and hit Send.

Add a Windows Legacy Collector Host and Service in RSA NetWitness® Platform

For this version of the Windows Legacy Collector, RSA has provided a script that replaces the manual steps of adding a Windows Legacy Collector host and service in the NetWitness UI.

To create a Windows Legacy Collector Host and Service in NetWitness:

  1. SSH to your NetWitness server.
  2. Run the following command:

    wlc-cli-client --host-display-name hostDisplayName --service-display-name serviceDisplayName --host WLChostIPAddress --port 50101 --use-ssl false

    The parameters are explained below:

    • --host-display-name: the name for the host as it is displayed in the NetWitness Hosts page
    • --service-display-name: the name for the service as it is displayed in the NetWitness Services page
    • --host: the IP address for the Windows Legacy Collector
    • --port: the port NetWitness uses to communicate with the Windows Legacy Collector. The recommended value is 50101.
  3. You will be prompted to supply the following information:

    • Windows Log Collector REST Username and Windows Log Collector REST Password: you must supply admin credentials for the Windows Legacy Collector.
    • Security Server Username and Security Server Password: you must supply admin credentials for RSA NetWitness Suite.

When you complete this procedure, you should see the Windows Legacy Collector Host and Service as shown in the following screenshots.
