Windows Collection in RSA NetWitness® Platform
NetWitness Platform provides several ways to collect logs from Microsoft Windows machines. Each method has advantages and disadvantages, as well as different methods of configuration.
Basically, NetWitness Platform provides the following ways to collect Windows logs:
- Windows Remote Management (WinRM): RSA provides a Powershell script, winrmconfig, that you can use to automate much of the configuration process.
- Intersect Alliance Snare Agent: a third-party software tool that can collect audit log data from Windows
- Adiscon EventReporter: third-party software that provides centralized monitoring and reporting for Windows event log records
- NetWitness Endpoint Agent for Windows: you can install Endpoint Agents on each of your Windows machines, which can monitor the behavior of all Windows endpoints in your network.
- Windows Legacy: the legacy collector is used to collect Windows logs from Windows Servers up to 2003.
The following table describes details for each option: use these details to help determine how you choose to collect Windows Logs in your environment.
For the details on how to configure and collect logs using each of these methods, please see the individual guide for that method:
- WinRM Configuration: https://community.rsa.com/docs/DOC-43306
- Snare Agent: https://community.rsa.com/docs/DOC-40247
- NXLog: https://community.rsa.com/docs/DOC-40247
- Event Reporter: https://community.rsa.com/docs/DOC-40247
- Endpoint Agent: https://community.rsa.com/docs/DOC-101884
- Windows Legacy: https://community.rsa.com/docs/DOC-75593