Windows Legacy Collection: The Basics

Document created by RSA Information Design and Development Employee on Jul 23, 2016. Last modified by RSA Information Design and Development Employee on Sep 14, 2016.
Version 4

This topic describes how the Windows Legacy collection protocol works, how you deploy it, and, at a high level, how you configure it.

How Legacy Windows and NetApp Collection Works

You use the Windows Legacy collection protocol to configure Security Analytics to collect events from:

  • Legacy Microsoft Windows event sources (Windows 2003 and earlier)
  • NetApp event sources

Windows 2003 and Earlier Event Sources

Legacy Windows event sources are older Windows versions (such as Windows 2000 and Windows 2003). The Windows Legacy collection protocol collects from Windows event sources that are already configured for enVision collection, without requiring you to reconfigure them. You set up these event sources under the windows event source type.

NetApp Event Sources

NetApp appliances running Data ONTAP support a native auditing framework that is similar to that of Windows Servers. When configured, this auditing framework generates and saves audit events in the Windows .evt file format. The Windows Legacy collection protocol supports collection of events from such NetApp .evt files. You set up these event sources under the netapp_evt event source type.

The NetApp Data ONTAP appliance is configured to generate CIFS Auditing events and save them periodically as .evt files, in a format that includes the timestamp in the filename. Refer to the NetApp Event Source configuration documentation on SecurCare Online (SCOL) for details. The collection protocol saves the timestamp of the last processed .evt filename to keep track of collection status.

NetApp-Specific Parameters

Most of the parameters that you maintain in the Add/Edit Source dialog apply to both Windows Legacy and NetApp event sources.

The following two parameters are unique to NetApp event sources.

  • Event Directory Path - The NetApp appliance generates event data and saves it in .evt files in a shareable directory on the NetApp appliance. Security Analytics requires you to specify this directory path in the Event Directory Path parameter.
  • Event File Prefix - Similar to the Event Directory Path, Security Analytics requires you to specify the prefix (for example, adtlog.) of the event data .evt files so that Security Analytics can process this data.

In each polling cycle, Security Analytics browses the configured NetApp shared path for the .evt files that you identified with the Event Directory Path and Event File Prefix parameters. Security Analytics:

  • Sorts files matching the event-file-prefix.YYMMDDhhmmss.evt format in ascending order.
  • Uses the timestamp of the last file processed to determine the files that still need processing. If Security Analytics finds a partially processed file, it skips the events already processed.
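The polling cycle just described, as an added illustration rather than RSA's own code: it assumes filenames of the form <prefix>YYMMDDhhmmss.evt and a checkpoint that records the last file's timestamp plus the number of that file's events already forwarded, so a partially processed file is resumed instead of re-read.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example (not the product's code) of the NetApp .evt polling cycle.
# Assumed layout: "<prefix><YYMMDDhhmmss>.evt", e.g. "adtlog.160901120000.evt".


@dataclass
class Checkpoint:
    """Collection status saved between polling cycles."""
    last_timestamp: Optional[str] = None  # timestamp of the last file processed
    events_done: int = 0                  # events already processed from that file


def matching_files(filenames, prefix):
    """Return names of the form <prefix>YYMMDDhhmmss.evt, sorted ascending by timestamp."""
    pattern = re.compile(r"^" + re.escape(prefix) + r"(\d{12})\.evt$")
    matches = [(m.group(1), name) for name in filenames if (m := pattern.match(name))]
    matches.sort()  # fixed-width YYMMDDhhmmss strings sort chronologically as text
    return [name for _, name in matches]


def poll(share, prefix, checkpoint):
    """One polling cycle over `share` (dict: filename -> list of event records).

    Returns (events collected this cycle, updated checkpoint). Files older than the
    checkpoint are skipped, the checkpoint file is resumed after its already-processed
    events, and newer files are read from the start.
    """
    collected = []
    new_cp = Checkpoint(checkpoint.last_timestamp, checkpoint.events_done)
    for name in matching_files(share, prefix):
        ts = name[len(prefix):-len(".evt")]
        if checkpoint.last_timestamp is not None and ts < checkpoint.last_timestamp:
            continue                                   # already fully processed
        start = checkpoint.events_done if ts == checkpoint.last_timestamp else 0
        events = share[name][start:]                   # skip events already processed
        collected.extend(events)
        new_cp = Checkpoint(ts, start + len(events))
    return collected, new_cp


# Constructed share contents: the 12:00 file was left partially processed.
SAMPLE_SHARE = {
    "adtlog.160901120000.evt": ["e1", "e2", "e3"],
    "adtlog.160901130000.evt": ["e4", "e5"],
    "adtlog.160901110000.evt": ["e0"],      # older than the checkpoint below: skipped
    "readme.txt": ["ignored"],              # does not match the prefix/format
}
```

Calling `poll(SAMPLE_SHARE, "adtlog.", Checkpoint("160901120000", 2))` yields only `e3`, `e4`, `e5` and moves the checkpoint to the 13:00 file.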

Deployment Scenario

The Windows Legacy collection protocol collects event data from Windows 2003 or earlier event sources and from NetApp Data ONTAP appliances. The Windows Legacy Remote Collector is the SA Legacy Windows Collector installed on a physical or virtual Windows 2008 64-bit server in your event source domain.


Configure Windows Legacy Collection Protocol in Security Analytics

You configure the Log Collector to use Windows Legacy collection for an event source in the Event Source tab of the Log Collector parameter view. The following figure shows the basic workflow for configuring an event source for Windows Legacy Collection in Security Analytics. Please refer to: