This guide describes the high-level steps and subtasks for setting up and configuring log collection for event sources. It covers:
- What Log Collection does and how it works at a high level, with high-level deployment diagrams.
- How to start collecting events.
- Where to find instructions to set up more complex deployments.
- How to start any collection protocol.
- What the structure of the Log Collection Configuration User Interface is.
- Which tools to use to troubleshoot Log Collection issues, and global troubleshooting instructions.
- How to fine-tune and customize Log Collection in your environment.
- How to configure individual collection protocols. Instructions are in the individual Log Collection sections.
This workflow depicts the basic tasks needed to start collecting events through Log Collection.
At a high level, these are the procedures you must follow for log collection:
1. Add local and remote collectors to RSA NetWitness Suite.
   Set up a Log Collector locally on a Log Decoder (that is, a Local Collector). You can also set up Log Collectors in as many remote locations (that is, Remote Collectors) as you need for your enterprise. For details, see Basic Implementation.
2. Download the latest content from Live. This is a task that you perform periodically, because the content provided on Live is updated regularly.
   Live is the Content Management System for RSA NetWitness® Suite, from which you download the latest content. The two resource types you use to download Log Collection content are:
   - RSA Log Collector: content enabling the collection of event source types.
   - RSA Log Device: the latest supported event source parsers.
   You can also subscribe to content on Live. For details, see the Live Services Management Guide.
3. Configure Settings: set up the lockbox and certificates.
4. Configure Event Sources.
   You configure all the event sources on your network to send their log information to RSA NetWitness Suite. Whenever you add new event sources, you need to perform this procedure as well. All event source configuration guides are found in the RSA Supported Event Sources space in RSA Link.
   - Start and stop services for configured protocols. Occasionally, you may need to stop and restart services after adding new event sources to RSA NetWitness Suite.
5. Verify that Log Collection is working.
   Whenever you set up a new event source or add a new collection protocol, verify that the correct logs are being sent to RSA NetWitness Suite.