Windows Legacy and NetApp Collection Configuration Guide

Document created by RSA Information Design and Development on Sep 11, 2017Last modified by RSA Information Design and Development on Oct 12, 2017
Version 7Show Document
  • View in full screen mode
  

This Windows Legacy protocol collects events from Windows Legacy (Windows 2003 or earlier event sources) and CIFS Auditing events from NetApp ONTAP event sources.

You must deploy Log Collection, that is set up a Local Collector and Windows Legacy Remote Collector, before you can configure the Windows Legacy collection protocol.

How Legacy Windows and NetApp Collection Works

You use the Windows Legacy collection protocol to configure NetWitness Suiteto collection events from:

  • Legacy Microsoft Windows event sources (Window 2003 and earlier event sources)
  • NetApp event sources

Window 2003 and Earlier Event Sources

Legacy Windows event sources are older Windows versions (such as Windows 2000 and Window 2003).  The Windows Legacy collection protocol collects from Windows event sources that are already configured for enVision collection without having to reconfigure them. You set up these event sources under the windows event source type. 

NetApp Event Sources

NetApp appliances running Data ONTAP support a native auditing framework that is similar to Windows Servers. When configured, this auditing framework generates and saves audit events in Windows .evt file format. The Windows Legacy collection protocol supports collection of events from such NetApp .evt files.  You set up these event sources under the netapp_evt event source type. 

The NetApp Data ONTAP appliance is configured to generate CIFS Auditing events and save them periodically as .evt files in a format that includes the timestamp in the filename. Refer to the Network Appliance Data ONTAP Event Source Configuration Guide on RSA Link for details. The collection protocol saves the timestamp of the last processed .evt filename to keep track of collection status.

Net App Specific Parameters

Most of the parameters that you maintain in Add/Edit Source dialog apply to both Windows Legacy and Net App events sources.

The following two parameters are unique to NetApp event sources.

  • Event Directory Path - The NetApp appliance generates event data and saves it in .evt files in a shareable directory on the NetApp appliance. NetWitness Suite requires you to specify this directory path in the Event Directory Path parameter
  • Event File Prefix - Similar to the Event Directory Path, NetWitness Suite requires you to specify the prefix (for example, adtlog.) of the event data .evt files so that NetWitness Suite can process this data.

In each polling cycle, NetWitness Suite browses the configured NetApp shared path for the .evt files that you identified with the Event Directory Path and Event File Prefix parameters. NetWitness Suite:

  • Sorts Files matching the event-file-prefix.YYMMDDhhmmss.evt format in ascending order.
  • Uses the timestamp of the last file processed to determine the files that still need processing. If NetWitness Suite finds a partially processed file, it skips the events already processed.

Deployment Scenario

The Windows Legacy collection protocol collects event data from Windows 2003 or earlier, and NetApp ONTAP appliance, event sources. The Windows Legacy Remote Collector is the SA Legacy Windows Collector installed on physical or virtual Windows 2008 64-bit server in your event source domain.

Windows Legacy Multi-Domain workflow.

You are here
Table of Contents > Collection Protocols > Windows Legacy and NetApp Collection Configuration Guide

Attachments

    Outcomes