Log Collection Basics

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017.
Version 7
How Log Collection Works

The Log Collector service collects logs from event sources throughout an organization's IT environment and forwards them to other NetWitness Suite components. The logs and their descriptive content are stored as metadata for use in investigations and reports.

Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service, and the NetWitness Suite administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.

Collection Protocols

RSA NetWitness Suite can collect logs from a wide variety of event sources. When you are configuring log collection for a specific event source, you need to know, first and foremost, the protocol that is used to collect the logs.

                                                       
Collection ProtocolDescription
Check Point

Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs. For details, see Configure Check Point Event Sources in NetWitness Suite.

File

Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service.

For details, see Configure File Event Sources in NetWitness Suite.

Netflow

Accepts events from Netflow v5 and Netflow v9. For details, see Configure Netflow Event Sources in NetWitness Suite.

ODBC

Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface. For details, see Configure ODBC Event Sources in NetWitness Suite.

Plugins

The Plugins collection is a generic collection framework for collecting events using external scripts written in other languages. RSA currently provides collection for Amazon Web Services (AWS) CloudTrail and Microsoft Azure.

Customers can use this framework to develop their own collection protocols.

SDEE

Collects Intrusion Detection System (IDS) and Intrusion Prevention Service (IPS) messages. For details, see Configure SDEE Event Sources in NetWitness Suite.

SNMP Trap

Accepts SNMP traps. For details, see Configure SNMP Event Sources in NetWitness Suite.

Syslog

Accepts messages from event sources that issue syslog messages. For details, see Configure Syslog Event Sources for Remote Collector.

Note: You do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.
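As an added example (not RSA NetWitness code), the following Python decodes RFC 3164 syslog lines into the kind of metadata fields described under How Log Collection Works, and keeps malformed lines visible rather than dropping them silently. The field names, the sample lines and the `collect` helper are this example's own, not NetWitness meta keys or APIs.

```python
"""Decode RFC 3164 (BSD) syslog messages into metadata fields.

Added example, not part of the NetWitness product. Field names are
illustrative only; the sample lines below are constructed.
"""
import re
from typing import Optional

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG   (PRI = facility * 8 + severity)
_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)

def parse_syslog(line: str) -> Optional[dict]:
    """Return a metadata dict for a well-formed message, or None if malformed."""
    m = _RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri_text = m["pri"]
    pri = int(pri_text)
    # RFC 3164: PRI is 0..191 with no leading zeros; reject anything else.
    if pri > 191 or (len(pri_text) > 1 and pri_text[0] == "0"):
        return None
    return {
        "facility": FACILITIES[pri >> 3],   # high bits select the facility
        "severity": SEVERITIES[pri & 7],    # low three bits are the severity
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }

def collect(lines):
    """Parse a batch; return (events, malformed) so drops are auditable."""
    events, malformed = [], []
    for line in lines:
        ev = parse_syslog(line)
        (events if ev else malformed).append(ev or line)
    return events, malformed

SAMPLE_LINES = [  # constructed sample input
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "<13>Oct 11 22:14:16 web02 nginx: GET /index.html 200",
    "Oct 11 22:14:17 app03 missing PRI header",
]

if __name__ == "__main__":
    ok, bad = collect(SAMPLE_LINES)
    for ev in ok:
        print(ev["host"], ev["facility"], ev["severity"], ev["tag"], ev["msg"])
    print("malformed:", len(bad))
```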

VMware

Collects events from a VMware virtual infrastructure. For details, see Configure VMware Event Sources in NetWitness Suite.

Windows

Collects events from Windows machines that support the Microsoft Windows 6.0 event logging model. Windows 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008. For details, see Configure Windows Event Sources in NetWitness Suite.

Windows Legacy

Collects events from:

  • Older Windows versions such as Windows 2000 and Windows 2003, and from Windows event sources that are already configured for enVision collection, without having to reconfigure them.
  • NetApp ONTAP appliance event sources, so that you can collect and parse NetApp evt files.

For more information, see Windows Legacy and NetApp Collection Configuration.

Note: You install the NetWitness Suite Windows Legacy Collector on a physical or virtual Windows 2008 R2 SP1 64-Bit server using the SALegacyWindowsCollector-version-number.exe.
