Log Collection: Basics

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Jul 9, 2019. Version 14.

How Log Collection Works

The Log Collector service collects logs from event sources throughout an organization's IT environment and forwards them to other NetWitness Platform components. The logs and their descriptive content are stored as metadata for use in investigations and reports.

Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service, and the NetWitness Platform administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.

Collection Protocols

RSA NetWitness Platform can collect logs from a wide variety of event sources. When you are configuring log collection for a specific event source, you need to know, first and foremost, the protocol that is used to collect the logs.

Collection Protocol: Description

Check Point

Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs. For details, see Configure Check Point Event Sources in NetWitness Platform.

File

Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service.

For details, see Configure File Event Sources in NetWitness Platform.

Netflow

Accepts events from Netflow v5 and Netflow v9. For details, see Configure Netflow Event Sources in NetWitness Platform.

ODBC

Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface. For details, see Configure ODBC Event Sources in NetWitness Platform.

Plugins

The Plugins collection is a generic collection framework for collecting events using external scripts written in other languages. RSA currently provides collection for Amazon Web Services (AWS) CloudTrail and Microsoft Azure.

Customers can use this framework to develop their own collection protocols.

SDEE

Collects Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) messages. For details, see Configure SDEE Event Sources in NetWitness Platform.

SNMP

Accepts SNMP traps. For details, see Configure SNMP Event Sources in NetWitness Platform.

Syslog

Accepts messages from event sources that issue syslog messages. For details, see Configure Syslog Event Sources.

Note: You do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.

VMware

Collects events from a VMware virtual infrastructure. For details, see Configure VMware Event Sources in NetWitness Platform.

Windows

Collects events from Windows machines that support the Microsoft Windows 6.0 model. Windows 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008. For details, see Configure Windows Event Sources in NetWitness Platform.

Windows Legacy

Collects events from:

  • Older Windows versions such as Windows 2000 and Windows 2003, and from Windows event sources that are already configured for enVision collection, without having to reconfigure them.
  • NetApp ONTAP appliance event sources, so that you can collect and parse NetApp evt files.

For more information, see Windows Legacy and NetApp Collection Configuration.

Note: You install the NetWitness Platform Windows Legacy Collector on a physical or virtual Windows 2008 R2 SP1 64-Bit server using SALegacyWindowsCollector-version-number.exe.
