How Log Collection Works
The Log Collector service collects logs from event sources throughout an organization's IT environment and forwards them to other NetWitness Platform components. The logs, together with the descriptive content parsed from them, are stored as metadata for use in investigations and reports.
Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service and the NetWitness Platform administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.
RSA NetWitness Platform can collect logs from a wide variety of event sources. When you are configuring log collection for a specific event source, you need to know, first and foremost, the protocol that is used to collect the logs.
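The push path described above, where an event source issues syslog and the collector keeps the original line while extracting searchable fields, as an added Python example that is not part of the NetWitness documentation or product. The PRI encoding (facility * 8 + severity) and the RFC 3164 / RFC 5424 layouts are standard; the hostnames, sample lines and function names are assumptions constructed for the demonstration.

```python
"""Turn raw syslog lines into the kind of meta a log collector stores.

Added example (not NetWitness code). The raw line is always kept, so the
collector still holds the log in its original form, and the parsed fields
sit beside it. Hostnames and sample lines are constructed.
"""
import re

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD style): "Mmm dd hh:mm:ss HOST TAG[PID]: MSG"; the day may be space-padded
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(line):
    """Parse one syslog line into meta. The original text is always kept under 'raw'."""
    meta = {"raw": line, "format": "unknown", "msg": line}
    m = PRI_RE.match(line)
    if not m:
        return meta  # no <PRI>: keep the line, but no header field can be trusted
    pri = int(m.group(1))
    try:
        facility, severity = decode_pri(pri)
    except ValueError:
        return meta
    meta.update(pri=pri, facility=facility, severity=severity)
    body = line[m.end():]

    m5 = RFC5424_RE.match(body)
    if m5:
        sd = {}
        if m5["sd"] != "-":
            # Param values may carry escapes (\" \] \\); they are not unescaped here.
            sd = dict(SD_PARAM_RE.findall(m5["sd"]))
        meta.update(format="rfc5424", timestamp=m5["ts"], host=m5["host"],
                    app=m5["app"], procid=m5["procid"], msgid=m5["msgid"],
                    sd=sd, msg=m5["msg"] or "")
        return meta

    m3 = RFC3164_RE.match(body)
    if m3:
        meta.update(format="rfc3164", timestamp=m3["ts"], host=m3["host"],
                    app=m3["tag"], procid=m3["pid"], msg=m3["msg"])
        return meta

    meta["msg"] = body  # PRI was valid but the header is non-standard
    return meta


# Constructed sample input: a BSD-style line, an RFC 5424 line, and a firewall line
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    "An application event log entry",
    "<13>Feb  5 17:32:18 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1",
]


def count_by_severity(lines):
    """Count parsed events per severity, the kind of roll-up a report would use."""
    counts = {}
    for line in lines:
        sev = parse_syslog(line).get("severity", "unparsed")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        meta = parse_syslog(line)
        print(meta["format"], meta.get("facility"), meta.get("severity"),
              meta.get("host"), meta.get("app"), "->", meta["msg"])
    print(count_by_severity(SAMPLE_LINES))
```

The parser never drops a line it cannot fully decode: an unparseable input still comes back with `raw` intact and `format` set to `unknown`, so a malformed event is visible in the data rather than silently lost.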
| Collection protocol | Description |
| --- | --- |
| Check Point | Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs. For details, see Configure Check Point Event Sources in NetWitness Platform. |
| File | Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service. For details, see Configure File Event Sources in NetWitness Platform. |
| Netflow | Accepts events from Netflow v5 and Netflow v9. For details, see Configure Netflow Event Sources in NetWitness Platform. |
| ODBC | Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface. For details, see Configure ODBC Event Sources in NetWitness Platform. |
| Plugins | The Plugins collection is a generic collection framework for collecting events using external scripts written in other languages. RSA currently provides collection for Amazon Web Services (AWS) CloudTrail and Microsoft Azure. Customers can use this framework to develop their own collection protocols. |
| | Collects Intrusion Detection System (IDS) and Intrusion Prevention Service (IPS) messages. |
| SNMP Trap | Accepts SNMP traps. For details, see Configure SNMP Event Sources in NetWitness Platform. |
| Syslog | Accepts messages from event sources that issue syslog messages. For details, see Configure Syslog Event Sources. |
| VMware | Collects events from a VMware virtual infrastructure. For details, see Configure VMware Event Sources in NetWitness Platform. |
| Windows | Collects events from Windows machines that support the Microsoft Windows 6.0 model. Windows 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008. For details, see Configure Windows Event Sources in NetWitness Platform. |
| Windows Legacy | Collects events from: |