This topic tells how to perform the initial setup of Local Collectors and Remote Collectors.
Verify that the Log Decoder is set up and that it:
- is capturing data.
- has the current content loaded.
- is properly licensed.
Roles of Local and Remote Collectors
A Local Collector (LC) is a Log Collector service running on a Log Decoder host. In a local deployment scenario, the Log Collector service is deployed on the Log Decoder host alongside the Log Decoder service. The Log Collector service performs log collection over the supported protocols (Windows, ODBC, and so on) and forwards the events to the Log Decoder service. The Local Collector sends all collected event data to the Log Decoder service.
You must have at least one Local Collector to collect non-Syslog events.
A Remote Collector (RC), also referred to as a Virtual Log Collector (VLC), is a Log Collector service running on a stand-alone Virtual Machine. Remote Collectors are optional; if deployed, they must send the events they collect to a Local Collector. Remote Collector deployment is ideal when you have to collect logs from remote locations. Remote Collectors compress and encrypt the logs before sending them to a Local Collector.
Deploying and Configuring Log Collection
The following figure illustrates the basic tasks you must complete to deploy and configure Log Collection. To deploy Log Collection, you need to set up a Local Collector. You can also deploy one or more Remote Collectors. After you deploy Log Collection, you need to configure the event sources in NetWitness Suite and on the event sources themselves. The following diagram shows the Local Collector with one Remote Collector that pushes events to the Local Collector.
The figure calls out the following:
- The Local Collector is the Log Collector service running on the Log Decoder host.
- A Remote Collector is the Log Collector service running on a virtual machine or Windows server in a remote location.
- Configure collection protocols in NetWitness Suite.
- Configure each event source to communicate with the NetWitness Suite Log Collector.
Adding Local Collector and Remote Collector to NetWitness Suite
To add a Local Collector and Remote Collector to NetWitness Suite:
- Go to ADMIN > Services.
  The Add Service dialog box is displayed.
- Define the details of the Log Collection service.
- Select Test Connection to ensure that your Local or Remote Collector is added.
Configuring Log Collection
You choose the Log Collector—that is, a Local Collector (LC) or Remote Collector (RC)—for which you want to define parameters in the Services view. The following figure shows how to navigate to the Services view, select a Log Collector service, and display the configuration parameter interface for that service.
- Go to ADMIN > Services.
- Select a Log Collection service.
- Click under Actions and select View > Config to display the Log Collection configuration parameter tabs.
- Define global Log Collection parameters in the General tab.
- For a Local Collector, NetWitness Suite displays the Remote Collectors tab. In this tab, select the Remote Collectors from which the Local Collector pulls events.
- For a Remote Collector, NetWitness Suite displays the Local Collectors tab. In this tab, select the Local Collectors to which the Remote Collector pushes events.
- Edit configuration files as text files in the Files tab.
- Define collection protocol parameters in the Event Sources tab.
- Define the lockbox, encryption keys, and certificates in the Settings tab.
- Define Appliance Service parameters in the Appliance Service Configuration tab.
Data Flow Diagram
You use the log data collected by the Log Collector service to monitor the health of your enterprise and to conduct investigations. The following figure shows you how data flows through NetWitness Suite Log Collection to Investigation.