This topic describes how NetWitness Suite performs log collection.
How You Deploy Log Collection
You can deploy Log Collection according to the needs and preferences of your enterprise. This includes deploying Log Collection across multiple locations and collecting data from varying sets of event sources. You do this by setting up a Local Collector with one or many Remote Collectors.
Components of Log Collection
The following figure shows all the components involved in event collection through the NetWitness Suite Log Collector.
Local and Remote Collectors
The following figure illustrates how the Local and Remote Collectors interact to collect events from all of your locations.
In this scenario, log collection over the various protocols (Windows, ODBC, and so on) is performed by both the Remote Collector and the Log Collector service. If the log collection is done by the Local Collector, the events are forwarded to the Log Decoder service, just as in the local deployment scenario. If the log collection is done by a Remote Collector, there are two methods by which the events are transferred to the Local Collector:
- Pull Configuration - From a Local Collector, you select the Remote Collectors from which you want to pull events.
- Push Configuration - From a Remote Collector, you select the Local Collector to which you want to push events.
You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.
Additionally, you can set up a chain of Remote Collectors for which you can configure:
- One or more Remote Collectors to push event data to a Remote Collector.
- A Remote Collector to pull event data from one or more Remote Collectors.
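The push, pull and chaining rules above can be checked mechanically before a deployment goes live. The following is an added example, not NetWitness Suite code and not its configuration format: it models each collector as a node, turns both push and pull settings into "events flow from A to B" edges, and then verifies that every Remote Collector's events eventually reach a Local Collector (and so the Log Decoder), that a Local Collector does not forward to another collector, and that no chain of Remote Collectors loops. Collector names such as lc-hq and rc-site-a are constructed placeholders.

```python
"""Constructed model of a Local/Remote Collector topology (added example; not
NetWitness Suite code and not its configuration format).

Each collector is a node. An edge A -> B means events collected by A are
transferred to B, whether A was configured to push to B or B was configured
to pull from A. The checks mirror the deployment rules described above:
Remote Collector events must end up at a Local Collector (which forwards to
the Log Decoder), chains may be nested, and a chain must never loop.
"""
from dataclasses import dataclass, field


@dataclass
class Collector:
    name: str
    kind: str                                            # "local" or "remote"
    pushes_to: list[str] = field(default_factory=list)   # push configuration on this collector
    pulls_from: list[str] = field(default_factory=list)  # pull configuration on this collector


def build_flow(collectors):
    """Combine push and pull settings into {source: {destinations}}."""
    by_name = {c.name: c for c in collectors}
    flow = {name: set() for name in by_name}
    for c in collectors:
        for dest in c.pushes_to:
            if dest not in by_name:
                raise ValueError(f"{c.name} pushes to unknown collector {dest}")
            flow[c.name].add(dest)
        for src in c.pulls_from:
            if src not in by_name:
                raise ValueError(f"{c.name} pulls from unknown collector {src}")
            flow[src].add(c.name)
    return flow


def find_cycle(flow):
    """Return the names on a loop (first name repeated at the end), or [] if none."""
    state = {n: "new" for n in flow}
    path = []

    def visit(n):
        state[n] = "active"
        path.append(n)
        for m in sorted(flow[n]):
            if state[m] == "active":
                return path[path.index(m):] + [m]
            if state[m] == "new":
                cycle = visit(m)
                if cycle:
                    return cycle
        path.pop()
        state[n] = "done"
        return []

    for n in flow:
        if state[n] == "new":
            cycle = visit(n)
            if cycle:
                return cycle
    return []


def validate_topology(collectors):
    """Return a list of problem descriptions; an empty list means the layout is sound."""
    by_name = {c.name: c for c in collectors}
    flow = build_flow(collectors)
    problems = []
    for c in collectors:
        # A Local Collector hands events to the Log Decoder, not to another collector.
        if c.kind == "local" and flow[c.name]:
            problems.append(f"{c.name}: Local Collector forwards to {sorted(flow[c.name])}")
        if c.kind != "remote":
            continue
        # Walk downstream from each Remote Collector until a Local Collector is reached.
        seen, todo, reached_local = set(), [c.name], False
        while todo:
            node = todo.pop()
            if node in seen:
                continue
            seen.add(node)
            if by_name[node].kind == "local":
                reached_local = True
            else:
                todo.extend(flow[node])
        if not reached_local:
            problems.append(f"{c.name}: events never reach a Local Collector")
    cycle = find_cycle(flow)
    if cycle:
        problems.append("loop in collector chain: " + " -> ".join(cycle))
    return problems


# Constructed sample layouts (names are placeholders, not real hosts).
HQ_TOPOLOGY = [
    Collector("lc-hq", "local", pulls_from=["rc-site-c"]),      # pull configuration on the LC
    Collector("rc-site-a", "remote", pushes_to=["lc-hq"]),      # push configuration on the RC
    Collector("rc-site-b", "remote", pushes_to=["rc-site-a"]),  # chained RC -> RC -> LC
    Collector("rc-site-c", "remote"),
]
LOOPED_TOPOLOGY = [
    Collector("lc-hq", "local"),
    Collector("rc-x", "remote", pushes_to=["rc-y"]),
    Collector("rc-y", "remote", pushes_to=["rc-x"]),  # misconfigured: loops, never reaches lc-hq
]

if __name__ == "__main__":
    for label, topo in (("hq", HQ_TOPOLOGY), ("looped", LOOPED_TOPOLOGY)):
        print(label, validate_topology(topo) or "OK")
```

Running the block reports the first layout as OK and flags the second twice: both Remote Collectors have no Local Collector downstream, and the chain rc-x -> rc-y -> rc-x loops. Treating push and pull as the same directed edge is what lets one check cover both configuration styles and mixed chains.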
Windows Legacy Remote Collector
The RSA NetWitness® Suite Windows Legacy Collector is a Microsoft Windows-based remote log collector (RC) that can be installed in a Windows domain.
It supports collection from:
- Windows 2003 and earlier event sources
- NetApp ONTAP host evt files
The following figure illustrates the deployment required to collect events from Windows Legacy event sources.