Log Collection Config: Import, Export, and Edit Event Sources in Bulk

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017. Version 7.
  

This topic describes how to import, export, edit and test event sources in bulk.

You can use the bulk export option to export the event source details of your current setup and store them. If you later run into a problem with your setup and need the event source data you had, you can import this data in bulk.

You can use the bulk edit feature when multiple event sources need the same modification. Select all the sources and apply the edit to them at once, instead of applying the change one by one.

Import Event Sources in Bulk

Warning: When using a spreadsheet program to edit an exported event source CSV file, some data fields like numbers and dates can be re-formatted into the spreadsheet program’s native field types. This can cause issues when re-importing this information, as some data fields may be garbled or formatted incorrectly. This can be avoided by importing the CSV file into the spreadsheet program, and specifying all data fields as text values.

To import multiple event sources at once:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. Select Check Point, File, Netflow, ODBC, Plugins, SDEE, Syslog (for Remote Collectors only), VMware, Windows, or Windows Legacy (SNMP does not have an Import function).
  6. In the Sources panel toolbar, click Import Source.

    The Bulk Add Option dialog is displayed.

  7. Select either Import CSV File or Paste CSV Content. If you select:

    • Import CSV File:

      1. Click Next.

        The Import dialog is displayed.

      2. Click Add and select a .csv file from your network.

      3. Click Import.

        The event sources are added to the Event Source list.

    • Paste CSV Content:

      1. Copy the contents of the .csv file and paste them into the dialog.

        Bulk Add Option dialog shows .csv option selected.

      2. Click Import.

        The event sources are added to the Event Source list.

Export Event Sources in Bulk

Warning: When using a spreadsheet program to edit an exported event source CSV file, some data fields like numbers and dates can be re-formatted into the spreadsheet program’s native field types. This can cause issues when re-importing this information, as some data fields may be garbled or formatted incorrectly. This can be avoided by importing the CSV file into the spreadsheet program, and specifying all data fields as text values.

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. Select Check Point, File, Netflow, ODBC, Plugins, SDEE, Syslog (for Remote Collectors only), VMware, Windows, or Windows Legacy (SNMP does not have an Export function).
  6. In the Sources panel, select one or multiple event sources and click Export Source.

    The Bulk Export dialog is displayed.

  7. Based on your selection:

    • All: NetWitness Suite exports all event sources to a time-stamped CSV file.
    • Selected: NetWitness Suite exports the event source or sources you selected to a time-stamped CSV file.
    • Cancel: NetWitness Suite cancels the export.

The following is an example of a time-stamped CSV file that gets created with the event sources that you selected from the list.

Example of a time-stamped CSV file.
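
The spreadsheet warning in the Import and Export sections can be checked mechanically before re-import. The following is an added example, not part of the RSA documentation or product: it compares the exported CSV with the edited copy and reports cells whose text changed while the number or date they represent did not, which is what spreadsheet re-formatting looks like. The column names, the `name` key column, and the sample rows are constructed assumptions; the real export columns depend on the event source type.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. The column names are hypothetical, not the product's export schema.
EXPORTED = """name,address,port,poll_start
fw-01,10.0.0.5,00514,2017-09-11 08:00:00
db-02,10.0.0.9,1433,2017-09-11 08:00:00
"""
EDITED = """name,address,port,poll_start
fw-01,10.0.0.5,514,9/11/2017 8:00
db-02,10.0.0.9,1433,2017-09-11 08:00:00
"""
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%m/%d/%Y %H:%M", "%m/%d/%Y", "%Y-%m-%d")

def as_number(text):
    try:
        return float(text)
    except (ValueError, TypeError):
        return None

def as_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except (ValueError, TypeError):
            continue
    return None

def coerced(before, after):
    """True when the text changed but it still parses to the same number or date."""
    if before == after:
        return False
    for parse in (as_number, as_date):
        old, new = parse(before), parse(after)
        if old is not None and old == new:
            return True
    return False

def find_coerced_cells(exported_csv, edited_csv, key="name"):
    """Return (source, column, exported value, edited value) for each re-formatted cell."""
    original = {row[key]: row for row in csv.DictReader(io.StringIO(exported_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(edited_csv)):
        base = original.get(row[key], {})  # rows new in the edited file have no baseline
        for column, value in row.items():
            if column in base and coerced(base[column], value):
                findings.append((row[key], column, base[column], value))
    return findings
```

Any cell this reports should be restored to its exported text before the file is imported; intentional edits such as changing Off to On are not reported.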

Edit Event Sources in Bulk

To edit multiple event sources at once:

  1. On the Log Collector Event Sources tab, select Check Point, File, Netflow, ODBC, Plugins, SDEE, Syslog, VMware, Windows, or Windows Legacy (SNMP does not have an Edit function).
  2. In the Sources panel, select multiple event sources and click the edit icon.

    The appropriate Bulk Edit dialog for the selected event source is displayed. The following figure is an example of Bulk Edit Source dialog for File event source parameters.

    Bulk Edit Source dialog shows bulk operation enabled.

  3. Select the checkbox to the left of the fields that you want to modify (for example, Debug).
  4. Modify the selected parameters (for example, change Debug from Off to On).
  5. Click OK.

    NetWitness Suite applies the same parameter value change to all of the selected event sources.

Test Event Source Connections in Bulk

To test multiple event source connections at once:

  1. Go to Admin > Services.
  2. In the Services grid, select a Log Collector service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Select the Event Sources tab, then select Plugins, ODBC, or Windows (the other protocols do not have a bulk test connection function).
  5. Select one or more:

    • sources from the Sources panel for Plugins or ODBC
    • hosts from Hosts panel for Windows

    The Test Connection button is enabled.

    Example shows test connection selected.

  6. Click the Test Connection button.

    The Bulk Test Connections dialog is displayed showing the current status of the test for each source. The status can be waiting, testing, passed or failed.

    If you choose to close the testing before it is completed, the testing stops and the Bulk Test Connections dialog closes.

After the testing is complete, the results are displayed in the Bulk Test Connections dialog.

See Also

You can use the Event Sources module (Administration > Event Sources) to create groups of event sources, typically imported from a CMDB, and to monitor event sources based on those groups. For details, see the following topics in the Event Source Management Guide:

  • Import Event Sources
  • Export Event Sources
  • Bulk Edit Event Source Attributes