Log Collection Protocols Basic Procedure

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by Scott Marcus on Oct 12, 2017.
Version 8

The basic procedure is the same for all of the supported Collection Protocols.

  1. Set up your Event Source for collection. Each supported event source has a configuration document available in the RSA Supported Event Sources space on RSA Link.

    1. Navigate to the RSA Supported Event Sources space on RSA Link.
    2. Find the Instructions for your Event Source.

      The Overview page lists all of the currently supported Event Sources, as well as information about the collection method, device class, and supported versions.

    3. Download the configuration instructions for your event source, and follow them.
  2. Configure collection on RSA NetWitness Suite. The event source configuration guide contains these instructions. However, this guide also provides these instructions, based on the collection method used by your event source. See Collection Protocols for details.
  3. Start the Service for your Collection Method. Normally, you only need to do this for the first event source that uses this collection method. For example, the first time you configure an event source that uses File Collection, you may need to start the File Service in NetWitness Suite.
  4. Verify that Collection is working for your Event Source.

The remainder of this topic discusses steps 2, 3, and 4 in more detail.

Configure Collection in RSA NetWitness Suite

The process to configure event sources is dependent upon the collection method they use. Note, however, that they are very similar. The following procedure is generic: more details for individual collection methods are available in topics that cover the details for each specific collection method.

  1. Go to ADMIN > Services from the NetWitness Suite menu.
  2. Select a Log Collection service.
  3. Under Actions, open the menu and select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    The Event Sources tab is displayed.

  5. In the Log Collector Event Sources tab, select your collection method from the drop-down menu.
  6. In the Event Categories panel toolbar, click the add icon.

    The Available Event Source Types dialog box is displayed.

  7. Select an event source type and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  8. Select the new type in the Event Categories panel and click the add icon in the Sources toolbar.

    The Add Source dialog is displayed.

  9. Enter values for the available parameters.

    Refer to the Parameters section of the specific collection method that you are configuring.

  10. Click OK.

Start the Service for your Collection Method

To start the service for your collection method, do the following:

  1. Go to Admin > Services.
  2. Select a Log Collector and, from its actions menu, select View > System.
  3. Click Collection > protocol > Start

    where protocol is the protocol that you wish to start, for example Netflow.

Verify that Collection is working for your Event Source

You can verify that a collection method is working from the Admin > Health & Wellness > Event Source Monitoring tab.

To verify that collection is working for an event source:

  1. Go to ADMIN > Health & Wellness
  2. Click the Event Source Monitoring tab.
  3. In the grid, find the Log Decoder, Event Source, and Event Source Type.
  4. Look for activity in the Count column for an event source to verify that collection is accepting events.
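Looking at the Count column once tells you only that events have arrived at some point; what a log collection owner usually wants to know is whether each source is still delivering. The following script is an added example, not part of the RSA documentation and not a NetWitness API: it assumes the Event Source Monitoring grid has been exported twice as CSV with the column names shown (all names and values are constructed), and it classifies each Log Decoder / Event Source / Event Source Type triple by how its count moved between the two polls.

```python
import csv
import io

# Constructed sample exports of the Event Source Monitoring grid. The column
# names and values are invented for this example; they are not NetWitness output.
GRID_BEFORE = """log_decoder,event_source,event_source_type,count
logdecoder-01,10.10.1.5,ciscoasa,15230
logdecoder-01,10.10.1.9,winevent_nic,8801
logdecoder-02,10.10.2.3,apache,0
"""

GRID_AFTER = """log_decoder,event_source,event_source_type,count
logdecoder-01,10.10.1.5,ciscoasa,15812
logdecoder-01,10.10.1.9,winevent_nic,8801
logdecoder-02,10.10.2.3,apache,0
logdecoder-02,10.10.2.7,rhlinux,42
"""


def parse_grid(text):
    """Map (log_decoder, event_source, event_source_type) -> event count."""
    counts = {}
    for rec in csv.DictReader(io.StringIO(text)):
        key = (rec["log_decoder"], rec["event_source"], rec["event_source_type"])
        counts[key] = int(rec["count"])
    return counts


def check_collection(before, after, min_delta=1):
    """Classify every event source by how its count moved between two polls.

    active     - count grew by at least min_delta: collection is working
    stalled    - events were seen before, but none arrived in this interval
    never_seen - configured but the count is still zero: collection never started
    new        - appeared only in the second poll, judged on its count alone
    missing    - present in the first poll but gone from the second
    """
    report = {"active": [], "stalled": [], "never_seen": [], "new": [], "missing": []}
    for key in sorted(set(before) | set(after)):
        if key not in after:
            report["missing"].append(key)
        elif key not in before:
            report["new" if after[key] > 0 else "never_seen"].append(key)
        elif before[key] == 0 and after[key] == 0:
            report["never_seen"].append(key)
        elif after[key] - before[key] >= min_delta:
            report["active"].append(key)
        else:
            report["stalled"].append(key)
    return report


def main():
    report = check_collection(parse_grid(GRID_BEFORE), parse_grid(GRID_AFTER))
    # Only the conditions that need an operator's attention are printed.
    for status in ("stalled", "never_seen", "missing"):
        for decoder, source, source_type in report[status]:
            print(f"{status:>10}: {source} ({source_type}) on {decoder}")


if __name__ == "__main__":
    main()
```

Set min_delta and the polling interval to match the source: a busy firewall should advance by thousands of events between polls, while a quiet appliance may legitimately send nothing for an hour. A count that drops between polls (for example after the Log Collector service is restarted) shows up here as stalled, so check the service state before treating it as a collection failure.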
