on Sep 14, 2017Note: For NetWitness Platform 11.4.1, this view has been deprecated. To manage Event Sources, use the 
(Admin) > Event Sources view. For details, see "About Event Source Management" in the RSA NetWitness Platform Event Source Management Guide.
The Event Source Monitoring view consists of the Event Source panel, the Add/Edit Source Monitor dialog, the Decommission panel, and the Decommission dialog. You use the view to configure:
- When to generate notifications for event sources from which the Log Collector is no longer receiving logs.
- Where to send those notifications.
- When to decommission a Log Collector when a Remote Collector and the Local Collector fails over to a standby Log Decoder.
The required role to access this view is Manage NW Auditing. To access this view:
- Go to
(Admin) > Health & Wellness. - Select Settings > Event Source.
What do you want to do?
| Role | I want to ... | Show me how |
|---|---|---|
| Administrator | View the functionality of Event Source Monitoring | Monitor Event Sources |
Related Topics
Configure Event Source Monitoring
Quick Look
The Event Source tab is displayed.
| 1 | Displays Event Source Monitoring Panel |
| 2 | Configure Event Source Monitoring Panel to receive notification |
Event Source Monitoring Panel
| Feature | Description |
|---|---|
| Configure email or distribution list. | Opens the Administration > System > Email view so you can adjust the email distribution for the Event Source Monitoring output. |
| Configure Syslog and SNMP Trap servers. | Opens the Administration > System > Auditing view so you can adjust the Syslog and SNMP trap distribution for the Event Source Monitoring output. |
 | Displays the Add/Edit Source Monitor dialog in which you add or modify event sources to monitor. |
 | Deletes the selected event sources from monitoring. |
 | Selects an event source. |
| Source Type | Displays the source type of the event source. |
| Source Host | Displays the source host of the event source. |
| Time Threshold | Displays the time period after which NetWitness Platform stops sending notifications (Time Threshold). |
| Apply | Applies any additions, deletions, or changes and they become effective immediately. |
| Cancel | Cancels any additions, deletion, or changes. |
Decommission Panel
| Feature | Description |
|---|---|
 | Displays the Decommission dialog in which you add or modify event sources to decommission. |
 | Deletes the selected event sources from decommissioning. |
| | Selects an event source. |
| Regex | Displays options to use regular expressions. |
| Source Type | Displays the source type of the decommissioned event source. |
| Source Host | Displays the source host of the decommissioned event source. |
| Apply | Applies any additions, deletions, or changes, which become effective immediately. |
| Cancel | Cancels any additions, deletions, or changes. |
Add/Edit Source Monitor Dialog
In the Add/Edit Source Monitor dialog, you can add or modify the the event sources that you want to monitor. The two parameters that identify an event source are Source Type and Source Host. You can use globbing (pattern matching and wildcard characters) to specify the Source Type and Source Host of event sources as shown in the following example:
| Source Type | Source Host |
|---|---|
| ciscopix | 1.1.1.1 |
| * | 1.1.1.1 |
| * | * |
| * | 1.1.1.1|1.1.1.2 |
| * | 1.1.1.[1|2] |
| * | 1.1.1.[123] |
| * | 1.1.1.[0-9] |
| * | 1.1.1.11[0-5] |
| * | 1.1.1.1,1.1.1.2 |
| * | 1.1.1.[0-9]|1.1.1.11[0-5] |
| * | 1.1.1.[0-9]|1.1.1.11[0-5],10.31.204.20 |
| * | 1.1.1.* |
| * | 1.1.1.[0-9]{1,3} |
Features
| Feature | Description |
|---|---|
| Regex | Select the checkbox to use regular expressions. |
| Source Type | The source type of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector service > View > Config view. |
| Source Host | Hostname or IP address of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector device > View > Config view. |
| Time Threshold | The time period after which NetWitness Platform starts sending notifications. |
| Cancel | Closes the dialog without adding the event source, or changes to the event source, to the Event Source Monitoring panel. |
| OK | Adds the event source to the Event Source Monitoring panel. |
Decommission Dialog
| Feature | Description |
|---|---|
| Source Type | The source type of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector device > View > Config view. |
| Source Host | Hostname or IP address of the event source. You must use the value that you configured for the event source in the Event Sources tab of the Administration > Services > Log Collector service > View > Config view. |
| Cancel | Closes the dialog without applying any event source additions, deletions, or changes to the Decommissioning panel. |
| OK | Applies any event source additions, deletions, or changes to the Decommissioning panel. |
