RSA NetWitness for Logs (version 10.6)

Document created by Connor Mccarthy Employee on Feb 1, 2018
Version 1

In order to register for a class, you need to first create an EMC account.
If you need further assistance, contact us.



This classroom-based course focuses on setting up RSA NetWitness Logs collection and reporting in a compliance scenario.



This classroom-based course provides an overview of RSA NetWitness Logs, hands-on configuration of components for log collection, setup of event sources, troubleshooting of log collection, investigation basics and creating reports and alerts using a PCI compliance use case. Additionally, the course covers writing parsers for logs.



Audience

  • RSA NetWitness Logs Administrators
  • Compliance Officers
  • Content Developers



Duration

4 Days



Prerequisite Knowledge/Skills

Students should be familiar with basic computer architecture, networking fundamentals and general information security concepts. Basic knowledge of the TCP/IP protocol stack is beneficial.


Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe the RSA NetWitness Logs architecture
  • Identify log deployments
  • Describe the flow of data in RSA NetWitness Logs
  • Configure RSA NetWitness Logs services and components
  • Configure log collection event sources
  • Describe log collection troubleshooting techniques
  • Describe the RSA NetWitness Logs Investigation Module
  • Apply basic analysis techniques using the Investigation Module
  • Use application rules to create alerts for compliance
  • Create compliance reports
  • Deploy rules and reports from Live
  • Create charts
  • Create alerts using the Reporting Engine and ESA
  • View alerts in the Incident Management module
  • Describe how RSA NetWitness Logs parses log data
  • Create a log parser using the ESI tool


Course Outline


  • RSA NetWitness Logs Overview
    • What is RSA NetWitness Logs
    • RSA NetWitness Logs architecture
    • RSA NetWitness Logs Data Flow
    • Log Deployment scenarios
    • Data sources
    • RSA NetWitness Logs user interface
    • Customizing the interface


  • Configuring RSA NetWitness Logs
    • Administration Module Overview
    • Configuring services
    • Configuring Live
    • Configuring files
    • Configuring Event Stream Analysis (ESA)
    • Configuring Incident Management
    • Configuring the Reporting Engine
    • Configuring the Archiver
    • Configuring the Context Hub
    • Explain the licensing model
    • Configuring Data Privacy


  • Setting Up Data Collection
    • Setting up capture for log data
    • Configuring log collection
    • Setting up collection for:
      • Syslog
      • File Reader
      • Windows
      • ODBC
      • Check Point
      • VMware
      • SDEE
      • SNMP
      • NetFlow
    • Validating data capture
    • Setting up event source monitoring
    • Troubleshooting event source collection


  • Investigation Basics
    • Investigation module navigation options
    • Creating Queries
    • Navigating metadata
    • Investigation Events view
    • The Context Hub


  • Creating Compliance Reports
    • Reporting data sources
    • Reporting components
    • Role-Based Access Control
    • Creating Charts
    • Creating compliance reports
    • Deploying compliance reports from Live


  • Creating Alerts for Compliance
    • Creating alerts for notification
    • Creating ESA rules and alerts
    • Creating an Advanced ESA alert
    • Correlation Use Case Approach
    • ESA best practices and troubleshooting
    • Viewing alerts in Incident Management


  • Creating Log Parsers
    • The meta framework
    • Introduction to parsers
    • Creating a log parser using ESI
    • Deploy a log parser
    • Debugging log parsers
