Endpoint: Server Configuration

Document created by RSA Information Design and Development on Mar 19, 2018Last modified by RSA Information Design and Development on Dec 12, 2018
Version 6Show Document
  • View in full screen mode

This topic provides the high-level tasks required to configure the Endpoint Server service.

Worklfow describing the Endpoint Hybrid and Endpoing Log Hybrid configuration process

Install the Endpoint Hybrid or Endpoint Log HybridSee Physical Host Installation Guide and Virtual Host Setup Guide.
Configure Metadata Forwarding for the NetWitness Endpoint 11.1 Agents

Similar to Logs and Packets, you can view Endpoint metadata in the Navigate and Event Analysis view. You can also generate reports and alerts for the Endpoint data. By default, the Endpoint Meta option is disabled. The agent must be installed with the Endpoint Meta option enabled to forward metadata.

Install Agents on Hosts

The Endpoint agent installer is generated using the Packager tab under ADMIN > Services > Config > Endpoint Server from the NetWitness Platform user interface. The Packager is a zip file that contains executables and configuration files for generating agent installer for Linux, Mac, and Windows operating systems. You can install only one version of the agent on a host. If you have a previous version of an agent installed (for example, 4.4), uninstall this agent to install the 11.1 agent.

After the agent is installed, it appears on the Investigate > Hosts view. By default, the Endpoint data is posted for the first time. To collect subsequent Endpoint data, you have to either schedule a scan or perform ad hoc scan. It retrieves data, such as drivers, processes, DLLs, files (executables), services, autoruns, security information, system configurations, and scripts found on the host.

If the agent is configured for Log collection, it collects logs from Windows hosts, and forwards them to a Log Decoder or Remote Log Collector. For more information on Endpoint agent installation, see Endpoint Insights Agent Installation Guide.

Investigate Endpoint data

You can investigate the Endpoint data in the Investigate > Hosts and Investigate > Files views. For more information, see NetWitness Investigate User Guide.

Configure Scan Schedule

Schedule a scan either to run daily or weekly.

Configure Data Retention Policy

Define data retention policies to optimally store and manage the Endpoint data based on the age of the Endpoint data or the storage size.

By default, 30 days of agent data is retained.

Manage Inactive Agents

By default, agents (including all the collected Endpoint data) that have not communicated with the Endpoint Server for 90 days will be automatically deleted.

You are here
Table of Contents > Endpoint Server Configuration