In 11.1, Windows log collection can be performed with the RSA® NetWitness® Endpoint Insights Agent. When the agent is enabled for log collection, a log configuration file is included in the Agent Packager so that Windows logs are collected and forwarded in addition to the Endpoint data. The generated configuration file lists the channels from which logs are collected and the destination (Log Decoder or Remote Log Collector) to which the defined Windows events are forwarded. The generated Agent Packager can collect both Endpoint and Windows log data from hosts. The Endpoint Agent Packager is extracted locally on a Windows machine to create the agent installer file, which is then deployed to all endpoints in your network through a third-party software distribution tool.
There are three scenarios for Windows log collection:
- Generate Agent with Log Collection: If the Enable Windows Log Collection option is enabled and you click Generate Agent after filling in the details, the generated AgentPackager.zip contains the log collection file. For more information, see "Generating an Agent Packager with Windows Log Collection" in the Endpoint Insights Agent Installation Guide.
- Generate Agent File Only, Without Log Collection: If Enable Windows Log Collection is disabled and you click Generate Agent, only the zip file is created, without the log collection file. For more information, see "Generate an Endpoint Agent Packager" in the Endpoint Insights Agent Installation Guide.
- Generate Log Configuration Only: If you click Generate Log Configuration Only, only the log configuration file is created. Use it to update the log configuration file of an existing Endpoint agent deployment, or to add log collection to an Endpoint agent deployment that does not yet have it. For more information, see "Add or Update Windows Log Collection Configuration to an existing Endpoint Agent".
You can add a Windows Log Collection Configuration file to an Endpoint Agent and also modify an existing log collection configuration file. If the log collection configuration for endpoint agents needs to change, the agents do not need to be reinstalled: the log configuration file (nwelcfg file) can be generated from the Packager user interface and modified.
This workflow shows the procedure to add or update a Windows Log Collection Configuration file.
The following are examples of reasons that would require a change in the configuration:
- The destination to which the Windows logs are forwarded needs to change, for better load management on the destination side.
- The endpoint has been moved to a new group defined by a third-party endpoint management system, which requires a change in the destination or in the list of event IDs to be forwarded.
- The list of event IDs consumed on the destination side needs to change.
A new configuration file can be generated either by entering the new values in the Packager screen or by loading an existing configuration file.
To add or update a Windows log collection configuration file on an existing Endpoint Agent:
- In the Packager UI, perform one of the following:
  - To add a Windows Log Collection Configuration: fill in the required information described in "Generating an Agent Packager with Windows Log Collection" in the Endpoint Insights Agent Installation Guide.
  - To update a Windows Log Collection Configuration: click Load Existing Configuration and edit the intended fields described in "Generating an Agent Packager with Windows Log Collection" in the Endpoint Insights Agent Installation Guide.
- Click Generate Log Configuration Only to generate the nwelcfg file.
- Copy the downloaded nwelcfg file to the %ProgramData%\NWEAgent folder on each Endpoint Agent from which logs are to be forwarded. To deploy the configuration file to multiple agents, use your third-party software distribution tool.
The agent picks the log configuration file with the latest timestamp. If there is a time zone difference between the machine that generated the file and the agent host, make sure the copied file's timestamp is updated to the agent's local time after copying. To do this, run the following command on the agent from the %ProgramData%\NWEAgent folder that holds the nwelcfg file (it rewrites the file's modification time without changing its content):
copy /b <filename.nwelcfg> +,,
Verify Windows Log Collection
To verify that Windows log collection has been deployed successfully on an Endpoint Agent:
- Go to ADMIN > Health & Wellness > Event Source Monitoring.
- In the Time Frame field, select Last 5 minutes or Last 10 Minutes depending on when the Agents were installed.
- Click Apply.
- In the list displayed, the IP address of the Agent should appear in the Event Source column with an Event Source Type of windows. This confirms that the Agent was installed successfully.
To verify that a Windows log collection configuration has been updated successfully:
- Go to INVESTIGATE > Navigate. Wait 2-3 minutes for the Endpoint agent to pick up the configuration file.
- Select the Concentrator from Investigate.
- Change the timeline to last 5 minutes or as applicable.
- Click Load Values.
- Search for the message ID meta key.
- There should be an agenttest value. An increase in the number of these events signifies that the update was applied successfully.
If you want to enable the log forwarding feature and configure the Log Decoder on the Endpoint Hybrid as a destination in the Packager UI, you must add port 514 (TCP and UDP) to the iptables configuration on the Endpoint Hybrid.
To add the ports:
- For TCP, add port 514 to the existing list of ports in the nwlogdecoderPorts rule in the /etc/sysconfig/iptables file on the Endpoint Hybrid, so that the rule reads:
-A INPUT -p tcp -m tcp -m multiport --dports 514,6514,50002,50102,50202,56002,56202 -m comment --comment "nwlogdecoderPorts" -m conntrack --ctstate NEW -j ACCEPT
- For UDP, add the following rule to the /etc/sysconfig/iptables file on the Endpoint Hybrid:
-A INPUT -p udp -m udp -m multiport --dports 514 -m comment --comment "nwlogcollectorUdpPorts" -m conntrack --ctstate NEW -j ACCEPT
- Restart the iptables service for the new rules to take effect: service iptables restart
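Before restarting iptables it is worth confirming that the edited file actually opens port 514 for both protocols and that the multiport list is still well formed (a space after a comma, for instance, splits the list and iptables-restore rejects the file). The following Python script is an added example written for this page, not an RSA tool: it reads a rules file in the /etc/sysconfig/iptables format, reports whether an INPUT rule accepts NEW connections to the port for TCP and for UDP, and raises on a malformed port list. The embedded rules are a constructed sample that mirrors the two rules above; the function names are the example's own.

```python
import shlex
import sys

# Constructed sample of the relevant lines of /etc/sysconfig/iptables on an Endpoint
# Hybrid after the edits described above (example data, not taken from a real host).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 514,6514,50002,50102,50202,56002,56202 -m comment --comment "nwlogdecoderPorts" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp -m multiport --dports 514 -m comment --comment "nwlogcollectorUdpPorts" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Single-port and multiport destination-port options accepted by iptables.
PORT_OPTS = {"--dports", "--destination-ports", "--dport", "--destination-port"}


def _covers(entry, port):
    """True if a port-list entry ('514' or a range such as '500:600') covers `port`."""
    if ":" in entry:
        lo, hi = entry.split(":", 1)
        return int(lo) <= port <= int(hi)
    return int(entry) == port


def parse_input_rules(config_text):
    """Yield (proto, port_entries, accepts_new) for every '-A INPUT' rule.

    Raises ValueError on a port list iptables-restore would reject, e.g. '514, 6514',
    which the shell-style tokenizer splits into '514,' and '6514' as separate words.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("-A INPUT"):
            continue
        tokens = shlex.split(line)  # also strips the quotes around the --comment value
        proto, entries, target, states = None, [], None, []
        for tok, val in zip(tokens, tokens[1:]):  # scan option/value pairs
            if tok in ("-p", "--protocol"):
                proto = val
            elif tok in PORT_OPTS:
                entries.extend(val.split(","))
            elif tok == "--ctstate":
                states = val.split(",")
            elif tok == "-j":
                target = val
        if any(e == "" or not e.replace(":", "").isdigit() for e in entries):
            raise ValueError(f"malformed port list in rule: {line}")
        yield proto, entries, target == "ACCEPT" and "NEW" in states


def syslog_ports_open(config_text, port=514):
    """{'tcp': bool, 'udp': bool}: does an INPUT rule accept NEW connections to `port`?"""
    status = {"tcp": False, "udp": False}
    for proto, entries, accepts_new in parse_input_rules(config_text):
        if proto in status and accepts_new and any(_covers(e, port) for e in entries):
            status[proto] = True
    return status


def missing_syslog_rules(config_text, port=514):
    """Protocols still lacking an accept rule for `port`; empty when the file is ready."""
    status = syslog_ports_open(config_text, port)
    return [proto for proto in ("tcp", "udp") if not status[proto]]


if __name__ == "__main__":
    # Usage: python check_iptables.py /etc/sysconfig/iptables (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPTABLES
    missing = missing_syslog_rules(text)
    print("ready" if not missing else "missing rules for: " + ", ".join(missing))
```

The check deliberately requires --ctstate NEW and -j ACCEPT on the same rule, since a rule that lists the port but drops or rejects it would otherwise pass a plain grep for "514". The real acceptance test remains the service restart, but a failed restart on a hybrid host leaves the firewall in whatever state the error left it, so a file-level check first is cheap insurance.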