RSA NetWitness Logs & Packets log hybrid
Hi, I have a question regarding how the log hybrid collects logs. Is there some kind of agent on each server, and those agents send logs to the log hybrid? Or are all servers connected to an aggregation switch, which is connected to the log hybrid? Or maybe neither of these?
A Log Hybrid (physical or virtual) is a device that has the Log Decoder, Log Collector and Concentrator services running on a single host.
So log collection on a Log Hybrid is similar to the log collection that happens on a Log Decoder hosted on a separate device.
Hope it helps.
There are many ways to collect logs in NetWitness. We accept logs via syslog, ODBC, files, plugins, and many others. Some require agents to push to us, such as SFTPing files or our Endpoint Agent sending us Windows logs. Others we pull from the sources, such as WinRM and ODBC. Still others, such as syslog, are sent directly from a source to NetWitness.
You can see how to collect logs from our supported event source types in the guides on this page.
Thank you guys, that was helpful.
About the log collector, what does it do? If we have a decoder that ingests raw data and applies parsers, and a concentrator that indexes data, what is the purpose of the log collector? I don't see it mentioned in the RSA NetWitness documentation.
Another thing about the system: is SA a host by itself, or part of another host? What exactly does it do? Does it differ from ESA?
Thank you again. I'm new to all of this, so please excuse me.