About Log Collection

This guide describes the high-level steps and subtasks for setting up and configuring log collection for your event sources. It covers:

  • What Log Collection does and how it works at a high level, with high-level deployment diagrams.

  • How to start collecting events.
  • Where to find instructions for setting up more complex deployments.
  • How to start any collection protocol.
  • Which tools to use to troubleshoot Log Collection issues, together with global troubleshooting instructions.
  • How to fine-tune and customize Log Collection in your environment.
  • How to configure individual collection protocols. Instructions are in the individual Log Collection sections.


    [Figure: workflow depicting the basic tasks needed to start collecting events through Log Collectors.]

High-Level Procedures

At a high level, these are the procedures you must follow for log collection:

  1. Add local and remote collectors to RSA NetWitness Platform.

    Set up a Log Collector locally on a Log Decoder (that is, a Local Collector). You can also set up Log Collectors in as many remote locations (that is, Remote Collectors) as your enterprise needs. For details, see Basic Implementation.

  2. Download the latest content from RSA Live. You must perform this task periodically, as the content provided on RSA Live is updated regularly.

    Log Collection content is marked as one of the following resource types:

    • RSA Log Collector - content enabling the collection of event source types.
    • RSA Log Device - the latest supported event source parsers.

    You can also subscribe to content on Live. For details, see the Live Services Management Guide.

  3. Configure Settings: set up the Lockbox and Certificates.

    For details, see Set Up a Lockbox and Configure Certificates.

  4. Configure Event Sources.

    You configure all the event sources on your network to send their log information to RSA NetWitness Platform. Whenever you add new event sources, you need to perform this procedure as well. All event source configuration guides are found in the RSA Supported Event Sources space in RSA Link.

  5. Start and stop services for configured protocols. Occasionally you need to stop and restart a collection service, for example after adding new event sources to RSA NetWitness Platform.
  6. Verify that Log Collection is working.

    Whenever you set up a new event source or add a new collection protocol, you should verify that the correct logs are being sent to RSA NetWitness Platform.
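The following is an added example, not code from RSA or the NetWitness documentation, of the end-to-end check that steps 4 and 6 describe: emit a test event from an event source that carries a unique marker, then confirm that exactly that event arrives and parses correctly. It assumes the event source forwards logs as RFC 5424 syslog over UDP (the page does not name a protocol, so this is an assumption) and that `COLLECTOR_HOST` / `COLLECTOR_PORT` point at the Log Collector; here a local UDP listener stands in for the collector so the script runs offline. The marker makes the test event unambiguous when you search for it on the collector side.

```python
"""Added example, not RSA's code: send a uniquely marked RFC 5424 syslog test
event to a collector and verify that the event arrives intact.

Assumptions (not from the original page):
  - the event source sends syslog over UDP;
  - COLLECTOR_HOST / COLLECTOR_PORT identify the Log Collector; the local
    listener in run_offline_check() stands in for it so this runs offline.
"""
import re
import socket
import uuid
from datetime import datetime, timezone

COLLECTOR_HOST = "127.0.0.1"  # assumption: replace with the Log Collector address
COLLECTOR_PORT = 514          # assumption: standard syslog port on the collector

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def build_test_event(hostname="eventsource01", app="lc-check", marker=None):
    """Return (payload, marker) for one test event.

    PRI 134 = facility local0 (16) * 8 + severity informational (6).
    The marker is a random hex string so the event can be located on the
    collector without ambiguity.
    """
    marker = marker or uuid.uuid4().hex
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    payload = f"<134>1 {ts} {hostname} {app} - LCTEST - log collection test {marker}"
    return payload, marker


def send_test_event(host=COLLECTOR_HOST, port=COLLECTOR_PORT, **kwargs):
    """Send one test event over UDP and return its marker for later lookup."""
    payload, marker = build_test_event(**kwargs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload.encode("utf-8"), (host, port))
    return marker


def parse_event(raw):
    """Parse a received syslog line into its header fields.

    Returns a dict with facility/severity split out of PRI, or None when the
    line does not follow the RFC 5424 header (a sign the source is sending
    a format the collector's parser will not recognise).
    """
    m = RFC5424.match(raw)
    if not m:
        return None
    event = m.groupdict()
    event["facility"], event["severity"] = divmod(int(event["pri"]), 8)
    return event


def run_offline_check(timeout=2.0):
    """Stand-in for the collector: bind a local UDP listener, send a marked
    event to it, and return the parsed event only if the marker matches.
    Returns None on timeout or on a missing/mismatched marker."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))        # ephemeral port avoids clashes
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    try:
        marker = send_test_event("127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        listener.close()
    event = parse_event(data.decode("utf-8", errors="replace"))
    if event is None or marker not in event["msg"]:
        return None  # wrong or mangled event: do not trust this collection path
    return event


if __name__ == "__main__":
    result = run_offline_check()
    print("OK" if result else "FAILED", result)
```

Against a real deployment, call `send_test_event()` with the collector's address from the event source host, then search for the returned marker in the collector's output; an event that never appears, or appears with `parse_event()` returning None, points at a network, certificate, or parser problem to chase down before trusting the source.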