Log Collection Basic Procedure for all Protocols

The basic procedure is the same for all of the supported Collection Protocols.

To configure collection for an event source:

  1. Set up your Event Source for collection. Each supported event source has a configuration document available in the RSA Supported Event Sources space on RSA Link.

    1. Navigate to the RSA Supported Event Sources space on RSA Link.
    2. Find the Instructions for your Event Source.

      The Overview page lists all of the currently supported Event Sources, as well as information about the collection method, device class, and supported versions.

    3. Download the configuration instructions for your event source, and follow them.
  2. Configure collection on RSA NetWitness Platform. The event source configuration guide contains these instructions. However, this guide also provides these instructions, based on the collection method used by your event source. See Collection Protocols for details.
  3. Start the Service for your Collection Method. Normally, you only need to do this for the first event source that uses this collection method. For example, the first time you configure an event source that uses File Collection, you may need to start the File Service in NetWitness Platform.
  4. Verify that Collection is working for your Event Source.

The remainder of this topic discusses steps 2, 3, and 4 in more detail.

Configure Collection in RSA NetWitness Platform

The process to configure event sources is dependent upon the collection method they use. Note, however, that they are very similar. The following procedure is generic: more details for individual collection methods are available in topics that cover the details for each specific collection method.

Basic procedure to configure an event source in RSA NetWitness Platform:

  1. Go to Admin > Services from the NetWitness Platform menu.
  2. Select a Log Collection service.
  3. Under Actions, open the actions menu and select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    The Event Sources tab is displayed.

  5. In the Log Collector Event Sources tab, select your collection method from the drop-down menu.
  6. In the Event Categories panel toolbar, click the Add icon.

    The Available Event Source Types dialog box is displayed.

  7. Select an event source type and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  8. Select the new type in the Event Categories panel and click the Add icon in the Sources toolbar.

    The Add Source dialog is displayed.

  9. Enter values for the available parameters.

    Refer to the Parameters section of the specific collection method that you are configuring.

  10. Click OK.

Start the Service for your Collection Method

To start the service for your collection method:

  1. Go to Admin > Services.
  2. Select a Log Collector, then open the actions menu and select View > System.
  3. Click Collection > protocol > Start,

    where protocol is the protocol that you wish to start, for example Netflow.

Verify that Collection is working for your Event Source

You can verify that a collection method is working from the Admin > Health & Wellness > Event Source Monitoring tab.

To verify that collection is working for an event source:

  1. Go to Admin > Health & Wellness.
  2. Click the Event Source Monitoring tab.
  3. In the grid, find the Log Decoder, Event Source, and Event Source Type.
  4. Look for activity in the Count column for an event source to verify that collection is accepting events.