Copy the NWLegacyWindowsCollector-version-number.exe to the Windows Server.
Right click on the NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.
The Welcome page of the installation wizard is displayed.
The License Agreement page is displayed.
Read the License agreement carefully, select the I accept the terms in the license agreement radio button, and click Next.
The Ready to Install the Program page is displayed.
The installation screens for the Legacy Windows Collector are displayed.
The Installation Completed page is displayed.
(Optional) If you want to review a log of the installation, select the Show the Windows Installer log checkbox.
Reboot the machine.
This completes the installation of the 11.x Legacy Windows Collector. Please refer to the Windows Legacy and NetApp Collection Configuration Guide on RSA Link for instructions on how to configure Legacy Windows collection in RSA NetWitness Platform.
Configure the Windows Server
For the NetWitness Platform to communicate with the Windows Server, you need to allow Remote Event Log Management on the Windows Server.
On the Windows Server, in Services, start the Remote Registry Service.
In Firewall, enable Remote Event Log Management for your network, as shown below.
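The two Windows Server changes above (Remote Registry service and the Remote Event Log Management firewall rule group) can be applied and verified from an elevated PowerShell prompt. This is an added example, not from the RSA documentation; the collector address in $CollectorIp is a constructed placeholder, and scoping the firewall rules to that single address is an assumption about your deployment.

```powershell
# Added example (not RSA's code): prepare a Windows Server for Legacy Windows collection.
# $CollectorIp is a constructed placeholder; replace it with your Windows Legacy Collector's address.
$CollectorIp = '192.0.2.10'

# 1. Remote Registry: start it now and make it start automatically so it survives the reboot.
Set-Service -Name 'RemoteRegistry' -StartupType Automatic
Start-Service -Name 'RemoteRegistry'

# 2. Firewall: enable the predefined "Remote Event Log Management" rule group
#    (the RPC, RPC-EPMAP and Named Pipes inbound rules the collector needs).
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

# 3. Least exposure: limit the inbound rules to the collector's address instead of
#    leaving them open to every host on the network profile (assumes one collector host).
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $CollectorIp

# 4. Verify the resulting state: service running and set to Automatic, rules enabled,
#    remote address filter showing only the collector.
Get-Service -Name 'RemoteRegistry' | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Select-Object DisplayName, Enabled, Profile, Direction
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

If the collector later changes IP address (see the WLC IP address procedure below), rerun step 3 with the new address or the server will stop accepting the collector's connections.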
Change the Windows Legacy Collector IP Address
Note: The procedures in this section apply to NetWitness Platform 11.5 and later only.
On occasion, you may need to change the IP address of your Windows Legacy Collector. You may also need to edit any Destination Groups that you have configured.
Change WLC IP Address
The following procedure describes how to change the IP address for your system.
Log onto the Windows Legacy Collector system and manually change the IP address on the system.
In the UI, confirm that the Log Collector service corresponding to the WLC system shows up in error (Red). It might take some time for it to reflect the changed status.
On the NetWitness Server, use the nw-manage utility to view the host information for the WLC using the following command:
Sample output from running the command is shown here:
You use the value of "id" from your output in the following step.
Use the nw-manage utility to change the IP address of the WLC. For the host-id argument, use the value for the "id" that you noted from step 3. For the ipv4 value, use the new IP Address to which you are changing.
After you see the message that the previous command ran successfully, go to the NetWitness Server UI and verify that the WLC service is running without any errors.
Edit Destination Groups For Log Collectors and VLCs
The Windows Legacy Collector is often configured with Destination Groups to forward events to Log Collectors or Virtual Log Collectors. If the IP address of any such destination LC or VLC changes, the Windows Legacy Collector can no longer forward events to it. To remediate this, edit the Destination Groups for the WLC and select the new LC or VLC IP address.
Troubleshoot a Fresh or Upgrade Install
Logs to Examine for Information
Refer to the following log files if you need to troubleshoot problems:
(Optional) Backup and Restore Legacy Windows Collector
This section tells you how to upgrade from 10.6.4 to NetWitness 11.x for the Legacy Windows Collector.
Note: You only need to do this if you are changing the Windows VM where you run the Windows Legacy Collector.
During upgrade to RSA NetWitness Platform 11.x, the backup script for the Windows Legacy Collector is invoked automatically, and creates the 10.6.4 configuration and run-time backups. After the 11.x installation is completed, run the Restore script to restore the configuration and run-time files for the updated Windows Legacy Collection.
Restore the Windows Legacy Collection Backup after Upgrade
To restore the Windows Legacy Collection setup on a newly upgraded RSA NetWitness Platform 11 system:
On the Windows Legacy Collector, open a command prompt window.
Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.
Run the following commands to restore a backup:
--host-display-name: the name for the host as it is displayed in the NetWitness Hosts page
--service-display-name: the name for the service as it is displayed in the NetWitness Services page
--host: the IP address for the Windows Legacy Collector
--port: the port NetWitness uses to communicate with the Windows Legacy Collector. The recommended value is 50101.
You will be prompted to supply the following information:
Windows Log Collector REST Username and Windows Log Collector REST Password: you must supply admin credentials for the Windows Legacy Collector.
Security Server Username and Security Server Password: you must supply admin credentials for RSA NetWitness Platform.
Note: If the Security Server Password contains any special character, you must use backslash (\) before the special character. For example, if the password is netwitness@123, enter the password as netwitness\@123.
After you complete this procedure, you should see the Windows Legacy Collector Host and Service as shown in the following screenshots.