This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Online Documentation

Browse the official RSA NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Table of Contents

Product Resources

Windows Legacy Collection Configuration for NetWitness Platform 11.x

RSA NetWitness Platform Legacy Windows collection collects event data from multiple Windows Event Source domains.

It supports collection from:

  • Windows 2003 and earlier event sources
  • NetApp ONTAP host evt files

This document contains the following sections:

Setup Requirements

This section provides the RSA NetWitness Platform Legacy Windows Collector Setup requirements.

Caution: If you are installing or updating to version 11.x, in order to use the Security Analytics Legacy Windows Collector with NetWitness, you need to first install the following windows updates:

 

• KB2919355
• KB2919442
• KB2999226
• KB3173424

 

If these updates are not installed, you will get an error message, and the Legacy Windows Collector will not be installed.

To set up the RSA NetWitness Platform Legacy Windows Collector, you need:

  • Any of the following physical or virtual systems that can reach the Windows 2003 event source domains:

    • Windows 2008 R2 SP1 64-Bit Server,
    • Windows 2012 Server, or
    • Windows 2016 Server, or
    • Windows 2019 Server
  • A minimum of 20% free disk space.  For example, you need at least 20 GB of free space if your system drive is 100 GB in size.

IMPORTANT: Do not install the Legacy Windows Collector on a domain controller.

 

WLC_architecture_551x423.jpg

Update the RSA NetWitness Platform Legacy Windows Collector from 10.6.x to 11.x

This section tells you how to update the RSA NetWitness Platform 10.6.x Legacy Windows Collector to 11.

To update the RSA NetWitness Platform 10.6.x Legacy Windows Collector to 11 on a Windows 64-Bit server:

  1. Depending on your version of NetWitness Platform, navigate to one of the following URLs on RSA Link:

  2. Unzip the downloaded file.
  3. Log on to a Windows 2008, 201, 2016, or 2019 Server.
  4. Copy NWLegacyWindowsCollector-version-number.exe to the Windows Server.

  5. Right click on NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.

    The Preparing to Install…. page of update installation wizard is displayed.

    01_prepareInstall.JPG

    After the update installation program extracts RSA NetWitness Platform Legacy Windows Collector installation files, the Welcome page is displayed.

    02_welcome.JPG

  6. Click Next.

    The License Agreement page is displayed.

    03_license.JPG

  7. Read the License agreement carefully, select the I accept the terms in the license agreement radio button, and click Next.

    Before it starts the update, the wizard asks if you want to continue or cancel the installation of the update.

    04_upgradeTo11.JPG

  8. Click OK to continue installing the update.

  9. Click Install.

    The Installation screens for the Legacy Windows Collector page is displayed.

    05a_installing.JPG

    05b_installing.JPG

    After the update installation completes, the Next button becomes active.

  10. Click Next.

    The Installation Completed page is displayed.

    06_Finished.JPG

  1. (Optional) If you want to review a log of the update installation, select the Show the Windows Installer log checkbox.
  2. Click Finish.
  3. Reboot the machine.

This completes the update of the Legacy Windows Collector to RSA NetWitness Platform 11.x.

Fresh Install 11.x Legacy Windows Collector

This section describes how to install the 11.x Legacy Windows Collector on a Windows 2008, 2012, 2016, or 2019 64-Bit server

To install the RSA NetWitness Platform Legacy Windows Collector on a Windows 2008, 2012, 2016, or 2019 64-Bit server:

  1. Navigate to https://community.rsa.com/docs/DOC-101492 on RSA link. Click RSA NetWitness Logs & Packets 11.x - Legacy Windows Collector to download the ZIP archive.

  2. Unzip the downloaded file.
  3. Copy the NWLegacyWindowsCollector-version-number.exe to the Windows Server.

  4. Right click on the NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.

    The Welcome page of installation wizard is displayed.

    02_welcome.JPG

  5. Click Next.

    The License Agreement page is displayed.

    03_license.JPG

  6. Read the License agreement carefully, select the I accept the terms in the license agreement radio button, and click Next.

    The Ready to Install the Program page is displayed.

    01_prepareInstall.JPG

  7. Click Install.

    The Installation screens for the Legacy Windows Collector page are displayed.

    05a_installing.JPG

    05b_installing.JPG

    The Installation Completed page is displayed.

    06_Finished.JPG

  8. (Optional) If you want to review a log of the installation, select the Show the Windows Installer log checkbox.
  9. Click Finish.
  10. Reboot the machine.

This completes the installation of the 11.x Legacy Windows Collector. Please refer to the Windows Legacy and NetApp Collection Configuration Guide on RSA Link for instructions on how to configure Legacy Windows collection in RSA NetWitness Platform.

Configure the Windows Server

For the NetWitness Platform to communicate with the Windows Server, you need to allow Remote Event Log Management on the Windows Server.

  1. On the Windows Server, in Services, start the Remote Registry Service.

  2. In Firewall, enable Remote Event Log Management for your network, as shown below.

    wlc_registry.png

Change the Windows Legacy Collector IP Address

Note: The procedures in this section apply to NetWitness Platform 11.5 and later only.

On occasion, you may need to change the IP address of your Windows Legacy Collector. You may also need to edit any Destination Groups that you have configured.

Change WLC IP Address

The following procedure describes how to change the IP address for your system.

  1. Log onto the Windows Legacy Collector system and manually change the IP address on the system.
  2. In the UI, confirm that the Log Collector service corresponding to the WLC system shows up in error (Red). It might take some time for it to reflect the changed status.

  3. On the NetWitness Server, use the nw-manage utility to view the host information for the WLC using the following command:

    nw-manage --list-hosts

    Sample output from running the command is shown here:

    {
    "id" : "fdb8150c-e040-459e-8cc5-3c60ec2c65ae",
    "displayName" : "WLC-HOST-104",
    "hostname" : "10.101.216.102",
    "ipv4" : "10.101.216.102",
    "ipv4Public" : null
    } ]

    You use the value of "id" from your output in the following step.

  4. Use the nw-manage utility to change the IP address of the WLC. For the host-id argument, use the value for the "id" that you noted from step 3. For the ipv4 value, use the new IP Address to which you are changing.

    nw-manage --update-host --host-id "fdb8150c-e040-459e-8cc5-3c60ec2c65ae" --ipv4 10.101.216.105

  5. After you see the message that the previous command ran successfully, go to the NetWitness Server UI and verify that the WLC service is running without any errors.

Edit Destination Groups For Log Collectors and VLCs

The Windows Legacy Collector is often configured with Destination Groups to forward events to Log Collectors or Virtual Log Collectors. If the IP address of any such Destination LC or VLC is changed, the Windows Legacy Collector can no longer forward events. To remediate this, you must edit the Destination groups for the WLC, making sure to select the new LC or VLC IP Address.

Troubleshoot a Fresh or Upgrade Install

Logs to Examine for Information

Refer to the following log files if you need to troubleshoot problems:

  • %systemDrive%\Netwitness\ng\logcollector\MessageBroker.log
  • %systemDrive%\Program Files\NwLogCollector\installlog.txt

Run C:\Program Files\NwLogCollector\ziplogfiles.vbs to generate the hostname_WLCversion_timestamp.zip that contains all the log files and other information needed for troubleshooting.

Issues with the Lockbox

When you create a lockbox password on a new Windows Legacy Collector, you might see the following error:

failed to set secure storage password: failed to create lockbox: The Lockbox or cryptography library could not be found.

This can occur if you are running Windows Legacy Collector version 11.x.

If you encounter this issue, download and install both of the following redistributable packages:

(Optional) Backup and Restore Legacy Windows Collector

This section tells you how to upgrade from 10.6.4 to NetWitness 11.x for the Legacy Windows Collector.

Note: You only need to do this if you are changing the Windows VM where you run the Windows Legacy Collector.

During upgrade to RSA NetWitness Platform 11.x, the backup script for the Windows Legacy Collector is invoked automatically, and creates the 10.6.4 configuration and run-time backups. After the 11.x installation is completed, run the Restore script to restore the configuration and run-time files for the updated Windows Legacy Collection.

Restore the Windows Legacy Collection Backup after Upgrade

To restore the Windows Legacy Collection setup on a newly upgraded RSA NetWitness Platform 11 platform:

  1. On the Windows Legacy Collector, open a command prompt window.
  2. Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.

  3. Run the following commands for restoring a backup:

    • Backup configuration files: WLC-Restore.bat “Config-bkup_timestamp.zip”
    • Backup run-time files: WLC-Restore.bat “Runtime-bkup_timestamp.zip”

  4. Once the restore is completed, set the lockbox SSV to use the password that you created during 10.6.4 setup.

    1. In the Security Analytics menu, select Services, then select your Windows Legacy Collector and choose Explore.
    2. From the left navigation pane, expand logcollection > properties > crypto.
    3. Run the following command: op=setssv pw=password_for_10.6.x_lockbox, and hit Send.

Revert Windows Legacy Collection from 11.x Back to 10.6.4

To revert the Windows Legacy Collection setup from 11.x back to 10.6.4:

  1. Uninstall the 11.x Setup. Note the location of the backup folder created by the system during the uninstall procedure.
  2. Install the 10.6.4 version of the Windows Legacy Collector.
  3. Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.

  4. Run the Restore script from backup folder present in C:\Program Files\NwLogCollector to restore the configuration and run-time setup on the 10.6.4 Windows Legacy Collector.

    • Backup configuration files: WLC-Restore.bat “Config-bkup_timestamp.zip”
    • Backup run-time files: WLC-Restore.bat “Runtime-bkup_timestamp.zip”

  5. Once the restore is completed, set the lockbox SSV to use the password that you created during 10.6.4 setup.

    1. In the Security Analytics menu, select Services, then select your Windows Legacy Collector and choose Explore.
    2. From the left navigation pane, expand logcollection > properties > crypto.
    3. Run the following command: op=setssv pw=password_for_10.6.x_lockbox, and hit Send.

Add a Windows Legacy Collector Host and Service in RSA NetWitness Platform

For this version of the Windows Legacy Collector, RSA has provided a script that replaces the manual steps of adding a Windows Legacy Collector host and service in the NetWitness UI.

To create a Windows Legacy Collector Host and Service in NetWitness:

  1. SSH to your NetWitness server.

  2. Run the following command:

    wlc-cli-client --host-display-name hostDisplayName --service-display-name serviceDisplayName --host WLChostIPAddress --port 50101 --use-ssl false

    The parameters are explained below:

    • --host-display-name: the name for the host as it is displayed in the NetWitness Hosts page
    • --service-display-name: the name for the host as it is displayed in the NetWitness Services page
    • --host: the IP address for the Windows Legacy Collector
    • --port: the port NetWitness uses to communicate with the Windows Legacy Collector. The recommended value is 50101.

  3. You will be prompted to supply the following information:

    • Windows Log Collector REST Username and Windows Log Collector REST Password: you must supply admin credentials for the Windows Legacy Collector.
    • Security Server Username and Security Server Password: you must supply admin credentials for RSA NetWitness Platform.

Note: If the Security Server Password contains any special character, you must use backslash (\) before the special character. For example, if the password is netwitness@123, enter the password as netwitness\@123.

After you complete this procedure, you should see the Windows Legacy Collector Host and Service as shown in the following screenshots.

WLC_addedHost.png

WLC_addedService.png

docFeedback.png

You are here

Windows Legacy Collection

Labels (2)
0 Likes
Was this article helpful? Yes No
No ratings

On this page

© 2021 RSA Security LLC or its affiliates.
All rights reserved.