Windows Collection in RSA NetWitness® Platform
NetWitness Platform provides several ways to collect logs from Microsoft Windows machines. Each method has advantages and disadvantages, as well as different methods of configuration.
Basically, NetWitness Platform provides the following ways to collect Windows logs:
- Windows Remote Management (WinRM): RSA provides a Powershell script, winrmconfig, that you can use to automate much of the configuration process.
- Intersect Alliance Snare Agent: a third-party software tool that can collect audit log data from Windows
- Adiscon EventReporter: third-party software that provides centralized monitoring and reporting for Windows event log records
- NetWitness Endpoint Agent for Windows: you can install Endpoint Agents on each of your Windows machines, which can monitor the behavior of all Windows endpoints in your network.
- Windows Legacy: the legacy collector is used to collect Windows logs from Windows Servers up to 2003.
The following table describes details for each option: use these details to help determine how you choose to collect Windows Logs in your environment.
| NWE Agent | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | Yes | Yes | No | Yes | Host Telemetry Data is also collected |
| WinRM | No | Yes | HTTP/HTTPS | Yes | No | No | Yes | |
| Snare | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | Yes | Yes | Snare was free for a long period. After they began to charge, NXLog stepped in and now integrates very similarly with NetWitness. |
| NXLog | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | No Cost for basic functionality | Yes |
| Event Reporter | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | Yes | Yes | |
| Legacy Collector | Not on Target Machines | Uses Encrypted Transport | WMI/SMB | Yes | No | No | Yes, Limited | |
For the details on how to configure and collect logs using each of these methods, please see the individual guide for that method:
