Duplicate WinRM Report
I am attempting to create a report that will show any duplicated Windows WinRM collections that we have set up in our environment. I was hoping to just create a simple report that has any device = winevent_nic, and vlc > 2. However, I am unaware of any reporting syntax that is available to do such a thing. Please advise.
I've been asking around about your post. Got this as a response from one of our technical leads:
"would do something like
Where device.type= winevent_nic
Not exactly what he was trying, but this will give him all Windows machines and all collectors calling them. There should only be one collector, and it will be easy to see if 2 are collecting the same host."
Hopefully that is helpful.
What do you mean by 'forwarder.ip' in the lookup_and_add statement? Are you referring to the vlc == lc.cid? I attempted several variations of this in our instance, and nothing populated properly.