
NetWitness Administration - Hosts and Events Summary

Question asked by Renato Goncalves on Jan 15, 2019

I'm looking for a way to know if a log stopped coming to our decoder/collector from the collector that's in our client.

For example, if we stopped receiving logs from Apache I need to be alerted right away, and not when I go to the Investigate tab (sometimes a few days later) and see that the logs stopped in the last day.

 

I found the rule NetWitness Administration - Hosts and Events Summary and made some changes:

 

select: device.type, alias.host, event.type, count(event.type), last(event.time)

where: device.type exists && event.type exists

 

but it gives me other data than the time the last log of that device has been received, for example:

Event.Type: AV/AS Updates, Audit Failure and Success, classic, system, alert.....

Is there any way I can make this rule give me just the time of the last log received by our collector or concentrator?
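The "alert me right away" part of the question, as an added example that is not part of the original post and not NetWitness code: a Python check over rows shaped like the rule's output once event.type is dropped from the select, so that there is one row per (device.type, alias.host) with last(event.time). The rows, hostnames, thresholds and timestamp format are constructed; how the rows are exported from the reporting engine is assumed, not shown.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows, shaped like the rule output after removing event.type
# from the select/where (one row per log source). Hostnames and times are made up.
SAMPLE_ROWS = [
    {"device.type": "apache", "alias.host": "web01.example.test", "last(event.time)": "2019-01-15 08:55:00"},
    {"device.type": "apache", "alias.host": "web02.example.test", "last(event.time)": "2019-01-13 22:10:00"},
    {"device.type": "winevent_nic", "alias.host": "dc01.example.test", "last(event.time)": "2019-01-15 09:01:30"},
    {"device.type": "cisco_asa", "alias.host": "fw01.example.test", "last(event.time)": "2019-01-15 02:00:00"},
]

# Assumed per-device.type silence budgets: chatty sources get a short budget,
# everything else falls back to the default.
THRESHOLDS = {"apache": timedelta(hours=1)}
DEFAULT_MAX_SILENCE = timedelta(hours=6)

# Fixed "now" so the sample is reproducible; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2019, 1, 15, 9, 5, tzinfo=timezone.utc)


def parse_event_time(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' format used in the sample rows (assumed UTC)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_silent_sources(rows, now, thresholds=THRESHOLDS, default=DEFAULT_MAX_SILENCE):
    """Return (device.type, alias.host, silence) for every source whose last event is
    older than its budget, longest silence first."""
    silent = []
    for row in rows:
        dev_type = row["device.type"]
        silence = now - parse_event_time(row["last(event.time)"])
        if silence > thresholds.get(dev_type, default):
            silent.append((dev_type, row["alias.host"], silence))
    return sorted(silent, key=lambda s: s[2], reverse=True)


def main():
    for dev_type, host, silence in find_silent_sources(SAMPLE_ROWS, SAMPLE_NOW):
        print(f"ALERT: no {dev_type} logs from {host} for {silence}")


if __name__ == "__main__":
    main()
```

Run on a schedule against a fresh export of the rule, the check fires for a source as soon as it exceeds its budget instead of waiting for someone to notice the gap in Investigate.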
