AnsweredAssumed Answered

NetWitness Administration - Hosts and Events Summary

Question asked by Renato Goncalves on Jan 15, 2019

Im looking for a way to know it a log stopped coming to our decoder/collector from the collector thats in our client.


For example if we stopped receiving logs from Apache i need to the alerted right away and not we i go to the investigate tab ( sometimes a few days later ) and see that in the last day the logs stopped. 


I found the rule: 


NetWitness Administration - Hosts and Events Summary and made some changes:


select: device.type,, event.type, count(event.type), last(event.time)

where: device.type exists && event.type exists


but it gives me other data than the time the last log of that device has been received for example:


Event.Type: AV/AS UpdatesAudit Failure and Sucess, classic, system, alert.....


Thats there anyway i can make this rule to give me just the time of the last log received by our collector or concentrator?