RSA NetWitness Endpoint (11.4+): Custom Flat File Collection

Video created by Naushad Kasu (Employee) on Apr 22, 2020

In the following video we go through the steps to configure the RSA NetWitness Endpoint Agent (Insight mode) to collect a custom flat file from a Windows server. This allows us to replace the RSA SFTP Agent: instead of transferring the data to our SIEM over SFTP, we use the Insight Agent to process the flat file and send it to our SIEM over Syslog.

Notes from the video

Location of the filetypespec files on Node0: /var/netwitness/source-server/content/collection/file

Steps

1. Generate and install the 11.4 agent on a Windows machine
2. Create a custom typespec file from an existing one in /var/netwitness/source-server/content/collection/file
3. Set <defaults> (default log location and file extension; these can be edited later in the UI)
4. Run: systemctl restart rsa-nw-source-server
5. In the UI, create a "Flat File Logs" policy
6. Update Groups to add the "Flat File Logs" policy
7. Publish
8. Monitor/Validate
9. Set up sample logs for processing
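Steps 2 to 4 are the command-line part of the procedure, and a typespec that fails to parse is picked up by the source server for every file type, not just the new one. The helper below is an added example (not from the original post or from RSA NetWitness): it validates a typespec edited outside the live directory, installs it, and restarts rsa-nw-source-server only if the checks pass. The directory path is the one given in the post; the file names and the assumption that a typespec is an XML document containing one <defaults> block are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from RSA NetWitness itself.
# Flow: copy an existing typespec out of TYPESPEC_DIR (step 2), edit it and set
# <defaults> (step 3), then run this script on the edited copy to install it and
# restart the source server (step 4) only when the file passes basic checks.
# TYPESPEC_DIR is the path given in the post; it can be overridden for testing.
TYPESPEC_DIR="${TYPESPEC_DIR:-/var/netwitness/source-server/content/collection/file}"

# validate_typespec FILE
# Returns 0 when FILE is non-empty, parses as XML (when xmllint is installed) and
# contains exactly one <defaults>...</defaults> block; returns 1 otherwise.
validate_typespec() {
    file="$1"
    [ -s "$file" ] || { echo "typespec missing or empty: $file" >&2; return 1; }
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$file" 2>/dev/null \
            || { echo "typespec is not well-formed XML: $file" >&2; return 1; }
    fi
    # grep -c counts matching lines; '|| true' keeps a zero count from aborting under set -e
    opens=$(grep -c '<defaults>' "$file" || true)
    closes=$(grep -c '</defaults>' "$file" || true)
    if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
        echo "typespec must contain exactly one <defaults> block: $file" >&2
        return 1
    fi
    return 0
}

# install_typespec STAGED_FILE
# Validates the edited copy, installs it under its own name in TYPESPEC_DIR without
# overwriting an existing typespec, and restarts the source server on success.
install_typespec() {
    staged="$1"
    target="$TYPESPEC_DIR/$(basename "$staged")"
    validate_typespec "$staged" || return 1
    [ -e "$target" ] && { echo "refusing to overwrite existing typespec: $target" >&2; return 1; }
    cp "$staged" "$target" || return 1
    systemctl restart rsa-nw-source-server
}

# Usage (placeholder file name): sh install_typespec.sh /tmp/my-app-logs.xml
if [ $# -eq 1 ]; then
    install_typespec "$1"
fi
```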

Reference