Still got Windows Legacy Collectors kicking around collecting logs?
Moving gradually to fewer systems being collected from that service and over to WinRM and other Windows log collection methods?
How do you remove entries in bulk from the Windows Legacy Collector?
- Once you are logged into RSA NW, locate the Windows Legacy Collector > Config > Event Sources > <DomainToRemoveFrom>.
- Select the "all" checkbox to capture all hosts and click Export Source so you have a backup of the configuration before continuing.
- Determine the list of hosts to remove from the configuration on that WLC and that domain.
- There are a number of ways to perform bulk operations from the command line, but today let's use the curl method.
- The basic method of using curl (to test) is to modify the following line to suit your environment, which tests both the login method and port connectivity:
- curl -v -k -u <USERNAME>:<PASSWORD> "http://<WLCSERVERIP/WLCDOMAINNAME>:50101/logcollection/windowslegacy/eventsources/windows/<DOMAIN>?msg=ls&force-content-type=text/plain&expiry=600"
- This will print the hosts for the DOMAIN entry on that WLC, verifying that you have the right username/permissions and domain to perform the delete later on.
- If that tests out OK, you can create a shell script with one entry (one curl line) for each host you want to delete from the domain and WLC:
- curl -v -k -u <USERNAME>:<PASSWORD> "http://<WLCSERVERIP/WLCDOMAINNAME>:50101/logcollection/windowslegacy/eventsources/windows/<DOMAIN>?msg=delete&force-content-type=text/plain&expiry=600&name=<EVENTSOURCENAMETODELETE>"
- You can use Excel to create a template for the delete structure and concatenate columns together to create the output (one curl line per host).
- Save the output as a .sh (shell script).
- Move it to a Linux box / SA / NW appliance to run.
- Make it executable and run it.
- Output will be 200 OK for each successful deletion (< HTTP/1.1 200 OK).
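As an added example (not from the original post), here is a small POSIX shell script that performs the same bulk delete from a hosts file instead of a hand-built list of curl lines: each name is checked before it goes into the query string, the password is taken from the WLC_PASS variable or a prompt rather than the command line, and the HTTP status code is checked per host. The collector address, port, domain and user below are placeholders for your own values.

```shell
#!/bin/sh
# Bulk-delete Windows Legacy Collector event sources listed one per line in a
# hosts file. Collector address, port, domain and user below are placeholders.
WLC_SCHEME="${WLC_SCHEME:-http}"          # matches the curl line in the post
WLC_HOST="${WLC_HOST:-wlc.example.internal}"
WLC_PORT="${WLC_PORT:-50101}"
WLC_DOMAIN="${WLC_DOMAIN:-EXAMPLEDOMAIN}"
WLC_USER="${WLC_USER:-admin}"

# Print the delete URL for one event source name. Names are restricted to
# hostname characters so a stray '&' or '?' cannot alter the query string.
build_delete_url() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s://%s:%s/logcollection/windowslegacy/eventsources/windows/%s?msg=delete&force-content-type=text/plain&expiry=600&name=%s\n' \
    "$WLC_SCHEME" "$WLC_HOST" "$WLC_PORT" "$WLC_DOMAIN" "$1"
}

# Delete one event source; returns 0 only on HTTP 200. Credentials are handed
# to curl as a config block on stdin (-K -), so they never appear in `ps`.
delete_source() {
  url=$(build_delete_url "$1") || { echo "SKIP unsafe name: $1" >&2; return 2; }
  code=$(printf 'user = "%s:%s"\n' "$WLC_USER" "$WLC_PASS" |
    curl -s -k -K - -o /dev/null -w '%{http_code}' "$url")
  echo "$1 $code"
  [ "$code" = "200" ]
}

main() {
  if [ -z "${WLC_PASS:-}" ]; then
    printf 'Password for %s: ' "$WLC_USER" >&2
    stty -echo 2>/dev/null; read -r WLC_PASS; stty echo 2>/dev/null; echo >&2
  fi
  fail=0
  while IFS= read -r host || [ -n "$host" ]; do
    case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
    delete_source "$host" || fail=$((fail + 1))
  done < "$1"
  echo "done, failures: $fail" >&2
  [ "$fail" -eq 0 ]
}

# Usage: WLC_HOST=... WLC_DOMAIN=... ./wlc_bulk_delete.sh hosts.txt
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once against a single test host first, and compare the result with the `msg=ls` listing before letting it loop over the full file.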