In the following video we go through the steps to configure the RSA NetWitness Endpoint Agent (Insight mode) to collect a custom flat file from a Windows server. This lets us replace the RSA SFTP Agent: instead of pushing the data over SFTP to our SIEM, we use the Insight Agent to process the flat file and forward it to our SIEM over Syslog.
Notes from the video
Location of filetypespec on Node0: /var/netwitness/source-server/content/collection/file
Steps
1. Generate and install the 11.4 agent on a Windows machine
2. Create a custom typespec file by copying an existing one from: /var/netwitness/source-server/content/collection/file
3. Set <defaults> (the default log location and file extension; these can be edited later in the UI)
4. Run: systemctl restart rsa-nw-source-server
5. In the UI, create a "Flat File Logs" policy
6. Update the Groups to add the "Flat File Logs" policy
7. Publish
8. Monitor and validate
9. Set up sample logs for processing
Reference