2020-07-18 03:07 AM
We have a number of endpoints that exist in DMZ environments that are serviced by a VLC for log collection from syslog devices.
The hosts in the DMZ can only talk to the VLC and cannot talk back to any other NetWitness component; the VLC exists in a security zone that does have communication back to the core NetWitness components.
Is there, or will there be, the capability to have Endpoint agents check in and send logs to VLCs? I know there is the Endpoint Relay Server, but my understanding is that only gives endpoint data; it doesn't do log shipping?
2020-07-20 07:15 AM
The Endpoint relay only does Endpoint data; however, in the agent policy you can define where the logs are sent. If you are using a connection-oriented protocol, you could configure failover as well. The environment I logged into to get this screenshot only has one collector, so I am unable to illustrate that as well.
2020-07-20 07:20 AM
Thanks for the reply Aaron,
So thinking about it, I could have a Relay server in the same location as the VLC that sits in the DMZ and configure the agents to forward the logs by policy to the VLC.
2020-07-20 07:51 AM
Correct.
2020-07-20 07:59 AM
Could the relay server be front-ended by a reverse proxy that the endpoints talk to? I'm thinking about the layers within my network and how to get things talking to one another.
2020-07-20 08:06 AM
I'm not 100% sure on this, but I believe you may have a problem with certificate verification as a result if the proxy is going to present a different certificate. You may notice your agents not reporting in because we don't trust it.
May want to open a support case to see if someone else knows.