2019-01-15 06:09 AM
I'm looking for a way to know if a log stopped coming to our decoder/collector from the collector that's in our client.
For example, if we stopped receiving logs from Apache I need to be alerted right away and not when I go to the investigate tab (sometimes a few days later) and see that in the last day the logs stopped.
I found the rule:
NetWitness Administration - Hosts and Events Summary and made some changes:
select: device.type, alias.host, event.type, count(event.type), last(event.time)
where: device.type exists && event.type exists
but it gives me other data than the time the last log of that device has been received, for example:
Event.Type: AV/AS Updates, Audit Failure and Success, classic, system, alert.....
Is there any way I can make this rule give me just the time of the last log received by our collector or concentrator?
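The logic the post is after, as an added illustration that is not NetWitness rule code and not from the poster: group received events by device.type and alias.host only (leaving event.type out of the grouping is what collapses each source to a single row), keep the latest event.time per group, and flag any source whose last event is older than a chosen silence threshold. The sample events, host names and device.type values below are constructed; the meta key names mirror the ones in the rule. A list of expected sources is included because a query over received events can never show a source that has sent nothing at all, which is exactly the outage case the question describes.

```python
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not real collector output): one record per log
# received, carrying the meta keys the rule selects.
SAMPLE_EVENTS = [
    {"device.type": "apache", "alias.host": "web01", "event.type": "access", "event.time": "2019-01-14 08:00:00"},
    {"device.type": "apache", "alias.host": "web01", "event.type": "error", "event.time": "2019-01-14 08:05:00"},
    {"device.type": "winevent_nic", "alias.host": "dc01", "event.type": "Audit Failure", "event.time": "2019-01-15 05:50:00"},
    {"device.type": "winevent_nic", "alias.host": "dc01", "event.type": "Audit Success", "event.time": "2019-01-15 06:02:00"},
    {"device.type": "cisco_asa", "alias.host": "fw01", "event.type": "system", "event.time": "2019-01-15 06:08:00"},
]


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT)


def last_seen(events):
    """One row per (device.type, alias.host) holding the latest event.time.

    event.type is deliberately not part of the key: including it is what
    produces a separate 'last' time for every event type of a device.
    """
    latest = {}
    for ev in events:
        key = (ev["device.type"], ev["alias.host"])
        if key not in latest or _parse(ev["event.time"]) > _parse(latest[key]):
            latest[key] = ev["event.time"]
    return latest


def silent_sources(events, now, max_silence_seconds, expected=()):
    """Return (device.type, alias.host, seconds_silent) for every source whose
    last event is older than max_silence_seconds at time `now`.

    Sources listed in `expected` that sent nothing at all are reported with
    seconds_silent = None, since they never appear in the event data.
    """
    latest = last_seen(events)
    now_dt = _parse(now)
    report = []
    for key in set(latest) | set(expected):
        if key in latest:
            silence = int((now_dt - _parse(latest[key])).total_seconds())
            if silence > max_silence_seconds:
                report.append((key[0], key[1], silence))
        else:
            report.append((key[0], key[1], None))
    return sorted(report, key=lambda r: (r[0], r[1]))


if __name__ == "__main__":
    # Hypothetical check run at the time of the post with a one-hour threshold;
    # web02 is an expected source that has sent nothing in the sample window.
    expected = [("apache", "web01"), ("apache", "web02")]
    for dev, host, silence in silent_sources(SAMPLE_EVENTS, "2019-01-15 06:09:00", 3600, expected):
        state = "never seen" if silence is None else f"silent for {silence // 60} min"
        print(f"ALERT {dev} {host}: {state}")
```

Run on a schedule, this is the shape of an alert that fires when a source goes quiet, rather than relying on noticing the gap in the investigate view days later; the threshold should be set per source, since a firewall logs far more often than a quiet web server.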