NetWitness Community

Anonymous · ‎2013-01-07

Hi,

Has anybody been able to build a custom parser for NW 4 Logs that supports Windows Eventing in either native or syslog format.

http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx

I have seen that support is available for a Snare Agent but this is not the most practical solution.

Thanks

Anonymous · ‎2013-01-07

Hi,

That should be included with the parsers that were ported over from enVision?

In class, we manually copied over the enVision content via an explorer view on the log decoder and rebooted. In a real world scenario, Live Manager should be used to extract and deploy the enVision content. Did you check there?

enVision certainly supported the windows eventing in either native or syslog format; so, I'm assuming that this should also be supported in the NextGen architecture.

Cheers,

JAG

Anonymous · ‎2013-01-08

Looking into this further it appears that the parser in on the NW4Logs appliance (winevent_nic) but is not listening on the required port for Windows Eventing.

APpears that the only Windows event logs that support via syslog are SNARE which will require an agent on the endpoints.

Im looking at creating a custom parser with the ESI tool and the document "The keys for loggers" but finding enough information on the errors being produced by the tool to be able to troubleshoot is becoming difficult. It appears that alot of the docuemntain availiable with the ESI tool does not refereence the varaiables and their values that are required to be used.

Anonymous · ‎2013-01-09

It should be a pull not a push like syslog.

In enVision, the windows service was use to pull log data from windows via a scheduled poll of the system.

AD credentials are stored and used to pull the log data at these regular polls.

I imagine that there would be a service running on NextGen to do this.

Cheers,

JAG

Anonymous · ‎2013-01-10

Update

Just racked/stacked the lab with 9.8.5 SA. I was hoping for the all-in-one 10.0 version of SA but that's not GA yet.

Concentrator

Decoder

Informer

Two DACS

Once the system is fully installed, I'll confirm how the windows service will be configured.

Definitely on my list of things to do. I'll let you know.

Regards,

John

Anonymous · ‎2013-01-10

Looks like it is not available in 9.XX.

Anonymous · ‎2013-01-14

I saw this in the administrator help manual. So, it looks like there is a requirement to install the NT Event Log Bridge. Not sure where this gets installed. In enVision this function was included in the base product.

"Install the NT Event Log Bridge

If you are deploying the LOGDECODER as part of your platform and intend to collect log

data originating on Windows devices, you need to install the NT EVENT LOG BRIDGE. A

user with Administrator rights must be logged in to complete this procedure."

As soon as I license the SA components, I'll test this out.

Regards,

John

Anonymous · ‎2013-01-21

Ok. I did some more research and found that release 9.X.X does not support Windows Eventing or any other pull method for log data.

Apparently, this is only supported in the 10.X version via the web front end gui hosted on the Broker appliance.

In addition, the 10.X version of Security Analytics does NOT support the agent-less method supported with Envision 4.X to collect Windows logs, instead only WinRM is supported using http/https.

NetWitness Community

NW4Logs Win Eventing