NetWitness Community

huanzhou1 · ‎2017-04-26

Any support or planned support for NXLOG for windows collection? Lots of customer doesn't want to use Snare.

DavidWaugh1 · ‎2017-04-26

Is using winrm as a collection method an alternative?

I would have thought it was easier to set up as it can be controlled via domain policy and also scripted to be deployed in large environments.

EricPartington · ‎2017-04-26

Or what about the built in windows collection method (using WinRM) Windows Event Collection (WEC/WEF) which works as push or pull and then collect from one central windows server witn WinRM to RSA NW ?

https://community.rsa.com/community/products/netwitness/blog/2017/01/30/logs-collecting-windows-events-with-wec

JoeGumke · ‎2017-04-27

hey eric,

Have you found anything out about RSA leveraging reverse DNS lookups for WEF? If users leveraged a subscription server, how are the endpoints/relay identified?

EricPartington · ‎2017-04-27

event.computer contains the true client

device.ip contains the subscription server ip address

no word on the reverse lookups function

huanzhou1 · ‎2017-05-04

For winrm, how to failover to another VLC automatically? Customer wanted to use nxlog(same as snare) to send as syslog format, so can use load balancer to failover.

OmarGarciaGilio · ‎2018-02-08

For my experience, I prefer syslog to Winrm, u other send methods.

Well you can try whit this nxlog.conf

<Extension _syslog>
Module xm_syslog
</Extension>

<Input in>
Module im_msvistalog
</Input>

<Output out>
Module om_tcp
Host #IP_SIEM#
Port 514
Exec to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

Also update your win snare parse from Live.

Your language system on windows must be English (EEUU), not work for other language. If you know about win snare parser for spanish version please let me know.

NetWitness Community

NXLOG Windows Collection Support