2017-01-03 01:33 PM
Has anyone had experience trying to centralize Windows collection prior to getting to NetWitness?
An example would be a very remote site where we don't want to open the firewall very wide, so we would like to send the events to a central system and then just open the firewalls to that one system for NetWitness to collect the logs from.
Not really sure how it would work but we are curious if anyone has tried this.
2017-01-03 02:38 PM
Hi
This is exactly a scenario that a remote / virtual log collector would be ideal for.
You would then just need to open the firewall ports to allow the remote logcollector to send its traffic to the local log collector. A few others are also needed for management.
Sent from my iPhone
2017-01-03 02:45 PM
I probably should have added more context. This is in an MSSP-type environment where we do not really want to have to manage their inventory with our devices. This is where allowing them to just send to this central collector and then using WinRM to pick it up from there would be helpful. We know we can use the VLC, but that would be the last option we want to extend, just due to the cumbersome nature of having 50+ VLCs and 50+ inventories to manage.
2017-01-03 03:58 PM
I set this up at my previous employer for PCI workstations. They had DHCP addresses, so there was no way we could collect directly; instead we pushed a GPO to force the workstations to forward their events to a centralized collector (Win2k12), then we collected from that single source into NetWitness.
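The source-initiated Windows Event Forwarding setup described in the post above, as an added example that is not part of the original thread or of any NetWitness documentation. It assumes a collector host named wec01.corp.example, a subscription named PCI-Workstations, and the three Security event IDs selected in the query; with this pattern the only firewall opening needed at the remote site is TCP 5985 from workstations to the collector.

```powershell
# Added example, not from the thread. Assumed names: collector 'wec01.corp.example',
# subscription 'PCI-Workstations', and the Security event IDs in the query below.
# --- On the collector (run elevated) ---
# 1. Enable the Windows Event Collector service and its WinRM listener (TCP 5985).
wecutil qc /q
winrm quickconfig -q

# 2. Define a source-initiated subscription: workstations push to the collector,
#    so no inbound access to each workstation is required.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">
  <SubscriptionId>PCI-Workstations</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward logon and process-creation events from PCI workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow Domain Computers (DC); narrow to a workstation group SID in production -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\pci-ws.xml" -Value $subscription -Encoding ASCII
wecutil cs "$env:TEMP\pci-ws.xml"
# 3. Later, check which sources have checked in and their last heartbeat.
wecutil gr PCI-Workstations

# --- On the workstations, via GPO (shown here as the equivalent registry value) ---
# Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > Configure target Subscription Manager.
$gpoValue = 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name '1' -Value $gpoValue -PropertyType String -Force | Out-Null
# Forwarding the Security log requires NETWORK SERVICE to be able to read it:
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
```

NetWitness then collects the ForwardedEvents log from the single collector over WinRM, which is the one host the firewall needs to expose.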