NetWitness Community

AdamRasnick1 · ‎2016-05-23

We are manually moving files into SA via a script, and basically need to confirm that we drop those files in the "work" directory thats created after creating the event source in SA....is that right?

LeeKirkpatrick · ‎2016-05-23

Hi Adam,

After you have created the event source in SA, you will need to place them in the "/var/netwitness/logcollector/upload/<eventsource>" directory. SA will then push these files into the 'work' directory as required.

I normally kick off a "tailf /var/log/messages | grep -i <eventsource> --color" command to see that the files are being processed.

Cheers,

Lee

View solution in original post

LeeKirkpatrick · ‎2016-05-23

Hi Adam,

After you have created the event source in SA, you will need to place them in the "/var/netwitness/logcollector/upload/<eventsource>" directory. SA will then push these files into the 'work' directory as required.

I normally kick off a "tailf /var/log/messages | grep -i <eventsource> --color" command to see that the files are being processed.

Cheers,

Lee

AdamRasnick1 · ‎2016-05-23

AH..ok, so we went ahead and placed the files in the 'work' directory and it seemed to work. I guess we just saved the appliance a step...as long as that doesnt hurt anything we can leave the script alone and let it place those files there without any issue. I just wanted to make sure that was being done right.

Thanks!

NetWitness Community

When manually moving Apache log files to SA from a jump box, what directory would the files need to be put in so that SA processes them?