Basic Implementation

This topic tells how to perform the initial setup of Local Collectors and Remote Collectors.


Verify that the Log Decoder is set up and:

  • is capturing data.
  • has the current content loaded.
  • is properly licensed.

Roles of Local and Remote Collectors

A Local Collector (LC) is a Log Collector service running on a Log Decoder host. In a local deployment scenario, the Log Collector service is deployed on a Log Decoder host, with the Log Decoder service. Log collection from various protocols like Windows, ODBC, and so on, is performed through the Log Collector service, and events are forwarded to the Log Decoder service. The Local Collector sends all collected event data to the Log Decoder service.

You must have at least one Local Collector to collect non-Syslog events.

A Remote Collector (RC), also referred to as a Virtual Log Collector (VLC), is a Log Collector service running on a stand-alone Virtual Machine. Remote Collectors are optional and they must send the events they collect to a Local Collector. Remote Collector deployment is ideal when you have to collect logs from remote locations. Remote Collectors compress and encrypt the logs before sending them to a Local Collector.

Deploying and Configuring Log Collection

The following diagram illustrates the basic tasks you must complete to deploy and configure Log Collection. To deploy Log Collection, you need to set up a Local Collector. You can also deploy one or more Remote Collectors. After you deploy Log Collection, you need to configure the events sources in NetWitness and on the events sources themselves. The following diagram shows the Local Collector with one Remote Collector that pushes events to the Local Collector.


netwitness_01number.png Set up Local and Remote Collectors.

The Local Collector is the Log Collector service running on the Log Decoder host.

A Remote Collector is the Log Collector service running on a virtual machine or Windows server in a remote location.


netwitness_02number.png Configure event sources:

  • Configure collection protocols
  • Configure each event source to communicate with the NetWitness Log Collector.

For details on these procedures, see Configure Collection Protocols and Event Sources.

Adding Local Collector and Remote Collector to NetWitness

To add a Local Collector and Remote Collector to NetWitness:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Click netwitness_add_icon.png and select Log Collector from the menu.

    The Add Service dialog box is displayed.

  3. Define the details of the Log Collection service.
  4. Select Test Connection to ensure that your Local or Remote Collector is added.

Configuring Log Collection

You choose the Log Collector—that is a Local Collector (LC) or Remote Collector (RC)—for which you want to define parameters in the Services view. The following figure shows how to navigate to the Services view, select a Log Collector service, and display the configuration parameter interface for that service.

To configure log collection:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Log Collection service.

  3. Click netwitness_ic-actns.png View > Config to display the Log Collection configuration parameter tabs.
  4. Define global Log Collection parameters in the General tab.
  5. The UI presents tabs, depending on whether the current service is Local or Remote.

    • For a Local Collector, NetWitness displays the Remote Collectors tab. Select the Remote Collectors from which the Local Collector pulls events in this tab.
    • For a Remote Collector, NetWitness displays the Local Collectors. Select the Local Collectors to which the Remote Collector pushes events in this tab.
  6. Edit configuration files as text files in the Files tab.
  7. Define collection protocol parameters in the Event Sources tab.
  8. Define the lockbox, encryption keys, and certificates in the Settings tab.
  9. Define Appliance Service parameters in the Appliance Service Configuration tab.

Data Flow Diagram

You use the log data collected by the Log Collector service to monitor the health of your enterprise and to conduct investigations. The following figure shows you how data flows through NetWitness Log Collection to Investigation.