Log Collection Basic Procedure for all ProtocolsLog Collection Basic Procedure for all Protocols
The basic procedure is the same for all of the supported Collection Protocols.
To configure collection for an event source:
Set up your Event Source for collection. Each supported event source has a configuration document available in the NetWitness Supported Event Sources space on NetWitness Link
- Navigate to the NetWitness Supported Event Sources space on NetWitness Link.
Find the Instructions for your Event Source.
The Overview page lists all of the currently supported Event Sources, as well as information about the collection method, device class, and supported versions.
- Download the configuration instructions for your event source, and follow them.
- Configure collection onNetWitness. The event source configuration guide contains these instructions. However, this guide also provides these instructions, based on the collection method used by your event source. See Collection Protocols for details.
- Start the Service for your Collection Method. Normally, you only need to do this for the first event source that uses this collection method. For example, the first time you configure an event source that uses File Collection, you may need to start the File Service in NetWitness.
- Verify that Collection is working for your Event Source.
The remainder of this topic discusses steps 2, 3, and 4 in more detail.
Configure Collection in NetWitnessConfigure Collection in NetWitness
The process to configure event sources is dependent upon the collection method they use. Note, however, that they are very similar. The following procedure is generic: more details for individual collection methods are available in topics that cover the details for each specific collection method.
Basic procedure to configure an event source in NetWitness:
- Go to (Admin) > Services from the NetWitness menu.
- Select a Log Collection service.
- Under Actions, select > View > Config to display the Log Collection configuration parameter tabs.
Click the Event Sources tab.
- In the Log Collector Event Sources tab, select your collection method from the drop-down menu.
In the Event Categories panel toolbar, click .
The Available Event Source Types dialog box is displayed.
Select an event source type and click OK.
The newly added event source type is displayed in the Event Categories panel.
Select the new type in the Event Categories panel and click in the Sources toolbar.
The Add Source dialog is displayed.
Enter values for the available parameters.
Refer to the Parameters section of the specific collection method that you are configuring.
- Click OK.
Start the Service for your Collection MethodStart the Service for your Collection Method
To start the service for your collection method:
- Go to (Admin) > Services.
- Select a Log Collector and select > View > System.
Click Collection > protocol > Start
where protocol is the protocol that you wish to start, for example Netflow.
Verify that Collection is working for your Event SourceVerify that Collection is working for your Event Source
You can verify that a collection method is working from the (Admin) > Health & Wellness > Event Source Monitoring tab.
To verify that collection is working for an event source:
- Go to (Admin) > Health & Wellness
- Click the Event Source Monitoring tab.
- In the grid, find the Log Decoder, Event Source, and Event Source Type.
- Look for activity in the Count column for an event source to verify that collection is accepting events.