Log Collection Basic Procedure for all Protocols

The basic procedure is the same for all of the supported Collection Protocols.

To configure collection for an event source:

  1. Set up your Event Source for collection. Each supported event source has a configuration document available in the NetWitness Supported Event Sources space on NetWitness Link

    1. Navigate to the NetWitness Supported Event Sources space on NetWitness Link.
    2. Find the Instructions for your Event Source.

      The Overview page lists all of the currently supported Event Sources, as well as information about the collection method, device class, and supported versions.

    3. Download the configuration instructions for your event source, and follow them.
  2. Configure collection onNetWitness. The event source configuration guide contains these instructions. However, this guide also provides these instructions, based on the collection method used by your event source. See Collection Protocols for details.
  3. Start the Service for your Collection Method. Normally, you only need to do this for the first event source that uses this collection method. For example, the first time you configure an event source that uses File Collection, you may need to start the File Service in NetWitness.
  4. Verify that Collection is working for your Event Source.

The remainder of this topic discusses steps 2, 3, and 4 in more detail.

Configure Collection in NetWitness

The process to configure event sources is dependent upon the collection method they use. Note, however, that they are very similar. The following procedure is generic: more details for individual collection methods are available in topics that cover the details for each specific collection method.

Basic procedure to configure an event source in NetWitness:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services from the NetWitness menu.
  2. Select a Log Collection service.
  3. Under Actions, select netwitness_ic-actns.png > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    netwitness_12.1_choosecollectionmethod_1122.png

  1. In the Log Collector Event Sources tab, select your collection method from the drop-down menu.
  2. In the Event Categories panel toolbar, click netwitness_add.png.

    The Available Event Source Types dialog box is displayed.

  3. Select an event source type and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  4. Select the new type in the Event Categories panel and click netwitness_add.png in the Sources toolbar.

    The Add Source dialog is displayed.

  5. Enter values for the available parameters.

    Refer to the Parameters section of the specific collection method that you are configuring.

  6. Click OK.

Start the Service for your Collection Method

To start the service for your collection method:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Log Collector and select netwitness_ic-actns.png > View > System.
  3. Click Collection > protocol > Start

    where protocol is the protocol that you wish to start, for example Netflow.

Verify that Collection is working for your Event Source

You can verify that a collection method is working from the netwitness_adminicon_25x22.png (Admin) > Health & Wellness > Event Source Monitoring tab.

To verify that collection is working for an event source:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Health & Wellness
  2. Click the Event Source Monitoring tab.
  3. In the grid, find the Log Decoder, Event Source, and Event Source Type.
  4. Look for activity in the Count column for an event source to verify that collection is accepting events.