Configure Event Source Monitoring

Note: For NetWitness 11.4.1, this view has been deprecated. To manage Event Sources, use the netwitness_adminicon_25x22.png (Admin) > Event Sources view. For details, see "About Event Source Management" in theNetWitness Event Source Management Guide.

To monitor event sources, you must configure the event sources so that they generate and send out notifications when required. For the related reference topic, see Health and Wellness Settings View - Event Sources.

To configure and enable event monitoring in NetWitness:

  1. Go to ADMIN > Health & Wellness.

  2. Select Settings > Event Source.

    The Event Source tab is displayed.

    netwitness_11.0esm_monitoring_settings_plain.png

  3. Under Event Source Monitoring, click netwitness_add_icon.png.
    The Add/Edit Source Monitor dialog is displayed.
  4. Define the Source Type, Source Host, and Time Threshold for the source of the event source that you want to monitor to detect when NetWitness stops receiving logs from it. If you do not specify a Time Threshold, NetWitness monitors the event source until you set a threshold.

Note: For Source Type and Source Host, you must specify the values that you configured for the event source in the Event Sources tab of the ADMIN > Services > Log Collector service > View > Config view. You add or modify the event sources that you want to monitor. The two parameters that identify an event source are Source Type and Source Host. You can use globbing (pattern matching and wildcard characters) to specify the Source Type and Source Host of event sources

netwitness_add-edit_source_monitor_dialog.png

  1. Click OK.

    The event source is displayed in the panel.

  2. Configure the method of notification by doing one of the following in the Settings tab:

    • Select Configure email or distribution list.

      The Email configuration panel is displayed so that you can specify to whom the notifications are sent.
      netwitness_sys-email-config.png

    • Select Configure Syslog and SNMP Trap servers.

      The Legacy Notifications panel is displayed so that you can configure the Syslog and SNMP Traps to which the notifications are sent.
      netwitness_legacy-notif.png

  1. Click Apply.

    NetWitness begins sending notifications when it stops receiving events from this event source after the time threshold has elapsed.

​​For details on parameters in the Event Source Monitoring settings view, see Event Source Monitoring View.

Decommission Event Source Monitoring

If a Log Collector service (Local Collector or Remote Collector) for which you set up Event Source monitoring becomes inoperable, NetWitness continues to notify that you it is not receiving events from it until you decommission the Collector.

Caution: If you configured a failover Local Collector for a Remote Collector and the Local Collector fails over to a standby Log Decoder, you must decommission the Local Collector to stop the notifications.

To decommission event source monitoring for an event source:

  1. Go to ADMIN> Health & Wellness.
  2. Select Settings > Event Source.
    The Event Source tab is displayed.
  3. Under Decommission, click netwitness_add_icon.png.
    The Decommission dialog displays.
  4. Define the Source Type and the Source Host for the source for which you want to decommission event monitoring notifications.

netwitness_11.0_decommission_dialog.png