Configure Windows Event Sources in NetWitness

This topic tells you how to configure the Windows collection protocol.

In NetWitness, you need to configure the Kerberos Realm, and then add the Windows Event Source type.

To configure the Kerberos Realm for Windows collection:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, select the actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.


  5. Select Windows/Kerberos Realm from the drop-down menu.
  6. In the Kerberos Realm Configuration panel toolbar, click the Add icon to add a new realm.

    The Add Kerberos Domain dialog is displayed.

  7. Fill in the parameters, using the guidelines below.

    Parameter Details

    Kerberos Realm Name

    Enter the realm name, in all caps. For example, DSNETWORKING.COM. Note that the Mappings parameter is automatically filled with variations on the realm name.

    KDC Host Name

    Enter the host name of the Domain Controller that acts as the KDC. Do not use a fully qualified name here: just the host name for the DC.

    Note: Make sure that the Log Collector is configured as a DNS client of the corporate DNS server. Otherwise, the Log Collector cannot resolve the KDC host name and will not find the Kerberos Realm.

    Admin Server

    (Optional) The name of the Kerberos Administration Server in FQDN format.

    Mappings

    This parameter is automatically filled after you enter the realm name.

  8. Click Save to add the Kerberos domain.

To add a Windows Event Source:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, select the actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. In the Log Collector Event Sources tab, select Windows/Config from the drop-down menu.

    The Event Categories panel displays the Windows event sources that are configured, if any.

Next, continue from the current screen to add a Windows Event Category and type.

To configure the Windows Event Type:

  1. Select Windows/Config from the drop-down menu.

  2. In the Event Categories panel toolbar, click the Add icon to add a source.

    The Add Source dialog is displayed.

  3. Fill in the parameters, using the guidelines below.

    Parameter Details

    Alias

    The Windows domain, referred to as the Alias, is the configuration parameter that the Log Collector uses to group event sources. These groups (for example, domain2, domain3, and domain4) categorize the event sources you have configured.

    Authorization Method

    The authentication method. Valid values are:

    • Basic (default)

    • Negotiate - Negotiates authentication between Kerberos and NTLM (Microsoft Windows NT LAN Manager). For security reasons, NetWitness uses only Kerberos with this method and does not fall back to NTLM. Select this method.

    Channel

    For most event sources that use Windows collection, you want to collect from the Security, System, and Application channels.

    This is a comma-separated list of channels from which NetWitness collects events. The default value for this parameter is:

    System, Application, Security

    You can append a parenthesized list of event IDs to a channel name to include only those IDs, or to exclude them. For an exclude filter, put a ^ between the channel name and the opening parenthesis. Separate event IDs inside the parentheses with a |.

    For example, Application^(211|300), System(1010|1012) excludes the 211 and 300 Application events and includes the 1010 and 1012 System events.

    A channel is a named stream of events that transports them from an event publisher to an event log file. There are many predefined Windows channels. The following are examples of some of these channels:

    • System ‐ applications that run under system service accounts (installed system services), drivers, or a component or application that has events that relate to the health of the system.

    • Application ‐ all user‐level applications. This channel is unsecured and it is open to any application. If an application has extensive information, you should define an application‐specific channel for it.

    • Security ‐ the Windows Audit Log (event log) used exclusively for the Windows Local Security Authority.
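To make the Channel filter syntax concrete, here is an added example (not NetWitness code) that parses a Channel value into per-channel include/exclude filters and decides which (channel, event ID) pairs would be collected. The grammar follows the description above; matching channel names case-insensitively is an assumption, and the sample events are constructed, not real log data.

```python
import re
from dataclasses import dataclass

# One entry in the comma-separated list: "Name", "Name(id|id)" or "Name^(id|id)".
# The '^' goes between the channel name and the opening parenthesis (exclude form).
_ENTRY = re.compile(r"^([^\s(^,]+)(\^)?(?:\(([^()]*)\))?$")


@dataclass(frozen=True)
class ChannelFilter:
    channel: str
    include: frozenset = frozenset()   # empty means "all event IDs"
    exclude: frozenset = frozenset()

    def accepts(self, event_id: int) -> bool:
        if event_id in self.exclude:
            return False
        return not self.include or event_id in self.include


def _parse_ids(text: str) -> frozenset:
    """Parse '211|300' into a set of ints; reject empty or non-numeric entries."""
    ids = [s.strip() for s in text.split("|")]
    if not ids or any(not s.isdigit() for s in ids):
        raise ValueError(f"event ID list must be digits separated by '|': ({text})")
    return frozenset(int(s) for s in ids)


def parse_channel_spec(spec: str) -> dict:
    """Turn a Channel value into {lowercased channel name: ChannelFilter}."""
    filters = {}
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty channel entry (stray comma?)")
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"cannot parse channel entry: {entry!r}")
        name, caret, id_text = m.groups()
        key = name.lower()          # assumption: channel names are not case-sensitive
        if key in filters:
            raise ValueError(f"channel listed twice: {name}")
        if id_text is None:
            if caret:
                raise ValueError(f"'^' needs an ID list in parentheses: {entry!r}")
            filters[key] = ChannelFilter(name)
        elif caret:
            filters[key] = ChannelFilter(name, exclude=_parse_ids(id_text))
        else:
            filters[key] = ChannelFilter(name, include=_parse_ids(id_text))
    return filters


def is_valid_channel_spec(spec: str) -> bool:
    try:
        parse_channel_spec(spec)
        return True
    except ValueError:
        return False


def should_collect(filters: dict, channel: str, event_id: int) -> bool:
    """A channel that is not listed at all is never collected."""
    f = filters.get(channel.lower())
    return f is not None and f.accepts(event_id)


def filter_events(spec: str, events):
    filters = parse_channel_spec(spec)
    return [e for e in events if should_collect(filters, e[0], e[1])]


# Constructed sample events as (channel, event ID) pairs.
SAMPLE_EVENTS = [
    ("Application", 211),
    ("Application", 1000),
    ("System", 1010),
    ("System", 7036),
    ("Security", 4624),
    ("Setup", 1),
]

if __name__ == "__main__":
    spec = "Application^(211|300), System(1010|1012), Security"
    for channel, event_id in filter_events(spec, SAMPLE_EVENTS):
        print(f"collect {channel} {event_id}")
```

Running the block with the example value from the text collects Application 1000, System 1010 and Security 4624 and drops the rest; the Setup event is dropped because its channel is not in the list, not because of a filter.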

    User Name

    Enter the account name for the Windows user account that you set up earlier for communicating with NetWitness. Note that you need to enter the full account name, which includes the domain. For example, rsalog@DSNETWORKING.COM.

    Note: For negotiate authentication, this must be the Kerberos principal name in the name@kerberos_domain format. For example, logcollector@LAB30.LOCAL.

    Password

    Enter the correct password for the user account for the event source. The password is encrypted internally and is displayed in its encrypted form.

    Read All Events

    Select this box to read all historical event data from a channel.

    • Unchecked (default) ‐ Log Collector does not collect from all historical event data for a specified channel.

    • Checked ‐ Log Collector collects from all historical event data from a specified channel.

    Max Events Per Cycle

    (Optional). NetWitness recommends that you set this value to 0, which collects everything.

    Polling Interval

    (Optional). For most users, a value of 60 should work well.

    Render Events

    Select this box to request rendered events from the event source.

    • Checked (default) ‐ Log Collector requests rendered events from the event source.

    • Unchecked ‐ Log Collector does not request rendered events from the event source.

  4. Click OK to add the source.

    The newly added Windows event source is displayed in the Event Categories panel.

  5. Select the new event source in the Event Categories panel.

    The Hosts panel is activated.

  6. Click the Add icon in the Hosts panel toolbar.
  7. Fill in the parameters, using the guidelines below.

    Parameter Details

    Event Source Address

    Enter the IP address or host name for the Windows host.

    Note: From 12.4 onwards, NetWitness deprecates the use of an IP address as the event source address for basic authentication. If you are configuring basic authentication, use an FQDN or host name and add a matching entry in /etc/hosts on the Log Collector.

    Port

    Accept the default value, 5985.

    Transport Mode

    Enter http. Port 5985 is the WinRM HTTP listener. With Negotiate (Kerberos) authentication the WinRM traffic is still encrypted at the message level even over http; with Basic authentication over http, the credentials and the collected events cross the network in clear text, which is another reason to select Negotiate.

    Enabled

    Ensure the box is checked.

  8. Click Test Connection.

    Note: You should be able to successfully test the connection, even if the Windows service is not running.
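The parameter rules scattered through the procedure above (realm in all caps, KDC as a short host name, optional Admin Server as an FQDN, principal in name@REALM form for Negotiate, no IP literal as the event source address with Basic authentication from 12.4, port 5985, http transport) are easy to get wrong when adding many hosts. The following added example, which is not NetWitness code, lints one event source definition against those rules before it is entered; the function name, argument names and the exact wording of the messages are mine.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_hostname(value: str) -> bool:
    return bool(value) and all(_LABEL.match(label) for label in value.split("."))


def lint_windows_source(realm, kdc_host, user_name, auth_method,
                        event_source_address, port=5985, transport="http",
                        admin_server=None):
    """Return a list of problems (empty list means the definition passes)."""
    problems = []

    # Kerberos Realm Name: DNS-style name, all caps (e.g. DSNETWORKING.COM).
    if not _is_hostname(realm) or realm != realm.upper():
        problems.append("Kerberos Realm Name must be a DNS-style name in all caps")

    # KDC Host Name: short host name of the DC, not an FQDN.
    if "." in kdc_host or not _is_hostname(kdc_host):
        problems.append("KDC Host Name must be the DC's short host name, not an FQDN")

    # Admin Server is optional but, when given, must be an FQDN.
    if admin_server is not None and ("." not in admin_server or not _is_hostname(admin_server)):
        problems.append("Admin Server must be in FQDN format")

    auth = auth_method.lower()
    if auth not in ("basic", "negotiate"):
        problems.append("Authorization Method must be Basic or Negotiate")

    # User Name: full account name including the domain; for Negotiate the
    # realm part is a Kerberos realm and must match the configured realm exactly.
    if "@" not in user_name:
        problems.append("User Name must be the full account name, e.g. rsalog@DSNETWORKING.COM")
    elif auth == "negotiate":
        principal_realm = user_name.rpartition("@")[2]
        if principal_realm != realm:
            problems.append(f"principal realm {principal_realm} does not match realm {realm}")

    # Event Source Address: host name or IP; IP literals with Basic are deprecated from 12.4.
    if not (_is_hostname(event_source_address) or _is_ip_literal(event_source_address)):
        problems.append("Event Source Address must be a host name, FQDN or IP address")
    elif auth == "basic" and _is_ip_literal(event_source_address):
        problems.append("12.4+: use an FQDN or host name (with an /etc/hosts entry) "
                        "instead of an IP address for basic authentication")

    if port != 5985:
        problems.append("Port should be the default 5985")
    if transport.lower() != "http":
        problems.append("Transport Mode should be http")
    return problems


if __name__ == "__main__":
    # Constructed definitions, not taken from a real deployment.
    good = lint_windows_source("DSNETWORKING.COM", "dc01", "rsalog@DSNETWORKING.COM",
                               "Negotiate", "dc01.dsnetworking.com")
    print("good definition:", good or "ok")
    bad = lint_windows_source("dsnetworking.com", "dc01.dsnetworking.com", "rsalog",
                              "Negotiate", "10.0.0.5", port=5986, transport="https")
    for p in bad:
        print("problem:", p)
```

Kerberos realm names are case-sensitive, so the principal check compares the realm part exactly rather than case-insensitively; a principal such as rsalog@dsnetworking.com against realm DSNETWORKING.COM is flagged.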

For more information on any of the previous steps, see the following Help topics in the NetWitness User Guide: