Configure Windows Legacy and NetApp Event Sources

This topic tells you how to configure Windows Legacy and NetApp event sources in NetWitness.

The Windows Legacy collection protocol collects event data from Windows 2003 or earlier event sources, and from NetApp event sources.

Prerequisites

Before you configure a Windows Legacy event source, make sure that you have:

  1. Installed the NetWitness Windows Legacy Remote Collector on a physical or virtual Windows 2008 64-bit server.
  2. Added this Windows Legacy Remote Collector to NetWitness.

Add a Windows Legacy Event Source

  1. Access the Services view by selecting Admin > Services from the NetWitness menu.
  2. In the Services grid, select a Windows Legacy Log Decoder service.
  3. Under Actions, select the Actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. In the Event Sources tab, select one of the following options from the drop-down menu.

    • Windows Legacy/Windows.
    • Windows Legacy/NetApp.
  6. Configure the alias:

    1. Click the Add icon in the Event Categories panel toolbar.

      The Add Source dialog is displayed.

    2. Specify values for the parameters and click OK.


      Note: By default, Remote Registry Initialization is selected. For details, see Remote Registry Access below.

      The newly added Windows event source type is displayed in the Event Categories panel.

  7. Add the event source:

    1. Select the new alias in the Event Categories panel and click the Add icon in the Source panel toolbar.

      The Add Source dialog is displayed.

    2. Specify values for the event source parameters and click OK.


      For details, see Windows Legacy Configuration Parameters below.

      The newly added Windows event source is displayed in the Event Categories panel.


Remote Registry Access

Windows Legacy Collector performs an initial verification of the event source before collecting data. By default, Windows Legacy Collector uses the Windows Management Instrumentation (WMI) method to perform this initial verification. If you enable the remote registry access method, Windows Legacy Collector performs a remote registry query to verify the event source instead.

Configure Push or Pull between Log Collector and Windows Legacy Collector

You can configure the Windows Legacy Collector to push event data to a Local Collector, or you can configure a Local Collector to pull event data from the Windows Legacy Collector.

To configure a Local Collector or the Windows Legacy Collector:

  1. Go to Admin > Services.
  2. Select a Local Collector or the Windows Legacy Collection service.
  3. Under Actions, select the Actions menu > View > Config to display the Log Collection configuration parameter tabs.
  4. Depending on your selection in step 2:

    • If you selected a Local Collector, the Remote Collectors tab is displayed. Select the Windows Legacy Collector from which the Local Collector pulls events in this tab.
    • If you selected a Windows Legacy Collector, the Local Collectors are displayed. Select the Local Collectors to which the Windows Legacy Collector pushes events in this tab.

Windows Legacy Configuration Parameters

The following table describes the basic parameters for a Windows Legacy event source.

Note: Required parameters are marked with an asterisk. All other parameters are optional.

Name*
  The name of the event source. Valid values match the pattern [_a-zA-Z][_a-zA-Z0-9]*. You can also use a dash "-" as part of the name.

Event Source Address*
  IP address of the event source. Valid value is an IPv4 address, an IPv6 address, or a hostname, including a fully qualified domain name. NetWitness defaults to 127.0.0.1.
  Log Collector converts the hostname to lower-case letters to prevent duplicate entries.

Event Log Name
  The name of the event log from which to collect event data (for example, System, Application, or Security). The following are examples of some of these channels:

    • System - applications that run under system service accounts (installed system services), drivers, or a component or application that has events that relate to the health of the system.

    • Application - all user-level applications. This channel is unsecured and open to any application. If an application has extensive information, you should define an application-specific channel for it.

    • Security - the Windows Audit Log (event log), used exclusively by the Windows Local Security Authority.

Enabled
  Select this checkbox to collect from this event source. If you do not select this checkbox, the Log Collector does not collect events from this event source.

Event Directory Path
  Directory path of the NetApp .evt or .evtx files. This must be a UNC path.

  The NetApp generates event data and saves it in .evt or .evtx files in a shareable directory on the NetApp appliance.

    • In each polling cycle, Log Collector browses the configured NetApp shared path for the .evt files that you identified with the Event Directory Path and Event File Prefix parameters. Log Collector:

      • sorts files that match the event-file-prefix.YYMMDDhhmmss.evt format in ascending order.

      • uses the timestamp of the last file processed to determine the files that still need processing. If Log Collector finds a partially processed file, it skips the events already processed.

    • In each polling cycle, Log Collector browses the configured NetApp shared path for the .evtx files that you identified with the Event Directory Path and Event File Prefix parameters. Log Collector:

      • sorts files that match the event-file-prefix.YYMMDDhhmmssms.evtx format in ascending order.

      • uses the timestamp of the last file processed to determine the files that still need processing. If Log Collector finds a partially processed file, it skips the events already processed.

Event File Prefix
  Prefix of the .evt files (for example, adtlog.) saved in the Event Directory Path.

Cancel
  Closes the dialog without adding the Windows Legacy event source.

OK
  Adds the current parameter values as a new event source.
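The file-selection rules given for the Event Directory Path parameter above (match prefix plus timestamp, sort ascending, resume from the last processed file) can be modelled in a few lines. The following is an added example, not NetWitness code: it parses a constructed share listing for both the .evt and the .evtx naming formats and returns the files a polling cycle still has to read. The three-digit width of the "ms" field and the explicit count of already-read events passed to skip_processed_events() are assumptions of this example, not values stated on the page.

```python
"""Added example (not NetWitness code): a model of how a collector picks the
NetApp event files that still need processing, following the naming and
ordering rules given for the Event Directory Path parameter."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class EventFile:
    """One file in the NetApp share that matched the expected naming format."""
    name: str
    key: int   # sort key: YYMMDDhhmmss * 1000, plus milliseconds for .evtx
    ext: str   # "evt" or "evtx"


def parse_event_file(name: str, prefix: str) -> Optional[EventFile]:
    """Match <prefix>YYMMDDhhmmss.evt or <prefix>YYMMDDhhmmssms.evtx.

    The page shows the prefix with its trailing dot (e.g. "adtlog."), so it is
    matched literally. The width of the "ms" field is not stated on the page;
    three digits (milliseconds) is an assumption of this example.
    """
    pattern = re.compile(
        r"^" + re.escape(prefix) + r"(?P<ts>\d{12})(?P<ms>\d{3})?\.(?P<ext>evt|evtx)$"
    )
    m = pattern.match(name)
    if m is None:
        return None
    ts, ms, ext = m.group("ts"), m.group("ms"), m.group("ext")
    # .evt names carry no ms field; .evtx names must carry one.
    if (ext == "evt") != (ms is None):
        return None
    return EventFile(name=name, key=int(ts) * 1000 + (int(ms) if ms else 0), ext=ext)


def files_to_process(listing: List[str], prefix: str, ext: str,
                     last_key: Optional[int]) -> List[EventFile]:
    """Return the files of one type ("evt" or "evtx"), in ascending timestamp
    order, that the collector still has to read.

    last_key is the sort key of the last file processed in a previous cycle
    (None if nothing has been processed yet). That file is returned again
    because it may have been only partially processed; the events already
    read from it are dropped by skip_processed_events().
    """
    parsed = [f for f in (parse_event_file(n, prefix) for n in listing)
              if f is not None and f.ext == ext]
    parsed.sort(key=lambda f: f.key)
    if last_key is None:
        return parsed
    return [f for f in parsed if f.key >= last_key]


def skip_processed_events(events: List[str], already_processed: int) -> List[str]:
    """For a partially processed file, drop the events read in an earlier cycle.
    Passing the count of already-read events explicitly is an assumption of
    this example; the page only says that such events are skipped."""
    return events[max(0, already_processed):]


# Constructed directory listing (not real NetApp output). It includes an
# unrelated prefix, a malformed timestamp and an .evtx name lacking an ms field.
SAMPLE_LISTING = [
    "adtlog.240301120000.evt",
    "adtlog.240301110000.evt",
    "adtlog.240301130000123.evtx",
    "adtlog.240301130000045.evtx",
    "other.240301120000.evt",
    "adtlog.notatimestamp.evt",
    "adtlog.240301120000.evtx",
]

if __name__ == "__main__":
    first = files_to_process(SAMPLE_LISTING, "adtlog.", "evt", None)
    print("first .evt cycle :", [f.name for f in first])
    # Second cycle: only the last file (possibly partial) and anything newer.
    resumed = files_to_process(SAMPLE_LISTING, "adtlog.", "evt", first[-1].key)
    print("second .evt cycle:", [f.name for f in resumed])
    evtx = files_to_process(SAMPLE_LISTING, "adtlog.", "evtx", None)
    print(".evtx cycle      :", [f.name for f in evtx])
```

Running the module lists the two well-formed .evt files in timestamp order, then on the simulated second cycle only the last of them, and the two .evtx files ordered by their millisecond suffix; the unrelated, malformed and mis-suffixed names are ignored. Keeping the two extensions as separate passes mirrors the two bullet lists above, which describe one browse for .evt files and one for .evtx files per polling cycle.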

The following table describes the advanced parameters for a Windows Legacy event source.

Event Buffer Size
  Maximum size of the data the Log Collector pulls from the event source for each request. Valid value is a number in the 0 to 511 Kilobytes range. You specify this value in Kilobytes.

Event Too Large Result
  Tells Log Collector what to do if an event is too large for the event buffer.

Maximum Event Data
  Maximum size of event data to include in the output. Valid value is a number in the 0 to 511 Kilobytes range. You specify this value in Kilobytes or Megabytes.

    • 1 Kilobyte - 100 Megabytes

    • 0 = do not include event data in the output.

Max Events Per Cycle
  The maximum number of events collected per polling cycle.

Polling Interval
  Interval (in seconds) between each poll. The default value is 180.

  For example, if you specify 180, the collector schedules a poll of the event source every 180 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you are polling a large number of event sources, it may take longer than 180 seconds for the polling to start because the threads are busy.

Debug
  Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and need to investigate it. Enabling debugging adversely affects the performance of the Log Collector.

  Enables or disables debug logging for the event source. Valid values are:

    • Off = (default) disabled

    • On = enabled

    • Verbose = enabled in verbose mode - adds thread information and source context information to the messages.

  This parameter is designed to debug and monitor isolated event source collection issues. If you change this value, the change takes effect immediately (no restart required). Limit the number of event sources for which you use Verbose debugging to minimize the performance impact.