Creating an Event Source and Editing Attributes
You can organize your event sources into groups. You do this by entering values for various attributes for each event source. For example, for all of your high priority event sources, you could set the Priority to 1. You can see details about the available attributes on the Manage Event Source Tab.
The following figure shows an example of the Event Sources panel:
Event source attributes are a combination of auto-populated and user-entered information. When an event source sends log information to NetWitness, it is added to the list of event sources, and some basic information is auto-populated. At any time after that, users can add or edit details for other event source attributes.
Mandatory Attributes
The following identification attributes are handled specially: IP, IPv6, Hostname, Event Source Type, Log Collector, and Log Decoder. If you create an event source manually, you can enter these values. After you save the event source, these values can no longer be changed.
Event sources can also be auto-discovered; any event source that sends messages to the Log Decoder will be added to the list of event sources. If you edit the attributes for an auto-discovered event source, you cannot edit any of these fields.
Note that not all of these fields are mandatory. To uniquely identify an event source, the following information is required:
- IP or IPv6 or Hostname, and
- Event Source Type
Additionally, NetWitness uses a hierarchy for IP, IPv6, and Hostname. The order is as follows:
- IP
- IPv6
- Hostname
If you enter event sources manually, keep this order in mind. Otherwise, you may end up with duplicates when messages are received from the event sources that you manually added.
All other attributes (such as Priority, Country, Company, Vendor, and so on) are optional.
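As an added example (not NetWitness code), this Python script pre-checks event sources you plan to enter manually against an asset inventory and flags entries that skip a higher-ranked identifier. It assumes an auto-discovered source is keyed by the highest-ranked identifier the device has; the field names, type names, and addresses are constructed.

```python
import ipaddress

# Identification hierarchy stated on the page: IP, then IPv6, then Hostname.
HIERARCHY = ("ip", "ipv6", "hostname")

def normalise(field, value):
    value = (value or "").strip()
    if not value:
        return ""
    if field == "hostname":
        return value.lower()
    return str(ipaddress.ip_address(value))  # raises ValueError on a malformed address

def identity_key(source):
    """(field, value, type) built from the highest-ranked identifier present."""
    est = (source.get("type") or "").strip().lower()
    if not est:
        raise ValueError("Event Source Type is required")
    for field in HIERARCHY:
        value = normalise(field, source.get(field))
        if value:
            return (field, value, est)
    raise ValueError("one of IP, IPv6 or Hostname is required")

def duplicate_risks(planned, inventory):
    """Planned manual entries keyed lower in the hierarchy than the device allows."""
    risks = []
    for entry in planned:
        key = identity_key(entry)
        for device in inventory:
            full = identity_key(device)  # assumed key of the auto-discovered entry
            same = full[2] == key[2] and normalise(key[0], device.get(key[0])) == key[1]
            if same and full != key:
                risks.append((key, full))
    return risks

# Constructed sample data: documentation address ranges, made-up type names.
INVENTORY = [
    {"ip": "192.0.2.10", "hostname": "fw-edge-01", "type": "firewall"},
    {"ipv6": "2001:DB8::25", "hostname": "mail-01", "type": "mailserver"},
    {"hostname": "app-07", "type": "webserver"},
]
PLANNED = [
    {"hostname": "FW-EDGE-01", "type": "firewall"},    # IP is known but not entered
    {"ipv6": "2001:db8::25", "type": "mailserver"},    # follows the hierarchy
    {"hostname": "app-07", "type": "webserver"},       # hostname is all there is
]

if __name__ == "__main__":
    for entered, expected in duplicate_risks(PLANNED, INVENTORY):
        print(f"enter {expected[0]}={expected[1]} instead of {entered[0]}={entered[1]}")
```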
Create an Event Source
- Go to (Admin) > Event Sources.
- Select the Manage tab.
- In the Event Sources panel, click to open the details screen, which contains all of the event source attributes. The Manage Event Source Tab is displayed.
- Enter or change the values for any attributes.
- Click Save.
Note: The Discovery Score is listed as Unavailable for manually-added event sources. The score remains as Unavailable until the event source begins sending information to the NetWitness
Update Attributes for an Event Source
- Go to (Admin) > Event Sources.
- Select the Manage tab.
- In the Event Sources panel, select an event source from the list.
- In the Event Sources panel, click to open the details screen, which contains all of the event source attributes. The Manage Event Source Tab is displayed.
- Enter or change the values for any attributes, except for certain attributes that cannot be altered after you have entered them.
- Click Save.