Creating Event Source Groups

Administrators must receive notifications when event sources are no longer being collected by NetWitness. They need to be able to configure how long the event sources can be quiet (that is, not collect any log messages) before sending a notification based on different factors.

NetWitness provides event source groups so that you can group similarly important devices together. You can create groups based on attributes that you imported from your CMDB (configuration management database), or by manually choosing event sources to add to the group.

For example, these are some of the types of event source groups that you can create:

  • PCI sources
  • Windows Domain Controllers
  • Quiet sources
  • Finance Servers
  • High Priority devices
  • All Windows sources

Procedure

To create an Event Source group:

  1. Go to Admin > Event Sources.
  2. In the Manage panel, click the Add icon.

    The Create an Event Group dialog is displayed.

    [Figure: Create an Event Group dialog]

  3. Enter a Group Name.
  4. Enter a Description.
  5. Click the Add icon to add a condition. Continue adding conditions as necessary. For details on constructing conditions, see Create/Edit Group Form.
  6. Click Save.

    The new group is listed in the Manage panel.

Examples

This section describes a simple example, and then discusses how to set up a more complex set of rules.

Simple Example

This example describes the steps to create an event source group that contains all of your high priority event sources.

  1. Go to Admin > Event Sources.
  2. In the Manage > Groups panel, click the Add icon.
  3. Enter High Priority Devices for the Group Name.
  4. Enter a description, such as "These devices are our highest priority ones, and must be monitored closely."
  5. Leave "All of these" selected and click the Add icon to add a condition.
  6. Select Add condition from the drop-down menu.

    1. Select an Attribute: Priority.
    2. Select an Operator: Less than.
    3. Enter a value: 2.

      The following figure displays the updated Edit Event Group dialog.

      [Figure: Edit Event Group dialog with the Priority condition]

  7. Click Save.

Complex Example

In this example, you want to create a fairly complex rule: match event sources that are in the United States, and in either the Sales, Finance, or Marketing departments. Also, match worldwide internal, high priority Sales event sources. High Priority is assumed to be where the priority is 1 or 0. Logically, the definition is as follows:

(Country=United States AND (Dept.=Sales OR Dept.=Finance OR Dept.=Marketing))
OR
(Priority < 2 AND Division != External AND Dept.=Sales)
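To make the evaluation order of the simple rule (Priority less than 2) and of the complex rule above concrete, here is an added Python example that is not part of the NetWitness documentation and does not use any NetWitness API. It models the dialog's "All of these" / "Any of these" choice as nested rule groups and runs both rules over a constructed inventory of event sources. The inventory records, attribute names (country, dept, division, priority) and the treatment of a missing attribute are assumptions of the example; in particular, a source with no division value satisfies "Division != External" here, which is worth checking against how your own CMDB import fills those attributes.

```python
from typing import Any, Callable, Dict, List, Tuple, Union

# Constructed sample inventory; attribute names and values are illustrative only.
EVENT_SOURCES: List[Dict[str, Any]] = [
    {"name": "dc01",     "country": "United States", "dept": "IT",        "division": "Internal", "priority": 0},
    {"name": "crm01",    "country": "United States", "dept": "Sales",     "division": "Internal", "priority": 3},
    {"name": "erp01",    "country": "Germany",       "dept": "Finance",   "division": "Internal", "priority": 1},
    {"name": "web01",    "country": "Germany",       "dept": "Sales",     "division": "Internal", "priority": 1},
    {"name": "mkt01",    "country": "United States", "dept": "Marketing", "division": "External", "priority": 2},
    {"name": "vendor1",  "country": "India",         "dept": "Sales",     "division": "External", "priority": 0},
    # Division was never populated for this source (e.g. an incomplete CMDB record).
    {"name": "partner1", "country": "Canada",        "dept": "Sales",     "division": None,       "priority": 1},
]

# A leaf condition is (attribute, operator, value); a group is {"match": "all"|"any", "conditions": [...]}.
Condition = Tuple[str, str, Any]
Rule = Union[Condition, Dict[str, Any]]

OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    # Assumption: a missing attribute counts as "not equal"; verify this against your deployment.
    "not equals": lambda actual, expected: actual != expected,
    # A missing priority can never be "less than" a number, so it never matches.
    "less than": lambda actual, expected: actual is not None and actual < expected,
}


def matches(source: Dict[str, Any], rule: Rule) -> bool:
    """Evaluate one event source against a condition or a nested rule group."""
    if isinstance(rule, dict):
        results = (matches(source, child) for child in rule["conditions"])
        # "all" mirrors the dialog's "All of these" (AND); "any" mirrors "Any of these" (OR).
        return all(results) if rule["match"] == "all" else any(results)
    attribute, operator, expected = rule
    return OPERATORS[operator](source.get(attribute), expected)


def group_members(sources: List[Dict[str, Any]], rule: Rule) -> List[str]:
    """Return the names of the sources that belong to the group defined by rule."""
    return [s["name"] for s in sources if matches(s, rule)]


# Simple example: "All of these" with a single condition, Priority less than 2.
HIGH_PRIORITY_RULE: Rule = {"match": "all", "conditions": [("priority", "less than", 2)]}

# Complex example:
# (Country=United States AND (Dept=Sales OR Dept=Finance OR Dept=Marketing))
# OR (Priority < 2 AND Division != External AND Dept=Sales)
COMPLEX_RULE: Rule = {"match": "any", "conditions": [
    {"match": "all", "conditions": [
        ("country", "equals", "United States"),
        {"match": "any", "conditions": [
            ("dept", "equals", "Sales"),
            ("dept", "equals", "Finance"),
            ("dept", "equals", "Marketing"),
        ]},
    ]},
    {"match": "all", "conditions": [
        ("priority", "less than", 2),
        ("division", "not equals", "External"),
        ("dept", "equals", "Sales"),
    ]},
]}

if __name__ == "__main__":
    print("High Priority Devices:", group_members(EVENT_SOURCES, HIGH_PRIORITY_RULE))
    print("Complex group:", group_members(EVENT_SOURCES, COMPLEX_RULE))
```

Running it shows why the nesting matters: mkt01 joins the complex group through the first branch even though it is External, vendor1 is excluded because the second branch requires a non-External division, and partner1 joins only because its empty division is treated as "not External". Grouping the three department conditions under their own "Any of these" block is what keeps the OR from swallowing the Country condition.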

The following figure is an example of the criteria for creating such an Event Source Group.

[Figure: Edit Event Group dialog showing the criteria for the complex example]