Generate an Endpoint Agent Packager

To generate an agent packager to collect endpoint data from hosts:

  1. Log in to NetWitness.

    Type https://<NW-Server-IP-Address>/login in your browser to get to the NetWitness Login screen.

  2. Click netwitness_adminicon_25x22.png (Admin) > Services.

  3. Select the Endpoint Server service and click netwitness_action_menu.png > View > Config > Agent Packager tab.
    The Agent Packager tab is displayed.


  4. Enter the values in the following fields:

    Field Description

    Endpoint Server

    Displays all the available Endpoint servers in the deployed.
    Endpoint Server Forwarder (Optional) The optional Endpoint Server Forwarder allows you to enter an alternative Fully Qualified Domain Name (FQDN) or IP address on which the sever can be reached in the case that agents need to go through a NAT or similar in order to reach the Endpoint Server. If specified forwarder is not available, agent will eventually fall back to the packaged address.
    HTTPS Port Port number. For example, 443.

    Server Validation

    Determines how the agent validates the Endpoint Server certificate:

    • None – The agent will not validate the server certificate.
    • Certificate Thumbprint – default selection. The agent identifies the server by validating the thumbprint of the Root CA of the server certificate.
    Certificate Password

    Password used to download the packager. The same password is used while generating the agent installer.

    Note: The password must be minimum seven characters long and a combination of uppercase and lowercase letters, numbers, and special characters. For example, Admin@123.

    Auto Uninstall Date and time the agent automatically uninstalls. You can leave it blank if not required.
    Tag Configuration


    When you click Assign Tags under Tag Configuration, you can do any of the following:

    • Create new tags and assign them to the hosts.

    • Select already existing tags and assign them to the hosts.

      For more information, see Investigate Hosts.

    Force Overwrite

    Overwrites the installed Windows agent regardless of the version. If this option is not selected, the same installer can be run multiple times on a system, but installs the agent only once.

    If you enable this option, make sure that you provide the same service name and driver service name as the previously installed agent, while creating a new agent.

    Note: If you want to force overwrite with MSI, run the following command:
    msiexec /fvam <msifilename.msi>

    After you move an agent from one deployment to another, using Force Overwrite to change the agent incurs an 8-hour delay in communication between the agent and its Endpoint Server on the new deployment. To eliminate the delay, uninstall the agent from the old deployment, and reinstall the agent on the new deployment.

    Agent Configuration

    Note: The following Service and Driver fields are applicable only for Windows.


    Service Name Name of the agent service. For example, NWEAgent.

    Display Name

    Display name of the agent service. For example, NWE Agent.

    Description Description of the agent service. For example, NetWitness Endpoint.



    Driver Service Name

    Name of the driver service. For example, NWEDriver.

    Driver Display Name Display name of the driver service. For example, NWE Driver.
    Driver Description Description of the driver service. For example, NetWitness Endpoint Driver.
    Generate Agent Generates an agent packager.
  5. Click Generate Agent.

    This downloads an agent packager ( on the host where you are accessing the NetWitness user interface.