Import, Export, Edit, and Test Event Sources in Bulk

This topic describes how to import, export, edit, and test event sources in bulk.

You can use the bulk export option to export the event source details of your current setup and store them. If you later have a problem with your setup and need the event source data you had, you can import this data in bulk.

You can use the bulk edit feature when multiple event sources need the same modification. Select all of the sources and apply the edit to them at once, instead of making the change one source at a time.

Import Event Sources in Bulk

Warning: When using a spreadsheet program to edit an exported event source CSV file, some data fields like numbers and dates can be re-formatted into the spreadsheet program’s native field types. This can cause issues when re-importing this information, as some data fields may be garbled or formatted incorrectly. This can be avoided by importing the CSV file into the spreadsheet program, and specifying all data fields as text values.
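The warning above can be checked mechanically before re-import. The following is an added example, not part of the NetWitness product or documentation: it compares the original export with the edited file cell by cell and reports every change outside the columns you meant to edit. The column names, sample rows, and function names are constructed for illustration and do not reflect the actual export schema.

```python
import csv
import io
import re

SCI = re.compile(r"^-?\d(\.\d+)?E[+-]?\d+$", re.IGNORECASE)  # e.g. 1.23457E+11
SLASH_DATE = re.compile(r"^\d{1,2}/\d{1,2}/\d{2,4}")          # e.g. 1/5/2023

def load(text):
    """Parse CSV text into (header, rows), keeping every cell as a raw string."""
    rows = list(csv.reader(io.StringIO(text, newline="")))
    return rows[0], rows[1:]

def classify(before, after):
    """Name the likely spreadsheet coercion that turned `before` into `after`."""
    if SCI.match(after) and not SCI.match(before):
        return "scientific notation"
    if before.isdigit() and after and before.lstrip("0") == after:
        return "leading zeros stripped"
    if SLASH_DATE.match(after) and not SLASH_DATE.match(before):
        return "date reformatted"
    try:
        if float(before) == float(after):
            return "number reformatted"
    except ValueError:
        pass
    return "value changed"

def diff_exports(original_text, edited_text, intended=()):
    """Return (file_line, column, before, after, reason) per unintended change."""
    head_a, rows_a = load(original_text)
    head_b, rows_b = load(edited_text)
    if head_a != head_b or len(rows_a) != len(rows_b):
        raise ValueError("header or row count differs; compare manually")
    findings = []
    for line_no, (ra, rb) in enumerate(zip(rows_a, rows_b), start=2):
        for col, a, b in zip(head_a, ra, rb):
            if a != b and col not in intended:
                findings.append((line_no, col, a, b, classify(a, b)))
    return findings

# Constructed sample data (hypothetical columns): the only intended edit is debug Off -> On.
ORIGINAL = """source_name,address,account_id,debug,last_seen
fw-edge-01,10.0.0.5,0051,Off,2023-01-05 10:00:00
db-core-02,10.0.0.9,123456789012,Off,2023-02-11 08:30:00
"""
EDITED = """source_name,address,account_id,debug,last_seen
fw-edge-01,10.0.0.5,51,On,1/5/2023 10:00
db-core-02,10.0.0.9,1.23457E+11,On,2/11/2023 8:30
"""
if __name__ == "__main__":
    for finding in diff_exports(ORIGINAL, EDITED, intended=("debug",)):
        print(finding)
```

An empty result means the only differences are in the columns you listed as intended, so the file can be imported as edited.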

To import multiple event sources at once:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Under Actions, click the actions menu icon and select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. Select Check Point, File, Netflow, Logstash, ODBC, Plugins, SDEE, Syslog (for Remote Collectors only), VMware, Windows, or Windows Legacy. (SNMP does not have an Import function.)
  6. In the Sources panel toolbar, click Import Source.

    The Bulk Add Option dialog is displayed.

  7. Select either Import CSV File or Paste CSV Content. If you select:

    • Import CSV File:

      1. Click Next.

        The Import dialog is displayed.

      2. Click Add and select a .csv file from your network.

      3. Click Import.

        The event sources are added to the Event Source list.

    • Paste CSV Content

      1. Copy the contents of the .csv file and paste them into the dialog.

      2. Click Import.

        The event sources are added to the Event Source list.

Export Event Sources in Bulk

Warning: When using a spreadsheet program to edit an exported event source CSV file, some data fields like numbers and dates can be re-formatted into the spreadsheet program’s native field types. This can cause issues when re-importing this information, as some data fields may be garbled or formatted incorrectly. This can be avoided by importing the CSV file into the spreadsheet program, and specifying all data fields as text values.

To export event source information:

  1. Go to Admin > Services.
  2. Select a Log Collection service.
  3. Click the actions menu icon and select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. Select Check Point, File, Netflow, Logstash, ODBC, Plugins, SDEE, Syslog (for Remote Collectors only), VMware, Windows, or Windows Legacy. (SNMP does not have an Export function.)
  6. In the Sources panel, select one or multiple event sources and click Export Source.

    The Bulk Export dialog is displayed.

  7. Based on your selection:

    • All: NetWitness exports all event sources to a time-stamped CSV file.
    • Selected: NetWitness exports the event source or sources you selected to a time-stamped CSV file.
    • Cancel: NetWitness cancels the export.

The following is an example of a time-stamped CSV file that gets created with the event sources that you selected from the list.

[Figure: example of an exported time-stamped CSV file]

Edit Event Sources in Bulk

To edit multiple event sources at once:

  1. On the Log Collector Event Sources tab, select Check Point, File, Netflow, Logstash, ODBC, Plugins, SDEE, Syslog, VMware, Windows, or Windows Legacy. (SNMP does not have an Edit function.)
  2. In the Sources panel, select multiple event sources and click the edit icon.

    The appropriate Bulk Edit dialog for the selected event source is displayed. The following figure is an example of the Bulk Edit Source dialog for File event source parameters.

    [Figure: Bulk Edit Source dialog for File event source parameters]

  3. Select the checkbox to the left of the fields that you want to modify (for example, Debug).
  4. Modify the selected parameters (for example, change Debug from Off to On).
  5. Click OK.

    NetWitness applies the same parameter value change to all of the selected event sources.

Test Event Source Connections in Bulk

To test multiple event source connections at once:

  1. Go to Admin > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the actions menu icon and select View > Config to display the Log Collection configuration parameter tabs.
  4. Select the Event Sources tab, then select Plugins, ODBC, Logstash, or Windows (the other protocols do not have a bulk test connection function).
  5. Select one or more:

    • sources from the Sources panel for Plugins or ODBC
    • hosts from Hosts panel for Windows

    The Test Connection button is enabled.

  6. Click Test Connection.

    The Bulk Test Connections dialog is displayed showing the current status of the test for each source. The status can be waiting, testing, passed or failed.

    If you choose to close the testing before it is completed, the testing stops and the Bulk Test Connections dialog closes.

After the testing is complete, the results are displayed in the Bulk Test Connections dialog.

See Also

You can use the Event Sources module (Admin > Event Sources) to create groups of event sources, typically imported from a CMDB, and to monitor event sources based on those groups. For details, see the following topics in the Event Source Management Guide:

  • Import Event Sources
  • Export Event Sources
  • Bulk Edit Event Source Attributes