Hosts can be laptops, workstations, or servers, physical or virtual, on which a supported operating system is installed. An Endpoint Agent can be deployed on a host running a Windows, Mac, or Linux operating system. The installation process involves:

  1. (Optional) Configuring the Relay Server

Note: You must set up the default relay server before generating the agent packager. Whenever the relay server configuration is modified, the agent policy is updated automatically. For more information on configuring the relay server, see the Endpoint Configuration Guide.

  2. Generating an agent packager
  3. Generating the agent installer

You can run the agent installer specific to your operating system to deploy agents on the hosts. The agents collect endpoint data and tracking events from these hosts. They monitor key behaviors related to process, file, registry, console, and network activity, and forward them as events to the Endpoint Server over HTTPS.

Note: The Endpoint agent can operate either in Insights or Advanced mode depending on the policy configuration. For more information, see the NetWitness Endpoint Configuration Guide.

Supported Operating Systems

Note: In version 12.0 and later, NetWitness Endpoint agents run on ARM devices running Windows 10 and 11.

| Windows | Linux (The agent software runs only on x86_64 architecture) | macOS |
|---|---|---|
| Windows 11 (up to version 22H2) | CentOS 7.x and 8.x | macOS Sonoma (14) |
| Windows 10 Kiosk Mode (64-bit) | Red Hat Enterprise Linux 7.x, 8.x, and 9.x | macOS Ventura (13) |
| Windows 10 (32 and 64-bit) (up to version 22H2) | SUSE Linux Enterprise Server 12 SP1, 12 SP3, 12 SP4, 12 SP5, 15 SP1, and 15 SP4 | macOS Monterey (12) |
| Windows 8.1 (32 and 64-bit) | Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS | macOS Big Sur (11) |
| Windows 8 (32 and 64-bit) | Oracle Linux 8.8 | macOS Catalina (10.15) |
| Windows 7 (32 and 64-bit) | Alma Linux 9.0 | macOS Mojave (10.14) |
| Windows Server 2022, Windows Server 2022 Core | | macOS High Sierra (10.13) |
| Windows Server 2019, Windows Server 2019 Core | | macOS Sierra (10.12) |
| Windows Server 2016 | | OS X El Capitan (10.11) |
| Windows Server 2012 R2 | | OS X Yosemite (10.10) |
| Windows Server 2012 | | OS X Mavericks (10.9) |
| Windows Server 2008 R2 (32 and 64-bit) | | |

Hardware Requirements

The minimum requirements for installing, uninstalling, and upgrading the agent comply with the specific operating system requirements.

 

Enable Process Events Tracking on macOS 14

You can track Process events on macOS 14 after enabling audit control on your machine.

To enable Process events tracking on macOS 14

Note: Steps 1 and 4 apply only if the agent is installed and running on your machine. If the agent is not installed on your machine, skip steps 1 and 4 and perform only steps 2, 3, and 5.

  1. Stop the NetWitness agent by running the following command.

    sudo launchctl unload /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist

  2. Copy the audit service template config file to create a new config by running the following command.

    sudo cp /etc/security/audit_control.example /etc/security/audit_control

  3. Enable the auditd service by running the following command.

    sudo launchctl enable system/com.apple.auditd

  4. Enable the NetWitness agent by running the following command.

    sudo launchctl load /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist

  5. Reboot the system.
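
A check to run after the reboot, added here as an example and not taken from NetWitness code or documentation: it confirms that /etc/security/audit_control is in place and that launchd records com.apple.auditd as enabled. The function names, the AUDIT_CONTROL and AGENT_PLIST variables, and the expected `launchctl print-disabled system` output format are assumptions; the sample output is constructed.

```sh
#!/bin/sh
# Added example (not NetWitness code): verify the macOS 14 prerequisites above.
# Paths and the service label are the ones used in the procedure.
AUDIT_CONTROL="${AUDIT_CONTROL:-/etc/security/audit_control}"
AGENT_PLIST="${AGENT_PLIST:-/Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist}"

# Reads `launchctl print-disabled system` output on stdin and prints the
# override state recorded for com.apple.auditd: enabled, disabled or unknown.
# Assumption: entries look like  "com.apple.auditd" => enabled  (older
# releases print true/false instead, where true means disabled).
auditd_state() {
    awk -F'=> *' '/"com\.apple\.auditd"/ {
        v = $2; gsub(/[ \t\r]/, "", v)
        if (v == "enabled" || v == "false") s = "enabled"
        else if (v == "disabled" || v == "true") s = "disabled"
    } END { print (s == "" ? "unknown" : s) }'
}

# Args: state from auditd_state, path to audit_control.
# Prints one finding per line; returns 0 only when both prerequisites hold.
tracking_ready() {
    state=$1 conf=$2 rc=0
    if [ -s "$conf" ]; then echo "OK   $conf present"
    else echo "FAIL $conf missing or empty (step 2)"; rc=1; fi
    if [ "$state" = enabled ]; then echo "OK   com.apple.auditd enabled"
    else echo "FAIL com.apple.auditd is $state (step 3)"; rc=1; fi
    return $rc
}

if command -v launchctl >/dev/null 2>&1; then
    # Live check on macOS.
    [ -f "$AGENT_PLIST" ] || echo "NOTE agent plist not found; steps 1 and 4 do not apply"
    tracking_ready "$(launchctl print-disabled system | auditd_state)" "$AUDIT_CONTROL"
else
    # Not macOS: run the parser over constructed sample output instead.
    auditd_state <<'EOF'
disabled services = {
	"com.apple.ftpd" => disabled
	"com.apple.auditd" => enabled
}
EOF
fi
```

A state of unknown means launchd holds no enable/disable override for com.apple.auditd, which is reported as a failure of step 3.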

Disable Process Events Tracking on macOS 14

You can disable Process events tracking on macOS 14 by disabling the previously enabled audit control.

To disable Process events tracking on macOS 14

  1. Stop the NetWitness agent by running the following command.

    sudo launchctl unload /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist

  2. Disable the auditd service by running the following command.

    sudo launchctl disable system/com.apple.auditd

  3. Remove the audit service config file by running the following command.

    sudo rm /etc/security/audit_control

  4. Enable the NetWitness agent by running the following command.

    sudo launchctl load /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist

  5. Reboot the system.

Installation Flowchart

The following flowchart illustrates the Endpoint agent installation process:

[Figure: Endpoint agent installation flowchart (AgentIstSteps.jpg)]