Hosts can be laptops, workstations, or servers, physical or virtual, on which a supported operating system is installed. An Endpoint Agent can be deployed on a host running a Windows, Mac, or Linux operating system. The installation process involves:
- (Optional) Configuring the Relay Server
Note: You must set up the default relay server before generating the Agent packager. Whenever the Relay server configuration is modified, the agent policy is updated automatically. For more information on configuring the relay server, see the Endpoint Configuration Guide.
- Generating an agent packager
- Generating the agent installer
You can run the agent installer specific to your operating system to deploy agents on the hosts. The agents collect endpoint data and tracking events from these hosts. They monitor key behaviors related to process, file, registry, console, and network, and forward them as events to the Endpoint Server over HTTPS.
Note: The Endpoint agent can operate either in Insights or Advanced mode depending on the policy configuration. For more information, see the NetWitness Endpoint Configuration Guide.
Supported Operating Systems
Note: In version 12.0 and higher, NetWitness Endpoint agents run on ARM devices running Windows 10 and 11.
Windows | Linux (The agent software runs only on x86_64 architecture) | macOS |
---|---|---|
Windows 11 (up to version 22H2) | CentOS 7.x and 8.x | macOS Sonoma (14) |
Windows 10 Kiosk Mode (64-bit) | Red Hat Enterprise Linux 7.x, 8.x, and 9.x | macOS Ventura (13) |
Windows 10 (32 and 64-bit) | SUSE Linux Enterprise Server 12 SP1, 12 SP3, 12 SP4, 12 SP5, 15 SP1, and 15 SP4 | macOS Monterey (12) |
Windows 8.1 (32 and 64-bit) | Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS | macOS Big Sur (11) |
Windows 8 (32 and 64-bit) | Oracle Linux 8.8 | macOS Catalina (10.15) |
Windows 7 (32 and 64-bit) | Alma Linux 9.0 | macOS Mojave (10.14) |
Windows Server 2022 | | macOS High Sierra (10.13) |
Windows Server 2019 | | macOS Sierra (10.12) |
Windows Server 2016 | | OS X El Capitan (10.11) |
Windows Server 2012 R2 | | OS X Yosemite (10.10) |
Windows Server 2012 | | OS X Mavericks (10.9) |
Windows Server 2008 R2 (32 and 64-bit) | | |
Hardware Requirements
The minimum requirements for installing, uninstalling, and upgrading the agent comply with the specific operating system requirements.
Enable Process Events Tracking on macOS 14
You can track Process events on macOS 14 after enabling audit control on your machine.
To enable Process events tracking on macOS 14
Note: Steps 1 and 4 apply only if the agent is installed and running on your machine. If the agent is not installed on your machine, skip steps 1 and 4 and perform only steps 2, 3, and 5.
1. Stop the NetWitness agent by running the following command.
   sudo launchctl unload /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist
2. Copy the audit service template config file to create a new config by running the following command.
   sudo cp /etc/security/audit_control.example /etc/security/audit_control
3. Enable the auditd service by running the following command.
   sudo launchctl enable system/com.apple.auditd
4. Enable the NetWitness agent by running the following command.
   sudo launchctl load /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist
5. Reboot the system.
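As an added example (not part of the NetWitness documentation), the following shell function prints which of the five steps above apply to a host, following the note about steps 1 and 4, and warns when step 2 would overwrite an existing /etc/security/audit_control. The function name and its root argument are hypothetical, and the presence of the agent's plist is assumed to mean the agent is installed; whether the agent is running is not checked.

```sh
#!/bin/sh
# Added example: plan the "enable Process events tracking" procedure for one host.
# Usage (hypothetical helper): plan_enable_process_tracking /
# The root argument exists only so the checks can run against a test directory tree.
AGENT_PLIST="Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist"
AUDIT_DIR="etc/security"

plan_enable_process_tracking() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "" so the joined paths start with a single slash
    plist="$root/$AGENT_PLIST"
    template="$root/$AUDIT_DIR/audit_control.example"
    config="$root/$AUDIT_DIR/audit_control"

    # Step 2 copies the template, so the procedure cannot proceed without it.
    if [ ! -f "$template" ]; then
        echo "ERROR: template missing: $template" >&2
        return 1
    fi

    # cp overwrites silently: flag an existing (possibly customized) config first.
    if [ -f "$config" ]; then
        echo "WARN: $config exists and will be overwritten by step 2"
    fi

    # Steps 1 and 4 apply only when the agent is installed
    # (assumption: the plist's presence is used as that signal).
    if [ -f "$plist" ]; then
        echo "1: sudo launchctl unload /$AGENT_PLIST"
    fi
    echo "2: sudo cp /$AUDIT_DIR/audit_control.example /$AUDIT_DIR/audit_control"
    echo "3: sudo launchctl enable system/com.apple.auditd"
    if [ -f "$plist" ]; then
        echo "4: sudo launchctl load /$AGENT_PLIST"
    fi
    echo "5: reboot the system"
}
```
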
Disable Process Events Tracking on macOS 14
You can disable Process events tracking on macOS 14 by disabling the already enabled audit control.
To disable Process events tracking on macOS 14
1. Stop the NetWitness agent by running the following command.
   sudo launchctl unload /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist
2. Disable the auditd service by running the following command.
   sudo launchctl disable system/com.apple.auditd
3. Remove the audit service config file by running the following command.
   sudo rm /etc/security/audit_control
4. Enable the NetWitness agent by running the following command.
   sudo launchctl load /Library/LaunchDaemons/com.rsa.nwe.agent.daemon.plist
5. Reboot the system.
Installation Flowchart
The following flowchart illustrates the Endpoint agent installation process: