Log Collection Architecture

This topic describes how NetWitness performs log collection.

How to Deploy Log Collection

You can deploy Log Collection according to the needs and preferences of your enterprise, including deploying Log Collection across multiple locations and collecting data from varying sets of event sources. You do this by setting up a Local Collector with one or more Remote Collectors.

Components of Log Collection

The following figure shows all the components involved in event collection through the NetWitness Log Collector.

netwitness_lc_deployment_808x615.png

Local and Remote Collectors

In this scenario, log collection over the various protocols (Windows, ODBC, and so on) is performed by both the Local Collector and the Remote Collectors. Events collected by the Local Collector are forwarded to the Log Decoder service, just as in a local-only deployment. Events collected by a Remote Collector are transferred to the Local Collector by one of two methods:

  • Pull Configuration - From a Local Collector, you select the Remote Collectors from which you want to pull events.
  • Push Configuration - From a Remote Collector, you select the Local Collector to which you want to push events.

Note: Typically, the Push configuration is used. Pull is available for environments with a DMZ, where firewall policy does not allow a less secure network segment to initiate connections into a more secure segment. With Pull, the Log Collector (or Virtual Log Collector) in the more secure network initiates the connection to the VLC in the less secure network, so the logs are transferred without violating the connection rules. What matters for the firewall is which side opens the connection, not which direction the event data flows.

You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.

Additionally, you can set up a chain of Remote Collectors for which you can configure:

  • One or more Remote Collectors to push event data to a Remote Collector.
  • A Remote Collector to pull event data from one or more Remote Collectors.
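The connection-direction rule from the note above, applied to a chain of Remote Collectors as described in the list just above. This is an added Python example and is not NetWitness code or configuration: the collector names, the zone labels and the ZONE_TRUST ranking are constructed assumptions, and no product ports or settings are modelled. For each hop it picks push by default and falls back to pull only when push would require a less secure segment to connect into a more secure one, then lists the openings the firewall actually has to permit.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed trust ranking for this example (not a NetWitness setting):
# a higher number means a more secure segment. A connection may only be
# initiated from a segment with equal or higher trust toward one with
# equal or lower trust.
ZONE_TRUST: Dict[str, int] = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass(frozen=True)
class Collector:
    name: str   # hypothetical label, e.g. "vlc-dmz"
    zone: str   # key into ZONE_TRUST


def initiator_and_responder(src: Collector, dst: Collector, mode: str) -> Tuple[Collector, Collector]:
    """Who opens the connection for a link that moves src's events to dst.

    push: the sending collector (src) connects to the receiver (dst).
    pull: the receiving collector (dst) connects back to the sender (src).
    """
    if mode not in ("push", "pull"):
        raise ValueError(f"unknown mode {mode!r}")
    return (src, dst) if mode == "push" else (dst, src)


def link_allowed(src: Collector, dst: Collector, mode: str) -> bool:
    """True when the connection initiator sits in an equally or more secure zone."""
    initiator, responder = initiator_and_responder(src, dst, mode)
    return ZONE_TRUST[initiator.zone] >= ZONE_TRUST[responder.zone]


def choose_mode(src: Collector, dst: Collector) -> str:
    """Prefer push (the usual configuration); fall back to pull when push
    would need a less secure segment to connect into a more secure one."""
    for mode in ("push", "pull"):
        if link_allowed(src, dst, mode):
            return mode
    # Unreachable with a totally ordered trust ranking: one of the two
    # directions always runs from the higher-trust side.
    raise RuntimeError(f"no permitted direction between {src.name} and {dst.name}")


def plan_chain(path: List[Collector]) -> List[Tuple[str, str, str]]:
    """For a chain ordered from the outermost Remote Collector to the Local
    Collector, return (sender, receiver, mode) for every hop."""
    return [(src.name, dst.name, choose_mode(src, dst)) for src, dst in zip(path, path[1:])]


def required_firewall_openings(path: List[Collector]) -> List[Tuple[str, str]]:
    """(initiator zone, responder zone) pairs the firewall must permit, in
    the direction the chosen modes actually open connections."""
    openings = []
    for src, dst in zip(path, path[1:]):
        initiator, responder = initiator_and_responder(src, dst, choose_mode(src, dst))
        openings.append((initiator.zone, responder.zone))
    return openings


if __name__ == "__main__":
    # Constructed topology: a VLC in the DMZ, an intermediate Remote Collector
    # and the Local Collector on the internal network.
    chain = [Collector("vlc-dmz", "dmz"), Collector("rc-int", "internal"), Collector("lc", "internal")]
    for hop in plan_chain(chain):
        print(hop)
    print(required_firewall_openings(chain))
```

For the constructed topology the DMZ hop comes out as pull (the internal Remote Collector connects out to the VLC) and the internal hop as push, so the only cross-zone opening the firewall needs is internal to DMZ, never the reverse.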

The following figure illustrates how the Local and Remote Collectors interact to collect events from all of your locations.

netwitness_rc-deployment_500x402.png

Windows Legacy Remote Collector

The NetWitness Windows Legacy Collector is a Microsoft Windows-based remote log collector (RC) that is installed on a Windows host in the domain.

It supports collection from:

  • Windows 2003 and earlier event sources
  • NetApp ONTAP host evt files

The following figure illustrates the deployment required to collect events from Windows Legacy event sources.

netwitness_windows_legacy_dataflw_500x383.png