Log Collection Basics

How Log Collection Works

The Log Collector service collects logs from event sources throughout the IT environment in an organization and forwards the logs to other NetWitness components. The logs and the descriptive content are stored as meta data for use in investigations and reports.

Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service and the NetWitness administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.

Collection Protocols

NetWitness can collect logs from a wide variety of event sources. When you are configuring log collection for a specific event source, you need to know, first and foremost, the protocol that is used to collect the logs.

Collection Protocol Description
Check Point

Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs. For details, see Configure Check Point Event Sources in NetWitness.


Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service.

For details, see Configure File Event Sources in NetWitness.

Note: In NetWitness 11.4 and later, you can perform File Log collection for many event sources using Endpoint Agents, thus simplifying the collection process. For details, see the NetWitness Endpoint Configuration Guide. For a list of which event sources are supported, see the section "Currently Supported File Log Event Source Types."


Accepts events from Netflow v5 and Netflow v9. For details, see Configure Netflow Event Sources in NetWitness.


Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface. For details, see Configure ODBC Event Sources in NetWitness.


The Plugins collection is a generic collection framework for collecting events using external scripts written in other languages. NetWitness currently provides collection for Amazon Web Services (AWS) CloudTrail and Microsoft Azure.

Customers can use this framework to develop their own collection protocols.


Collects Intrusion Detection System (IDS) and Intrusion Prevention Service (IPS) messages.
For details, see Configure SDEE Event Sources in NetWitness.


Accepts SNMP traps. For details, see Configure SNMP Event Sources in NetWitness.


Accepts messages from event sources that issue syslog messages. For details, see Configure Syslog Event Sources.

Note: You do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.


Collects events from a VMware virtual infrastructure. For details, see Configure VMware Event Sources in NetWitness.


Collects events from Windows machines that support the Microsoft Windows model. Windows 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008. For details, see Configure Windows Event Sources in NetWitness.


Utilize Logstash as a collection method, leveraging the various number of plugins supported by Logstash, such as:

  • Custom - This send the events from Logstash to NetWitness Platform.
  • Filebeat- This collects events from file.
  • Auditbeat - This collects audit events from an operating system (for example CentOS).
  • Export connector - This exports events from Decoder or Log Decoder to third party system.

By default, Logstash version 7.10.0 is installed with all standard Logstash plugins (Beats, Export connector and so on) when Log collector is installed.
For more information see, Configure Logstash Event Sources in NetWitness.

Windows Legacy

Collects events from:

  • Older Windows versions such as Windows 2000 and Window 2003 and collects from Windows event sources that are already configured for enVision collection without having to reconfigure them.
  • NetApp ONTAP appliance event source so that you can now collect and parse NetApp evt files.
  • For more information, see.Windows Legacy and NetApp Collection Configuration.

Note: You install the NetWitness Windows Legacy Collector on a physical or virtual Windows 2008 R2 SP1 64-Bit server using the SALegacyWindowsCollector-version-number.exe.