Managing Event Source GroupsManaging Event Source Groups
When dealing with event source groups in NetWitness, note the following:
- An event source is essentially the combination of values for all of its attributes.
- An event source group is the set of event sources that match a set of criteria that are defined for that group.
For example, you might have the following groups:
- A group named Windows Devices, consisting of all the event source types associated with Microsoft Windows event sources (winevent_nic, winevent_er, and winevent_snare).
- A group named Low Priority Services, consisting of all services where the Priority attribute has been set lower than 5.
- A group named U.S. Sales Servers, where you gather event sources located in the U.S.A. and having an Organization attribute of Sales, Finance, or Marketing.
Manage Tab DetailsManage Tab Details
The Manage tab in the Event Source module provides an easy way to manage event sources. In this tab, you can:
- Set up event source groups in a consistent way.
- Work with event source attributes in a consistent, straightforward manner.
- Easily search through your entire set of event sources.
- Bulk edit and update your event sources and event source groups.
You can view the details about your event source groups by doing the following:
- Go to (Admin) > Event Sources.
- Select the Manage panel to see the details for your existing event source groups.
Note: When the system receives logs from an event source that does not currently exist in the Event Source List, NetWitness automatically adds the event source to the list. Additionally, if it matches the criteria for any existing groups, it becomes part of that group.
Default GroupsDefault Groups
NetWitness has several default groups. You can customize these as required and use them as templates for creating new groups.
The default groups are as follows:
- All Event Sources
- All Unix Event Sources
- All Windows Event Sources
- Critical Windows Event Sources
- PCI Event Sources
- Quiet Event Sources
You can edit any of these groups to investigate the rules that define the groups.
Note: You cannot edit or delete the All event source group.