Overview

The NetWitness Export Connector is an input plugin for Logstash that exports NetWitness Platform events and routes the data wherever you want it, in a continuous, streaming fashion. This gives you the flexibility to unlock a variety of downstream use cases.

This plugin is installed on Logstash and integrates with NetWitness Decoders and Log Decoders. It aggregates metadata and raw logs from the Decoder or Log Decoder and converts them into Logstash JSON objects, which integrate easily with numerous consumers such as Kafka, AWS S3, TCP, Elastic, and others.

Install NetWitness Export Connector on the Logstash service. To activate the connector, restart the Logstash service.

Note: From 11.6 onwards, the Logstash server is packaged and supported along with the NetWitness Log Collector or Virtual Log Collector (VLC) service to provide easy access to Logstash. This is referred to as Managed Logstash and it eliminates the need for a separate Logstash server outside of the NetWitness Platform. For more information, see "Configure Logstash Event Sources in NetWitness" in the Log Collection Configuration Guide.

Work Flow of NetWitness Export Connector

The following diagram shows how the NetWitness Export Connector works.


Three plugins are involved in the export:

  • Input plugin
  • Filter plugin (optional)
  • Output plugin

  1. The Input plugin collects the events from the event sources. You must install the NetWitness Export Connector to collect events from a Decoder or Log Decoder. The NetWitness Export Connector uses the NetWitness API to collect the following data and forwards it as Logstash messages:
    • Metadata and raw logs for a Log Decoder
    • Metadata only for a packet Decoder

  The data is then forwarded to the Filter plugin.

  2. (Optional) The Filter plugin adds, removes, or modifies the received data and forwards it to the Output plugin. You can use the standard Logstash filter plugins to add, remove, or modify the data.

  3. The Output plugin sends the processed event data to the data warehouse destinations. You can use the standard Logstash output plugins to send the data.
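As an added illustration, not taken from the NetWitness documentation, the following Logstash pipeline wires the three stages together: the connector as the input, a standard `mutate` filter that tags the event and strips a field before it leaves Logstash, and the standard `kafka` output. The input plugin's name, its options, and the `raw_log` field name are placeholders and assumptions; take the real ones from the connector's own configuration reference.

```conf
# Added example pipeline (not from the NetWitness documentation).
# The input block is a placeholder: substitute the connector's documented
# plugin name and connection options for your Decoder or Log Decoder.
input {
  netwitness_export_connector {   # PLACEHOLDER plugin name
    # PLACEHOLDER: Decoder / Log Decoder connection settings go here
  }
}

filter {
  # Standard Logstash filter plugin: mark where the event came from so
  # downstream consumers can distinguish it from other sources.
  mutate {
    add_field => { "[@metadata][source]" => "netwitness" }
  }
  # Optional trimming: if a consumer only needs metadata (the same shape a
  # packet Decoder already produces), drop the raw log body before export.
  # "raw_log" is an ASSUMED field name; use the field the connector emits.
  if [raw_log] {
    mutate { remove_field => [ "raw_log" ] }
  }
}

output {
  # Standard Logstash output plugin; broker address and topic are constructed
  # sample values for this example.
  kafka {
    bootstrap_servers => "kafka.example.internal:9092"
    topic_id => "netwitness-events"
    codec => json
  }
}
```

Fields under `[@metadata]` are available to filters and outputs but are not serialized into the JSON that reaches Kafka, so the tag does not change the exported record.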