Specify UNC (Universal Naming Convention) Paths

During configuration of a Log File Policy, you can specify the log file path. You can set one or more paths to be used by the agent to locate the log files. The path can be a standard Windows pathname (such as C:\Program Files\Apache\error_logs\logfile.log) or a UNC (Universal Naming Convention) pathname (\\host-name\share-name\file-path). This topic describes how to specify a UNC path.

Secure the UNC Path Location

When you use a UNC path to collect log data on a remote system, make sure that you secure the UNC path location. One solution that works with minimal risk in a Windows domain environment is to do the following:

  1. On the computer that holds the log data, create a share on a directory that contains the log data in isolation.
  2. Name the share something like LOGDATA$. (You can hide a share from curious browsers by adding a "$" to the end of the share name.)
  3. Remove all the default share permissions except local admin, so that the share can still be changed.
  4. Add a share permission for the agent computer system. This allows any user on the agent system to access the shared location. On the agent system collecting the remote log data, nothing else should be required to properly collect the log data from the UNC path.

Note: You may not be able to view the UNC directory contents from File Explorer. Seek advice from your IT or security group for additional guidance on setting up and securing a UNC directory share.

The following procedures describe how to share a folder between machines in a domain and between machines in a Workgroup.

Share a folder between machines in a domain

This procedure describes how to share a folder between Windows machines that are both in the same domain.

  1. Log on to a Domain member machine that contains the logs folder you want to collect using an agent.
  2. Right-click the folder you want to share with the agent for log collection (SHARE$ in this example), and click Properties.

  3. Click Advanced Sharing, select Share this folder, and then click Permissions.

  4. Click Add, and then in the next window click Object Types, check Computers, and click OK.

  5. Search for the Agent computer name and click OK.

  6. In the Permissions screen, provide Read permission to the agent, click Apply, and then click OK.

  7. Remove Everyone from the Share Permissions list.

  8. Verify that the SHARE$ folder status is now correct, and note the network path so that you can enter it later, when you configure the policy that will use this shared folder.
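
The share setup described above (a hidden share, Read permission for the agent computer, Everyone removed) can also be scripted and checked. The following PowerShell is an added example, not part of the original procedure; it uses the SmbShare cmdlets from an elevated session on the machine that holds the logs, and the folder path, domain name and agent computer name are assumed placeholders.

```powershell
# Added example. All values below are assumptions; replace them with your own.
$ShareName = 'LOGDATA$'                  # trailing "$" hides the share from browsing
$LogDir    = 'D:\Logs\App'               # hypothetical directory that holds only log data
$Agent     = 'EXAMPLE\AGENTHOST$'        # hypothetical agent computer account (DOMAIN\NAME$)
$Admins    = 'BUILTIN\Administrators'    # local admin keeps control of the share

# Create the share with explicit entries: Full for local admin, Read for the agent.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogDir `
        -FullAccess $Admins -ReadAccess $Agent | Out-Null
}

# Remove Everyone if it is present (for example, on a share that already existed).
$acl = Get-SmbShareAccess -Name $ShareName
if ($acl.AccountName -contains 'Everyone') {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
}

# Verify: only the expected accounts are allowed, and the agent has Read and nothing more.
$acl        = Get-SmbShareAccess -Name $ShareName
$unexpected = $acl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccountName -notin @($Admins, $Agent)
}
$agentEntry = $acl | Where-Object { $_.AccountName -eq $Agent }

if ($unexpected) {
    Write-Warning ("Unexpected share permissions: " +
        (($unexpected | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join ', '))
}
if (-not $agentEntry -or "$($agentEntry.AccessRight)" -ne 'Read') {
    Write-Warning "Agent account $Agent does not have exactly Read on $ShareName"
}

# Network path to enter later in the Log File Policy.
"\\$env:COMPUTERNAME\$ShareName"
```

Rerunning the verification part on a schedule shows when someone has added an account to the share permissions after the initial setup.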

Share a folder between machines in a Workgroup

This procedure describes how to share a folder between Windows machines that are both in the same Workgroup.

  1. Log on to a workgroup machine that contains the logs folder you want to collect using an agent.
  2. Create a non-admin user for log collection: Reader in this example.

  3. Right-click the folder you want to share with the agent for log collection (SHARE$ in this example), and click Properties.
  4. Click the Sharing tab, then click Share.

  5. Choose the newly-created user and click Add.

  6. Select the Read permission and click Share.

  7. Log on to the Agent to add credentials, so that the system can read logs from the shared folder.

    1. Download the psexec tool from the Microsoft web site.
    2. Run the following command:

      psexec -i -s cmd.exe

      A new command window opens, running as system.

    3. In the command window, run the following command to cache credentials for the newly-created user, so that the agent can access logs on the shared folder from a workgroup machine:

      net use \\<hostname of machine with logs>\Share$

      For example:

      net use \\WGWINAGENT2\Share$

    4. Provide the username and password for the non-admin user created earlier (in step 2).

    This command adds credentials to read logs from the shared folder on the workgroup machine.