NetWitness Legacy Windows Collection Update & Installation Instructions
NetWitness Legacy Windows collection collects event data from multiple Windows Event Source domains.
It supports collection from:
- Windows 2003 and earlier event sources
- NetApp ONTAP host evt files
IMPORTANT: This document is applicable only for upgrades to versions 12.5.1 and above. For versions 12.5 and below, please refer to the Windows Legacy Collection Guide for 12.5.
This document contains the following sections:
- Setup Requirements
- Update the NetWitness Legacy Windows Collector to 12.5.x
- Fresh Install 12.5.x Legacy Windows Collector
- Configure the Windows Server
- Change the Windows Legacy Collector IP Address
- Troubleshoot a Fresh or Upgrade Install
- (Optional) Backup and Restore Legacy Windows Collector
- Add a Windows Legacy Collector Host and Service in NetWitness Platform
Setup Requirements
This section provides the NetWitness Legacy Windows Collector Setup requirements.
To set up the NetWitness® Platform Legacy Windows Collector, you need:
- Any of the following physical or virtual systems that can access the desired event source domains for collection:
  - Windows 2012 Server, or
  - Windows 2016 Server, or
  - Windows 2019 Server, or
  - Windows 2022 Server
- A minimum of 20% free disk space. For example, you need at least 20 GB of free space if your system drive is 100 GB in size.
IMPORTANT: Do not install the Legacy Windows Collector on a domain controller.
Update the NetWitness Legacy Windows Collector to 12.5.x
To update the NetWitness Legacy Windows Collector to 12.5.x on a Windows 64-Bit server:
Note: These instructions are applicable only for upgrades to versions 12.5.1 and above.
- Navigate to NetWitness Platform 12.5.1 Upgrade Guide and click NetWitness Platform 12.5.1 Legacy Windows Collector to download the ZIP archive.
- Unzip the downloaded file.
- Log on to a Windows 2012, 2016, 2019 or 2022 Server.
- Copy NWLegacyWindowsCollector-version-number.exe to the Windows Server.
- Right click on NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.
- Click OK to continue installing the update.
- Click Install.
The Installation screens for the Legacy Windows Collector page are displayed.
- Click Next.
The Installation Completed page is displayed.
- Click Finish.
- Add or reconfigure the Windows Legacy Collector Host and Service in NetWitness Platform. For details on adding or reconfiguring the Windows Legacy Collector Host and Service in NetWitness Platform, refer to Add or Reconfigure a Windows Legacy Collector Host and Service in NetWitness Platform.
- Reboot the machine.
This completes the update of the NetWitness Legacy Windows Collector to 12.5.x.
Fresh Install 12.5.x Legacy Windows Collector
This section describes how to install the 12.5.x Legacy Windows Collector on a Windows 2012, 2016, 2019 or 2022 64-Bit server.
To install the NetWitness Legacy Windows Collector on a Windows 2012, 2016, 2019, or 2022 64-Bit server:
Note: These instructions are applicable only for NetWitness Platform versions 12.5.1 and above.
- Navigate to NetWitness Platform 12.5.1 Upgrade Guide and click NetWitness Platform 12.5.1 Legacy Windows Collector to download the ZIP archive.
- Unzip the downloaded file.
- Copy the NWLegacyWindowsCollector-version-number.exe to the Windows Server.
- Right click on the NWLegacyWindowsCollector-version-number.exe and select Run As Administrator.
The Welcome page of the installation wizard is displayed.
- Click Next.
The License Agreement page is displayed.
- Read the License Agreement carefully, select the I accept the terms in the license agreement radio button, and click Next.
The Ready to Install the Program page is displayed.
- Click Install.
The Installation screens for the Legacy Windows Collector page are displayed.
The Installation Completed page is displayed.
- Click Finish.
- Reboot the machine.
This completes the installation of the 12.5.x Legacy Windows Collector. Please refer to the Windows Legacy and NetApp Collection Configuration Guide on NetWitness Community for instructions on how to configure Legacy Windows collection in NetWitness.
Configure the Windows Server
For NetWitness to communicate with the Windows Server, you must allow Remote Event Log Management on the Windows Server.
- On the Windows Server, in Services, start the Remote Registry service.
- In Windows Firewall, enable Remote Event Log Management for your network, as shown below.
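The two steps above as a script, added here as an example and not part of the NetWitness guide. It assumes the collector's address is 10.0.0.50 (a placeholder) and narrows the built-in Remote Event Log Management rule group to that address instead of opening it to every host on the network:

```powershell
# Added example, not from the NetWitness guide. Prepares a Windows Server for
# Legacy Windows collection: starts Remote Registry and enables the built-in
# "Remote Event Log Management" firewall rule group, scoped to the collector.
# $CollectorAddress is a placeholder; replace it with your WLC's IP address.
$CollectorAddress = '10.0.0.50'

# 1. Remote Registry must be running (and survive reboots) for remote event log access.
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry
$svc = Get-Service -Name RemoteRegistry
if ($svc.Status -ne 'Running') {
    throw "RemoteRegistry service is $($svc.Status), expected Running"
}

# 2. Enable the inbound rule group, then restrict its remote endpoint to the
#    collector so the RPC and SMB listeners it opens are reachable only from there.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound
if (-not $rules) { throw "Rule group 'Remote Event Log Management' not found" }
$rules | Enable-NetFirewallRule
$rules | Set-NetFirewallRule -RemoteAddress $CollectorAddress

# 3. Verify: re-read the rules; each should be enabled and scoped to the collector only.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($filter.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Windows Server; the final table is the check that no rule in the group is still open to "Any".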
Add a Windows Legacy Collector Host and Service in NetWitness Platform
For this version of the Windows Legacy Collector, NetWitness has provided a script that replaces the manual steps of adding a Windows Legacy Collector host and service in the NetWitness UI.
To create a Windows Legacy Collector Host and Service in NetWitness:
- SSH to your NetWitness server.
- Run the following command:
wlc-cli-client --host-display-name hostDisplayName --service-display-name serviceDisplayName --host WLChostIPAddress --port 50101 --use-ssl false
The parameters are explained below:
- --host-display-name: the name for the host as it is displayed in the NetWitness Hosts page
- --service-display-name: the name for the service as it is displayed in the NetWitness Services page
- --host: the IP address for the Windows Legacy Collector
- --port: the port NetWitness uses to communicate with the Windows Legacy Collector. The recommended value is 50101.
- You will be prompted to supply the following information:
  - Windows Log Collector REST Username and Windows Log Collector REST Password: you must supply admin credentials for the Windows Legacy Collector.
  - Security Server Username and Security Server Password: you must supply admin credentials for NetWitness.
After you complete this procedure, you should see the Windows Legacy Collector Host and Service as shown in the following screenshots.
Troubleshoot a Fresh or Upgrade Install
Logs to Examine for Information
Refer to the following log files if you need to troubleshoot problems:
- %systemDrive%\NetWitness\ng\logcollector\MessageBroker.log
- %systemDrive%\Program Files\NwLogCollector\installlog.txt
Run C:\Program Files\NwLogCollector\ziplogfiles.vbs to generate hostname_WLCversion_timestamp.zip, which contains all the log files and other information needed for troubleshooting.
Issues with the Lockbox
When you create a lockbox password on a new Windows Legacy Collector, you might see the following error:
failed to set secure storage password: failed to create lockbox: The Lockbox or cryptography library could not be found.
This can occur if you are running Windows Legacy Collector version 11.x.
If you encounter this issue, download and install both of the following redistributable packages:
- Visual C++ 2010: https://www.microsoft.com/en-us/download/details.aspx?id=14632
- Visual C++ 2012: https://www.microsoft.com/en-us/download/details.aspx?id=30679
SA Fails to Connect to WLC Showing RED in SA -> Hosts Page
This can occur during a mixed-mode upgrade. If you encounter this issue, follow these steps.
- Copy /etc/pki/nw/carlos/rsa-nw-sa-server-cert.pem from the SA node to the WLC node using the WLC's REST interface at http://<wlc-ip>:50101/sys/trustpeer.
- Restart the WLC node, and then restart the Jetty service from the SA node.
New WLCs Offline on the User Interface
Follow these steps to troubleshoot and resolve the issue of new WLCs appearing offline on the UI.
- Add the certificates to Trustpeer through the REST interface of the WLC by following these steps:
  - Open your web browser and navigate to https://<WLC IP>:50101 to log in to the WLC's REST page.
  - Click Sys to access the Sys page.
  - Go to /Sys/trustpeer to navigate to Trustpeer.
- Add the Admin Server Certificate by following these steps:
  - Click Add.
  - Open the Admin Server's /etc/pki/nw/peer/sa-server/<UUID>.pem file.
  - Copy the contents of this file.
  - Paste the copied content into the text box on the WLC's sys/trustpeer REST page.
  - Click Upload.
- Add the Admin Certificate by following these steps:
  - Repeat the steps given under 'Add Admin Server Certificate' for the /etc/pki/nw/peer/admin-cert.pem file.
  - Copy the contents of this file.
  - Paste the copied content into the text box on the WLC's sys/caupload REST page.
  - Click Upload.
- Restart the following services to apply the changes:
  - NwLogcollector
  - NwStatCollector
  - RabbitMQ
- Check the UI to ensure the new WLCs are now online.
- Verify that the certificates have been added correctly and that the services are operational.
(Optional) Change the Windows Legacy Collector IP Address
Note: The procedures in this section apply to NetWitness 12.3 and later only.
On occasion, you may need to change the IP address of your Windows Legacy Collector. You may also need to edit any Destination Groups that you have configured.
The following procedure describes how to change the IP address for your system.
- Log onto the Windows Legacy Collector system and manually change the IP address on the system.
- In the UI, confirm that the Log Collector service corresponding to the WLC system shows up in error (Red). It might take some time for it to reflect the changed status.
- On the NetWitness Server, use the nw-manage utility to view the host information for the WLC using the following command:
nw-manage --list-hosts
Sample output from running the command is shown here:
[ {
  "id" : "fdb8150c-e040-459e-8cc5-3c60ec2c65ae",
  "displayName" : "WLC-HOST-104",
  "hostname" : "10.101.216.102",
  "ipv4" : "10.101.216.102",
  "ipv4Public" : null
} ]
You use the value of "id" from your output in the following step.
- Use the nw-manage utility to change the IP address of the WLC. For the host-id argument, use the value of "id" that you noted in the previous step. For the ipv4 value, use the new IP address to which you are changing.
nw-manage --update-host --host-id "fdb8150c-e040-459e-8cc5-3c60ec2c65ae" --ipv4 10.101.216.105
- After you see the message that the previous command ran successfully, go to the NetWitness Server UI and verify that the WLC service is running without any errors.
Edit Destination Groups For Log Collectors and VLCs
The Windows Legacy Collector is often configured with Destination Groups to forward events to Log Collectors or Virtual Log Collectors. If the IP address of any such Destination LC or VLC is changed, the Windows Legacy Collector can no longer forward events. To remediate this, you must edit the Destination groups for the WLC, making sure to select the new LC or VLC IP Address.
(Optional) Backup and Restore Legacy Windows Collector
This section describes how to back up and restore the NetWitness Legacy Windows Collector configuration when you upgrade.
Note: You only need to do this if you are changing the Windows VM where you run the Windows Legacy Collector.
During upgrade, the backup script for the Windows Legacy Collector is invoked automatically and creates the configuration and run-time backups. After the installation is completed, run the Restore script to restore the configuration and run-time files for the updated Windows Legacy Collection.
Restore the Windows Legacy Collection Backup after Upgrade
To restore the Windows Legacy Collection setup on a newly upgraded NetWitness 11 platform:
- On the Windows Legacy Collector, open a command prompt window.
- Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.
- Run the following commands to restore a backup:
  - Restore configuration files: WLC-Restore.bat "Config-bkup_timestamp.zip"
  - Restore run-time files: WLC-Restore.bat "Runtime-bkup_timestamp.zip"
- Once the restore is completed, set the lockbox SSV to use the password that you created during 10.6.4 setup.
  - In the Security Analytics menu, select Services, then select your Windows Legacy Collector and choose Explore.
  - From the left navigation pane, expand logcollection > properties > crypto.
  - Run the following command: op=setssv pw=password_for_<version no.>_lockbox, and click Send.
Revert Windows Legacy Collection from 12.5.x Back to Previous Version
To revert the Windows Legacy Collection setup from 12.5.x back to previous version:
- Uninstall the 12.5.x Setup. Note the location of the backup folder created by the system during the uninstall procedure.
- Install the latest version of the Windows Legacy Collector.
- Navigate to C:\Program Files\NwLogCollector, where the scripts are stored.
- Run the Restore script from the backup folder present in C:\Program Files\NwLogCollector to restore the configuration and run-time setup on the Windows Legacy Collector.
  - Restore configuration files: WLC-Restore.bat "Config-bkup_timestamp.zip"
  - Restore run-time files: WLC-Restore.bat "Runtime-bkup_timestamp.zip"
- Once the restore is completed, set the lockbox SSV to use the password that you created during 10.6.4 setup.
  - In the Security Analytics menu, select Services, then select your Windows Legacy Collector and choose Explore.
  - From the left navigation pane, expand logcollection > properties > crypto.
  - Run the following command: op=setssv pw=password_for_<version no.>_lockbox, and click Send. (Replace <version no.> with the previous version number.)