This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Platform Threat Intelligence Documentation
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Products
- NetWitness Platform
- Documentation
- Threat Intelligence
- Documentation
- Configure Windows Collection
Product Resources
Configure Windows Collection
Configure Windows Collection
Windows Collection in NetWitness® Platform
NetWitness Platform provides several ways to collect logs from Microsoft Windows machines. Each method has advantages and disadvantages, as well as different methods of configuration.
Basically, NetWitness Platform provides the following ways to collect Windows logs:
- Windows Remote Management (WinRM): RSA provides a Powershell script, winrmconfig, that you can use to automate much of the configuration process.
- Intersect Alliance Snare Agent: a third-party software tool that can collect audit log data from Windows
- Adiscon EventReporter: third-party software that provides centralized monitoring and reporting for Windows event log records
- NetWitness Endpoint Agent for Windows: you can install Endpoint Agents on each of your Windows machines, which can monitor the behavior of all Windows endpoints in your network.
- Windows Legacy: the legacy collector is used to collect Windows logs from Windows Servers up to 2003.
The following table describes details for each option: use these details to help determine how you choose to collect Windows Logs in your environment.
| Method | Requires installing an agent | Uses Encrypted Transport | Method of transport | Provided by RSA | Ability to process local files in addition to Windows Event Logs | Requires payment | Custom event logs | Notes |
|---|---|---|---|---|---|---|---|---|
| NWE Agent | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | Yes | Yes | No | Yes | Host Telemetry Data is also collected |
| WinRM | No | Yes | HTTP/HTTPS | Yes | No | No | Yes | |
| Snare | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | Yes | Yes |
Snare was free for a long period. After they began to charge, NXLog stepped in and now integrates very similarly with NetWitness. |
| NXLog | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | No Cost for basic functionality | Yes | |
| Event Reporter | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | Yes | Yes | |
| Legacy Collector | Not on Target Machines | Uses Encrypted Transport | WMI/SMB | Yes | No | No | Yes, Limited |
For the details on how to configure and collect logs using each of these methods, please see the individual guide for that method:
- WinRM Configuration: https://community.netwitness.com/t5/netwitness-platform-integrations/microsoft-winrm-configuration-guide/ta-p/565370
- Snare Agent: https://community.netwitness.com/t5/netwitness-platform-integrations/microsoft-windows-using-adison-event-reporter-or-intersect/ta-p/565982
- NXLog: https://community.netwitness.com/t5/netwitness-platform-integrations/nxlog-enterprise-rsa-netwitness-cef-implementation-guide/ta-p/558769
- Event Reporter: https://community.netwitness.com/t5/netwitness-platform-integrations/microsoft-windows-using-adison-event-reporter-or-intersect/ta-p/565982
- Endpoint Agent: https://community.netwitness.com/t5/netwitness-platform-integrations/microsoft-windows-via-rsa-netwitness-endpoint/ta-p/564851
- Windows Legacy: https://community.netwitness.com/t5/netwitness-platform-integrations/microsoft-windows-legacy/ta-p/542180
100% helpful
(2/2)
