This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Blog
  • Bulk Operations - Windows Legacy Cleanup

Bulk Operations - Windows Legacy Cleanup

EricPartington
Employee EricPartington
Employee
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Email to a Friend
  • Printer Friendly Page
  • Report Inappropriate Content
‎2016-11-11 06:05 AM

Still got Windows Legacy collectors kicking around collecting logs ? 

Moving gradually to less systems being collected from that service and moving to WinRM and other windows log collections ? 

How do you remove entries in bulk from the windows legacy collector ?

 

  1. Once you are logged into RSA NW locate the Windows Legacy collector > Config > Event Sources > <DomainToRemoveFrom>
  2. Select the "all" checkbox to capture all hosts and click Export Source so you have a backup of the configuration before continuing.

  1. Determine the  list of the Hosts to remove from the configuration on that WLC and that Domain.
  2. There are a number of ways to perform bulk operations from the command line but today let's use the curl method.
  3. The basic method of using Curl (to test) is to modify the following line to suit your environment to test the login method and port connectivity
    1. curl -v -k -u <USERNAME>:<PASSWORD> "http://<WLCSERVERIP/WLCDOMAINNAME>:50101/logcollection/windowslegacy/eventsources/windows/<DOMAIN>?msg=ls&force-content-type=text/plain&expiry=600"
    2. This will print the output of the hosts for the DOMAIN entry on that WLC to verify that you have the right username/permissions and domain to perform the delete later on
  4. If that tests out good now you can create a shell script with one entry for each host you want to delete from the domain and WLC.
    1. curl -v -k -u <USERNAME>:<PASSWORD>"http://<WLCSERVERIP/WLCDOMAINNAME>:50101/logcollection/windowslegacy/eventsources/windows/<DOMAIN>?msg=delete&force-content-type=text/plain&expiry=600&name=<EVENTSOURCENAMETODELETE>
  5. You can use excel to create a template for the delete structure and concat columns togther to create the output (one per line).
  6. Save the output as a .sh (shell script)
  7. Move to a linux box / SA/ NW appliance to run
  8. Make executable and run
  9. Output will be 200 Ok for successful deletion (< HTTP/1.1 200 OK)

 

  • bulk
  • Collector
  • Configuration
  • delete
  • legacy
  • Logs
  • NetWitness
  • NW
  • NWP
  • rsa
  • RSA NetWitness
  • RSA NetWitness Platform
  • Windows
1 Like
Share

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • Agent Tesla: The Information Stealer
  • Threat Analysis: Detecting “Follina” (CVE-2022-30190) RCE Vulnerability with Netwitness Endpoint
  • Introducing NetWitness Vision XDR
  • Introducing NetWitness Platform XDR v12.0
  • Atlassian Confluence Zero-day Vulnerability (0-Zero) CVE-2022-26134: What You Need To Know
  • ‘Follina’ CVE-2022-30190 0-Day: What You Need To Know
  • CVE-2022-1388: BIG-IP iControl REST RCE Vulnerability
  • Ragnar Locker Ransomware: The Rampage Continues…
  • Ransomware Email Attacks: Beware of BazarLoader
  • Detecting Impacket with Netwitness Endpoint
Labels
  • Announcements 54
  • Events 2
  • Features 9
  • Integrations 6
  • Resources 57
  • Tutorials 21
  • Use Cases 21
  • Videos 116
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.