
Configure Windows Collection

Windows Collection in NetWitness® Platform

NetWitness Platform provides several ways to collect logs from Microsoft Windows machines. Each method has its own advantages and disadvantages and is configured differently.

NetWitness Platform provides the following ways to collect Windows logs:

  • Windows Remote Management (WinRM): RSA provides a PowerShell script, winrmconfig, that you can use to automate much of the configuration process.
  • Intersect Alliance Snare Agent: a third-party software tool that can collect audit log data from Windows.
  • Adiscon EventReporter: third-party software that provides centralized monitoring and reporting for Windows event log records.
  • NetWitness Endpoint Agent for Windows: you can install Endpoint Agents on each of your Windows machines to monitor the behavior of all Windows endpoints in your network.
  • Windows Legacy: the legacy collector is used to collect Windows logs from Windows Servers up to 2003.

The following table summarizes each option; use it to decide how to collect Windows logs in your environment.

| Method | Requires installing an agent | Uses encrypted transport | Method of transport | Provided by RSA | Can process local files in addition to Windows Event Logs | Requires payment | Custom event logs | Notes |
|---|---|---|---|---|---|---|---|---|
| NWE Agent | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | Yes | Yes | No | Yes | Host telemetry data is also collected |
| WinRM | No | Yes | HTTP/HTTPS | Yes | No | No | Yes | |
| Snare | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | Yes | Yes | Snare was free for a long period. After they began to charge, NXLog stepped in and now integrates very similarly with NetWitness. |
| NXLog | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | No cost for basic functionality | Yes | |
| Event Reporter | Yes | Configurable to use TLS Syslog | Syslog/TLS Syslog | No | Yes | Yes | Yes | |
| Legacy Collector | Not on target machines | Uses Encrypted Transport | WMI/SMB | Yes | No | No | Yes, limited | |
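The WinRM row above only delivers encrypted transport if the target host is actually configured with an HTTPS listener and no plaintext fallback. The following PowerShell audit is an added example (not part of this documentation or of RSA's winrmconfig script) that reads the host's WinRM configuration and reports any setting that would undermine that property; the function name is a made-up one for illustration.

```powershell
# Added example, not from the NetWitness documentation or the winrmconfig script.
# Read-only audit of a Windows host's WinRM configuration: confirms that an enabled
# HTTPS listener with a bound certificate exists and that no plaintext or weak-auth
# fallback is enabled. Run in an elevated PowerShell session on the host being audited.

function Test-WinRMCollectionTransport {
    # Both resource URIs are standard WSMan configuration nodes.
    $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
    $service   = Get-WSManInstance -ResourceURI winrm/config/service

    $findings = New-Object System.Collections.Generic.List[string]

    # An enabled HTTPS listener is required for the collector to use TLS at all.
    $https = $listeners | Where-Object { $_.Transport -eq 'HTTPS' -and $_.Enabled -eq 'true' }
    if (-not $https) {
        $findings.Add('No enabled HTTPS listener: the collector cannot use encrypted transport')
    }
    foreach ($l in $https) {
        if ([string]::IsNullOrEmpty($l.CertificateThumbprint)) {
            $findings.Add("HTTPS listener on $($l.Address):$($l.Port) has no certificate bound")
        }
    }

    # A plaintext HTTP listener left enabled is a fallback path the collector could end up using.
    foreach ($l in ($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Enabled -eq 'true' })) {
        $findings.Add("Plaintext HTTP listener enabled on $($l.Address):$($l.Port); disable or restrict it")
    }

    # Service-level settings that weaken the channel even when HTTPS is present.
    if ($service.AllowUnencrypted -eq 'true') {
        $findings.Add('AllowUnencrypted is true: unencrypted message bodies are permitted')
    }
    if ($service.Auth.Basic -eq 'true') {
        $findings.Add('Basic authentication is enabled; prefer Kerberos/Negotiate for the collector account')
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Secure   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-WinRMCollectionTransport | Format-List
```

Run it on each collection target after winrmconfig has been applied; a result with Secure = True means the host matches the table's "Uses encrypted transport: Yes" claim.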

For the details on how to configure and collect logs using each of these methods, please see the individual guide for that method: