
Configure Windows Legacy and NetApp Event Sources in RSA NetWitness


This topic tells you how to configure Windows Legacy event sources in NetWitness.

The Windows Legacy collection protocol collects event data from Windows 2003 or earlier event sources, and from NetApp event sources.

Prerequisites

Before you configure a Windows Legacy event source, make sure that you have:

  1. Installed the NetWitness Windows Legacy Remote Collector on a physical or virtual Windows 2008 64-bit server.
  2. Added this Windows Legacy Remote Collector to NetWitness.

Add a Windows Legacy Event Source

  1. Access the Services view by selecting (Admin) > Services from the NetWitness menu.
  2. In the Services grid, select a Windows Legacy Log Decoder service.
  3. Under Actions, select the actions icon > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.
  5. In the Event Sources tab, select one of the following options from the drop-down menu.

    • Windows Legacy/Windows.
    • Windows Legacy/NetApp.
  6. Configure the alias:

    1. Click the add icon in the Event Categories panel toolbar.

      The Add Source dialog is displayed.

    2. Specify values for the parameters and click OK.


      Note: By default, Remote Registry Initialization is selected. For details, see Remote Registry Access below.

      The newly added Windows event source type is displayed in the Event Categories panel.

  7. Add the event source:

    1. Select the new alias in the Event Categories panel and click the add icon in the Source panel toolbar.

      The Add Source dialog is displayed.

    2. Specify values for the event source parameters and click OK.


      For details, see Windows Legacy Configuration Parameters below.

      The newly added Windows event source is displayed in the Event Categories panel.


Remote Registry Access

The Windows Legacy Collector performs an initial verification of the event source before collecting data. By default, the Windows Legacy Collector uses the Windows Management Instrumentation (WMI) method for this initial verification. If you enable the remote registry access method, the Windows Legacy Collector instead performs a remote registry query to verify the event source.
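As an added example that is not part of the NetWitness documentation, the following PowerShell script checks from the Windows Legacy Remote Collector host whether an event source will pass either verification method described above (WMI by default, or the Remote Registry service when remote registry access is enabled) and whether its Security log can be read remotely at all. The `$EventSource` parameter is an assumed placeholder for the event source host name; the cmdlets used are the legacy RPC/DCOM-based ones that match Windows 2003-era sources.

```powershell
# Added example (not from the NetWitness documentation): pre-flight check of a
# Windows event source before adding it to the Windows Legacy Collector.
# Run from the Windows Legacy Remote Collector host under an account that has
# rights on the event source. $EventSource is an assumed placeholder host name.
param(
    [Parameter(Mandatory = $true)][string]$EventSource
)

$result = [ordered]@{ Host = $EventSource; Wmi = $false; RemoteRegistry = $false; SecurityLog = $false }

# Default verification method: a WMI query against the event source.
# Get-WmiObject uses DCOM/RPC, the same transport a Windows 2003-era host exposes.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $EventSource -ErrorAction Stop
    $result.Wmi = ($null -ne $os)
    $result.OSCaption = $os.Caption
} catch {
    $result.WmiError = $_.Exception.Message
}

# Alternative verification method: the Remote Registry service must be running
# on the event source for the collector's remote registry query to succeed.
try {
    $svc = Get-Service -Name RemoteRegistry -ComputerName $EventSource -ErrorAction Stop
    $result.RemoteRegistry = ($svc.Status -eq 'Running')
    $result.RemoteRegistryStatus = $svc.Status.ToString()
} catch {
    $result.RemoteRegistryError = $_.Exception.Message
}

# Collection itself reads the classic event logs over RPC; reading one record
# from the Security log confirms both reachability and log-read rights.
try {
    $evt = Get-EventLog -LogName Security -ComputerName $EventSource -Newest 1 -ErrorAction Stop
    $result.SecurityLog = ($null -ne $evt)
    $result.NewestSecurityEvent = $evt.TimeGenerated
} catch {
    $result.SecurityLogError = $_.Exception.Message
}

[pscustomobject]$result
```

A host that reports `Wmi = False` with an RPC error usually means the firewall or the Windows Management Instrumentation service on the source blocks DCOM, while `RemoteRegistry = False` with no error means the service is installed but stopped or disabled.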

Configure Push or Pull between Log Collector and Windows Legacy Collector

You can configure the Windows Legacy Collector to push event data to a Local Collector, or you can configure a Local Collector to pull event data from the Windows Legacy Collector.

To configure a Local Collector or the Windows Legacy Collector:

  1. Go to (Admin) > Services.
  2. Select a Local Collector or the Windows Legacy Collection service.
  3. Under Actions, select the actions icon > View > Config to display the Log Collection configuration parameter tabs.
  4. Depending on your selection in step 2:

    • If you selected a Local Collector, the Remote Collectors tab is displayed. Select the Windows Legacy Collector from which the Local Collector pulls events in this tab.
    • If you selected a Windows Legacy Collector, the Local Collectors are displayed. Select the Local Collectors to which the Windows Legacy Collector pushes events in this tab.

Windows Legacy Configuration Parameters

The following table describes the basic parameters for a Windows Legacy event source.

Note: Required parameters are marked with an asterisk. All other parameters are optional.

The following table describes the advanced parameters for a Windows Legacy event source.