How to remove Log Collector hosts through the REST API

Issue

In the example below, we are using the file collection type and want to remove the nw_test event source.

The file configuration is found in the NetWitness UI under Admin -> Services -> Log Collector -> Config -> Event Sources -> File.
The removal can be done from the UI as well as through the REST API, as explained below.

Tasks

Overview: To remove event source 2k8r2-dc1.2k8r2-vcloud.local from the DC3 event category:

1.  Enter the IP address of the log collector and port 50101 in the URL field of your browser:

Then select, in this order, ‘logcollection -> windows -> eventsources’ until you arrive at the page that has the event category noted in the screenshot from the SA UI, in this case ‘DC3’.

2.  The arrow in the following image points to the asterisk (*) next to the event category name.

  • Click on the asterisk and it will open the following property window of the event category:
 
3.  Select ‘ls’ from the drop-down window and click the button ‘Send’

4.  Copy the host name from the Output window:

5.  Select ‘delete’ in the drop-down box, and enter the following parameter as noted in the screenshot for this specific host that needs to be removed:
name=2k8r2-dc1_2k8r2-vcloud_local

6.  If you need to remove all of the event sources from this event category, use the following parameter:
name=_ALL_

When finished, go back to the SA UI. You will see that the event category DC3 is still intact but the event source has been removed.

If you do not see ‘success’ in the Output field after sending the ‘delete’ instruction, please contact RSA Support for assistance.
 

Resolution

Through the REST API, a number of configurations can be modified.  In this circumstance, specific event sources were removed from an event category by using the host name of the event sources.

The steps below cover removal of the event sources from a Log Collector using the REST API:

- Go to the Log Collector REST API: <log-collector-IP>:50101/logcollection/<collection-type>/eventsources

- For the File collection type, go to <log-collector-IP>:50101/logcollection/file/eventsources


To remove event source nw_test from the acf2tvm event category, click on (*) next to acf2tvm to display the options and choose delete.
Then enter the name of the config to delete, in our case nw_test.

Note: This process can also be done in Explore following the same directions if REST access is unavailable.
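
The two removals described above (the Windows host in DC3 and nw_test in acf2tvm), as an added example that is not part of the original article or NetWitness code: it checks the target against the names copied from the `ls` output, blocks `_ALL_` unless explicitly allowed, and builds the request URL. The query-string form `?msg=delete&name=...`, the plain-http scheme, the function names and the 192.0.2.10 address are assumptions.

```python
from urllib.parse import quote, urlencode

REST_PORT = 50101   # Log Collector REST port given in the article
WILDCARD = "_ALL_"  # removes every event source in the category


def node_name(host):
    """Map a host name to its node name. The article's example turns
    2k8r2-dc1.2k8r2-vcloud.local into 2k8r2-dc1_2k8r2-vcloud_local."""
    return host.strip().replace(".", "_")


def plan_delete(collector, collection, category, target, listed, allow_all=False):
    """Return the delete URL, or raise if the request looks unsafe.

    listed: names copied from the Output window after sending 'ls'.
    """
    if target == WILDCARD:
        if not allow_all:
            raise ValueError("_ALL_ empties the whole category; pass allow_all=True")
        name = WILDCARD
    else:
        name = node_name(target)
        if name not in {n.strip() for n in listed}:
            raise LookupError(f"{name!r} not in 'ls' output for {category}")
    parts = ("logcollection", collection, "eventsources", category)
    path = "/".join(quote(p, safe="") for p in parts)
    # Assumption: query-string form of the 'delete' message and its parameter.
    query = urlencode({"msg": "delete", "name": name})
    # Assumption: plain http; use https if the service has SSL enabled.
    return f"http://{collector}:{REST_PORT}/{path}?{query}"


def succeeded(output):
    """The article treats 'success' in the Output field as confirmation."""
    return "success" in output.lower()


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    print(plan_delete("192.0.2.10", "windows", "DC3",
                      "2k8r2-dc1.2k8r2-vcloud.local",
                      ["2k8r2-dc1_2k8r2-vcloud_local"]))
    print(plan_delete("192.0.2.10", "file", "acf2tvm", "nw_test", ["nw_test"]))
```
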


Product Details

NetWitness Product Set: NetWitness Logs and Network
NetWitness Product/Service Type: NetWitness Log Collector
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS, AlmaLinux

Summary

The following steps will allow you to remove event sources from an 11.x or 12.x Log Collector using the REST API.

