Configure Windows Collection

Document created by RSA Information Design and Development Employee on Sep 18, 2019Last modified by RSA Product Team on Jul 21, 2020
Version 41Show Document
  • View in full screen mode

Windows Collection in RSA NetWitness® Platform

NetWitness Platform provides several ways to collect logs from Microsoft Windows machines. Each method has advantages and disadvantages, as well as different methods of configuration.

Basically, NetWitness Platform provides the following ways to collect Windows logs:

  • Windows Remote Management (WinRM): RSA provides a Powershell script, winrmconfig, that you can use to automate much of the configuration process.
  • Intersect Alliance Snare Agent: a third-party software tool that can collect audit log data from Windows
  • Adiscon EventReporter: third-party software that provides centralized monitoring and reporting for Windows event log records
  • NetWitness Endpoint Agent for Windows: you can install Endpoint Agents on each of your Windows machines, which can monitor the behavior of all Windows endpoints in your network.
  • Windows Legacy: the legacy collector is used to collect Windows logs from Windows Servers up to 2003.

The following table describes details for each option: use these details to help determine how you choose to collect Windows Logs in your environment.

MethodRequires installing an agentUses Encrypted TransportMethod of transportProvided by RSAAbility to process local files in addition to Windows Event LogsRequires paymentCustom event logsNotes
NWE AgentYesConfigurable to use TLS SyslogSyslog/TLS SyslogYesYesNoYesHost Telemetry Data is also collected
SnareYesConfigurable to use TLS SyslogSyslog/TLS SyslogNoYesYesYes

Snare was free for a long period. After they began to charge, NXLog stepped in and now integrates very similarly with NetWitness.

NXLogYesConfigurable to use TLS SyslogSyslog/TLS SyslogNoYesNo Cost for basic functionalityYes
Event ReporterYesConfigurable to use TLS SyslogSyslog/TLS SyslogNoYesYesYes 
Legacy CollectorNot on Target MachinesUses Encrypted TransportWMI/SMBYesNoNoYes, Limited 

For the details on how to configure and collect logs using each of these methods, please see the individual guide for that method: