The decoders used in NetWitness. The job of a decoder is to select a parser for the log events it receives.

The NetWitness LogDecoder shows Service Type as unknown, but I was expecting to see winevent_snare.

My NXLog config uses Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare(); to send Windows log data to the NetWitness collector/decoder.

The problem is that the decoder is using unknown or rxlinux as the service type, not winevent_snare, to parse my Windows log files. I was expecting the decoder to use winevent_snare, but it is not.

Does anyone have a working NXLog config file to collect Windows event logs and send them to NetWitness?

Thanks for your assistance,

Asked September 29, 2021 - 1:50am
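For reference, a complete NXLog configuration that ships Windows event logs in Snare syslog format. This is an added example, not the poster's config and not NetWitness or NXLog vendor material; the decoder address (10.0.0.5), the UDP port (514), the install path under %ROOT%, and the channel selection are assumptions, and it assumes the decoder's winevent_snare parser identifies events by the Snare "MSWinEventLog" header that to_syslog_snare() emits.

```nxlog
# Added example (not from the original post): forward Windows event logs to a
# NetWitness Log Decoder as Snare-format syslog.
# Assumed values: decoder 10.0.0.5, UDP/514, default NXLog CE install path.

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# xm_syslog provides to_syslog_snare()
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Read the Windows Event Log; restrict to the channels the decoder should see
<Input in_winevent>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Build the Snare line and send it to the decoder
<Output out_netwitness>
    Module  om_udp
    Host    10.0.0.5
    Port    514
    # Replace tabs and line breaks in the message body so they cannot be taken
    # for Snare field separators, then set $raw_event to the Snare syslog form
    # (<PRI>timestamp hostname MSWinEventLog<TAB>Criticality<TAB>SourceName<TAB>...).
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_snare();
</Output>

<Route r1>
    Path    in_winevent => out_netwitness
</Route>
```

Two checks worth doing with a config like this: capture the traffic on the decoder side (tcpdump or Wireshark on port 514) and confirm each line carries the MSWinEventLog token with tab-separated fields after the syslog header; and make sure nothing after the to_syslog_snare() call rewrites $raw_event (for example a later to_syslog_bsd()), because the output module sends $raw_event as-is and a second conversion would discard the Snare header, leaving the decoder a plain syslog line to classify. For TCP delivery, swap om_udp for om_tcp with the same Host, Port and Exec.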

Answer (1)