The decoders used in Netwitness. The job of a decoder is to select a parser to parse log files.
The Netwitness LogDecoder shows Service Type as unknown but I was expecting to see winevent_snare.
My NXLog config uses the Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare(); to send windows log data to the NETWITNESS collector/decoder.
The problem is the decoder is using unknown or rxlinux as service type not winevent_snare to parse my windows log files. I was looking for the decoder to use winevent_snare but it is not.
Does anyone have a working NXLog config file to collect windows event logs to Netwitness?
Thanks for your assistance,
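As an added example (not from the original post, nor NXLog or NetWitness code), the Python below shows what the Exec line in the post does to the message field and why it matters for a tab-delimited Snare record: an unsanitized message with embedded tabs shifts the field count, so a Snare-aware parser can no longer line up the fields. The field layout, the sample event and the syslog header are constructed assumptions.

```python
import re

SNARE_HEADER = "MSWinEventLog"
# Assumed tab-delimited field layout of a Snare-format Windows event record
# (example layout for this demo, not taken from NetWitness or NXLog docs).
SNARE_FIELDS = ["header", "criticality", "log_name", "counter", "timestamp",
                "event_id", "source", "user", "sid_type", "event_type",
                "hostname", "category", "data", "expanded", "checksum"]

# Python equivalent of the NXLog Exec in the post: $Message =~ s/(\t|\R)/ /g
# Perl's \R matches any line break; Python has no \R, so list the alternatives.
_TAB_OR_LINEBREAK = re.compile(r"\t|\r\n|[\n\r\x0b\x0c\x85\u2028\u2029]")

def sanitize_message(message):
    """Flatten tabs and line breaks to spaces so they cannot split the record."""
    return _TAB_OR_LINEBREAK.sub(" ", message)

def build_snare_line(values, message, sanitize=True):
    """Build a syslog line carrying a Snare record; 'values' fills every field
    except 'data', which receives the (optionally sanitized) event message."""
    body = dict(values, data=sanitize_message(message) if sanitize else message)
    record = "\t".join(body[name] for name in SNARE_FIELDS)
    # Constructed syslog header (PRI 14 = user.info) in front of the record.
    return "<14>Mar 22 10:15:00 win-dc01 " + record

def parse_snare_line(line):
    """Return the record as a dict, or None when it is not a well-formed Snare
    record (header missing or wrong field count), i.e. the kind of line a
    Snare-aware parser would be expected to reject."""
    start = line.find(SNARE_HEADER)
    if start == -1:
        return None
    fields = line[start:].split("\t")
    if len(fields) != len(SNARE_FIELDS):
        return None
    return dict(zip(SNARE_FIELDS, fields))

# Constructed sample: a Security event whose message contains a tab and CRLF.
SAMPLE_VALUES = {
    "header": SNARE_HEADER, "criticality": "1", "log_name": "Security",
    "counter": "1042", "timestamp": "Thu Mar 22 10:15:00 2018",
    "event_id": "4624", "source": "Microsoft-Windows-Security-Auditing",
    "user": "N/A", "sid_type": "N/A", "event_type": "Success Audit",
    "hostname": "win-dc01", "category": "Logon", "expanded": "", "checksum": "0",
}
SAMPLE_MESSAGE = "An account was successfully logged on.\r\n\tLogon Type:\t\t3"

if __name__ == "__main__":
    good = parse_snare_line(build_snare_line(SAMPLE_VALUES, SAMPLE_MESSAGE))
    bad = parse_snare_line(build_snare_line(SAMPLE_VALUES, SAMPLE_MESSAGE, sanitize=False))
    print("sanitized parses:", good is not None, "| raw parses:", bad is not None)
```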