NwLogPlayer is a log replay utility that is available for NetWitness for Logs. It reads a log event text file that you have created by exporting the logs from Investigation. The first question that comes to mind is "Why would I want to do that?" There are three typical reasons why I use it. First, when you are developing ESA rules and you need a specific set of crafted events to reproduce the conditions for your alert. Second, when you are developing a custom parser for those "unknown" device types. Third, when you have a lab or development system that does not have an event source, or does not have the event source that you need. I actually prefer to do my development work on an isolated lab/development system that has no log sources other than what I replay. This way I can accurately track my replayed events against my parsed events, so 100 replayed events should equal 100 parsed events.
To use the utility, all you need to do is install it on the system that you want to run it from. This can be any system in the NetWitness for Logs stack. I typically use the Log Decoder, as it is the system I work with the most. If the total size of the log sample files is not very large (less than 100M total), I just create a "/root/logsamples" directory and put them there, then delete them when I am finished. If I am working with large log sample files, I install NwLogPlayer on the main Broker server and use the server's "/var/netwitness/ipdbextractor/logsamples" directory, as this is not typically used on most systems.
To Install NwLogPlayer:
- SSH into the system you wish to run it from (typically a Log Decoder or the main Broker)
- Type "yum install nwlogplayer"
- Type "y" to install
- Press "Enter"
To use NwLogPlayer:
- Upload your log sample text files to your sample directory on the system where you installed NwLogPlayer
- SSH into the system where you installed NwLogPlayer
- Type "NwLogPlayer --file <Your Sample Log Text file> --server <Log Decoder IP or FQDN>"
For example, with:
Path = "/root/logsamples"
Log Sample File = "ESA-Alert-Firing-Sample.txt"
Virtual Log Collector = "VLC60.local"
the command is:
NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local
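The replay step above, wrapped in a small shell script so that the number of events sent can be checked against the number of events parsed on the decoder (the "100 replayed events should equal 100 parsed events" check from the introduction). This is an added example, not part of the original post or of the NwLogPlayer tool itself. It assumes only the --file and --server switches shown above; the sample directory, the host name VLC60.local and the syslog-style sample lines it writes are placeholders and constructed data.

```shell
#!/bin/sh
# Added example (not from the original post): wrap an NwLogPlayer replay so the
# operator knows how many events were sent and can compare that with the count
# parsed on the Log Decoder or VLC.
# Assumptions: NwLogPlayer takes --file and --server as shown in the post;
# the directory and host name below are placeholders.

SAMPLE_DIR="${SAMPLE_DIR:-/root/logsamples}"

# count_events FILE: number of non-empty lines, i.e. the number of events
# one replay of FILE is expected to produce on the decoder.
count_events() {
    grep -c -v '^[[:space:]]*$' "$1"
}

# build_replay_cmd FILE SERVER: the exact command line from the post.
build_replay_cmd() {
    printf 'NwLogPlayer --file %s --server %s' "$1" "$2"
}

# write_sample FILE: write a few constructed syslog-style events for a test run.
write_sample() {
    cat > "$1" <<'EOF'
<134>Jan 01 00:00:01 lab-host constructed-app: constructed test event 1
<134>Jan 01 00:00:02 lab-host constructed-app: constructed test event 2

<134>Jan 01 00:00:03 lab-host constructed-app: constructed test event 3
EOF
}

# replay_sample FILE SERVER: replay FILE to SERVER and report the expected
# parsed-event count. Returns non-zero if the file is unreadable or the
# replay fails. If NwLogPlayer is not installed here, only the command that
# would have run is shown, so the script can be exercised on any host.
replay_sample() {
    file="$1"
    server="$2"
    [ -r "$file" ] || { echo "sample not readable: $file" >&2; return 1; }
    expected=$(count_events "$file")
    echo "replaying $expected events from $file to $server"
    if command -v NwLogPlayer >/dev/null 2>&1; then
        NwLogPlayer --file "$file" --server "$server" || return 1
    else
        echo "NwLogPlayer not installed on this host; would run:" >&2
        echo "  $(build_replay_cmd "$file" "$server")" >&2
    fi
    # Compare this number with the event count for the same time window in
    # Investigation; a shortfall points at parsing or collection problems.
    echo "expected parsed events on $server: $expected"
}

# Stand-alone run with a constructed sample file (placeholder host name).
demo_file="${TMPDIR:-/tmp}/constructed-sample.txt"
write_sample "$demo_file"
replay_sample "$demo_file" "VLC60.local"
```

Run it as-is on a Log Decoder to see the expected count printed next to the replay; pass a real file from your sample directory to replay_sample for actual work. Blank lines are not counted, because NwLogPlayer has nothing to send for them.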
NwLogPlayer command line syntax: