Leonard Chvilicek

How To Replay Logs

Blog Post created by Leonard Chvilicek Employee on Oct 9, 2016


NwLogPlayer is a log replay utility available for NetWitness for Logs. It reads a log event text file that you have created by exporting logs from Investigation. The first question that comes to mind is "Why would I want to do that?". There are three typical reasons why I use it. First, when you are developing ESA rules and need a specific set of crafted events to reproduce the conditions for your alert. Second, when you are developing a custom parser for one of those "unknown" device types. Third, when you have a lab or development system that has no event source, or does not have the particular event source that you need. I actually prefer to do my development work on an isolated lab/development system that has no log sources other than what I replay. This way I can accurately track my replayed events against my parsed events, so 100 replayed events should equal 100 parsed events.


To use the utility, all you need to do is install it on the system that you want to run it from. This can be any system in the NetWitness for Logs stack. I typically use the Log Decoder, as it is the system I am working with the most. If the total size of the log sample files is not very large (less than 100M in total), I just create a "/root/logsamples" directory, put them there, and delete them when I am finished. If I am working with large log sample files, I install NwLogPlayer on the main Broker server and use the server's "/var/netwitness/ipdbextractor/logsamples" directory, as this directory is not typically used on most systems.


To Install NwLogPlayer:

  1. SSH into the system you wish to run it from (typically a Log Decoder or the main Broker).
  2. Type "yum install nwlogplayer"
  3. Type "y" to install
  4. Press "Enter"


To use NwLogPlayer:

  1. Upload your log sample text files to your sample directory on the system where you installed NwLogPlayer
  2. SSH into the system where you installed NwLogPlayer
  3. Type "NwLogPlayer --file <Your Sample Log Text file> --server <Log Decoder IP or FQDN>"


Example:

Path = "/root/logsamples"
Log Sample File = "ESA-Alert-Firing-Sample.txt"
Virtual Log Collector = "VLC60.local"

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local
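The following wrapper is an added example and not part of the original post or the NwLogPlayer tool: it counts the events in a sample file before replaying it, so the replayed count can be reconciled with the parsed count in Investigation, and it caps the replay with the --rate and --maxcnt options from the syntax listing. It assumes NwLogPlayer is on PATH and that the target listens on the default port 514; when the tool is absent it only prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around
# NwLogPlayer that records how many events a sample file holds before
# replaying it, so the replayed count can be reconciled with the parsed
# count later in Investigation (100 replayed should equal 100 parsed).
# Assumptions: NwLogPlayer is on PATH (yum install nwlogplayer); the
# target is a Log Decoder or VLC syslog listener on port 514 (--port default).

# Count replayable events: non-empty lines of the sample file.
count_events() {
    grep -cv '^[[:space:]]*$' "$1" || true   # grep exits 1 on zero matches
}

# Compose the replay command. --rate caps events per second so a large
# sample does not flood the decoder; --maxcnt stops after the counted events.
build_cmd() {
    n=$(count_events "$1")
    printf 'NwLogPlayer --file %s --server %s --port %s --rate %s --maxcnt %s' \
        "$1" "$2" "$3" "$4" "$n"
}

# Replay one sample file: $1 file, $2 server, $3 port (514), $4 rate (100 eps).
replay_sample() {
    file=$1; server=$2; port=${3:-514}; rate=${4:-100}
    if [ ! -s "$file" ]; then
        echo "empty or missing sample: $file" >&2
        return 1
    fi
    echo "expect $(count_events "$file") parsed events from $file"
    cmd=$(build_cmd "$file" "$server" "$port" "$rate")
    if command -v NwLogPlayer >/dev/null 2>&1; then
        $cmd                      # word-splitting intended; paths have no spaces
    else
        echo "dry run: $cmd"      # lets the wrapper run where NwLogPlayer is absent
    fi
}

# Constructed sample (not real device output) so this runs offline; the
# blank line checks that count_events ignores it.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
Oct  9 10:00:01 lab-host demo: constructed test event 1
Oct  9 10:00:02 lab-host demo: constructed test event 2

Oct  9 10:00:03 lab-host demo: constructed test event 3
EOF

replay_sample "$SAMPLE" VLC60.local
```

After the replay finishes, compare the printed expected count with the event count for that device type in Investigation; a difference points at events the parser dropped or did not recognize.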


NwLogPlayer command line syntax:
  --priority arg                    set log priority value
  -h [ --help ]                     show this message
  -f [ --file ] arg (=stdin)        input file
  -d [ --dir ] arg                  input directory
  -s [ --server ] arg (=localhost)  remote server
  -p [ --port ] arg (=514)          remote port
  -r [ --raw ] arg (=0)             Determines raw mode. 1 = file contents will be copied line by line to the server. 0 = add priority mark. 3 = auto detect. 4 = envision stream. 5 = binary object. 6 = protobuf stream
  -m [ --memory ] arg               Speed test mode. Reads up to MB of messages from the file contents and replays.
  --rate arg                        Number of events per second. No effect if rate > eps which program can achieve at continuous mode
  --maxcnt arg                      max number of messages to be sent
  -c [ --multiconn ]                multiple connection
  -t [ --time ] arg                 simulate time stamp time. Format as yyyy-m-d-hh:mm:ss
  -v [ --verbose ]                  if true will verbose output
  --ip arg                          simulate ip tag.
  --devicetype arg                  simulate device type. Applies only to envision headers (raw=4).
  --ssl                             connect with SSL
  --certdir arg                     OpenSSL certificate authority directory.
  --clientcert arg                  use this PEM-encoded SSL client certificate
  --clientkey arg                   use this PEM-encoded private key file. If not specified the clientcert path is used.
  --udp                             send in udp
  -g [ --gzip ]                     treat input stream as compressed gzip
  --version                         output the version of this program
