Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention across our deployment in a single instance or view.
Below you will find several scripts that will help us gain this visibility quickly and easily.
Update: Please grab the latest version of the script; some bugs were discovered and have been fixed.
How It Works:
1. Dependency: get-all-systems.sh (attached, in both v10 and v11 versions; use the one for your environment). Run this script before running get-retention.py, which requires the 'all-systems' file containing all of your appliances & services.
2. We then read through the all-systems file and look for services that have retention, e.g. EndpointLogHybrid, EndpointHybrid, LogHybrid, LogDecoder, Decoder, Concentrator, Archiver.
3. Finally, we use the 'tlogin' functionality of NwConsole for cert-based authentication, so there is no need to run this script with a username/password as input. With that login we pull database statistics and output the retention (in days) for that particular service.
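A sketch of steps 2 and 3 as an added example, not the attached get-retention.py: it filters an all-systems listing for the service types named above and converts an oldest-record timestamp into retention days. The comma-separated row layout, the epoch-second timestamps and the host names are assumptions, and the NwConsole query itself is left out.

```python
# Added example: the all-systems row layout and all sample values are assumptions.
RETENTION_SERVICES = {
    "endpointloghybrid", "endpointhybrid", "loghybrid",
    "logdecoder", "decoder", "concentrator", "archiver",
}

def retention_hosts(all_systems_text):
    """Yield (service, host, ip) for rows whose service type stores data.
    Assumed row layout: service,host,ip[,...]. Blank lines, '#' comments
    and rows with fewer than three fields are skipped."""
    for raw in all_systems_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) >= 3 and fields[0].lower() in RETENTION_SERVICES:
            yield tuple(fields[:3])

def retention_days(oldest_epoch, now_epoch):
    """Whole days between the oldest stored record and now. Returns None
    when the database is empty (0) or the timestamp is in the future."""
    if oldest_epoch <= 0 or oldest_epoch > now_epoch:
        return None
    return (now_epoch - oldest_epoch) // 86400

def report(all_systems_text, oldest_by_host, now_epoch):
    """Build one (host, service, days) row per retention-bearing service.
    Hosts with no statistic collected are reported as None, not dropped."""
    return [
        (host, service, retention_days(oldest_by_host.get(host, 0), now_epoch))
        for service, host, _ip in retention_hosts(all_systems_text)
    ]

# Constructed sample input, not real get-all-systems.sh output.
SAMPLE_ALL_SYSTEMS = """\
# service,host,ip
broker,nw-broker01,10.0.0.10
concentrator,nw-conc01,10.0.0.11
LogDecoder,nw-ld01,10.0.0.12
archiver,nw-arch01,10.0.0.13
"""
NOW = 1_700_000_000  # fixed "current time" so the output is reproducible
SAMPLE_OLDEST = {    # oldest-record time per host, epoch seconds (assumed form)
    "nw-conc01": NOW - 30 * 86400 - 100,
    "nw-ld01": NOW - 7 * 86400,
}

if __name__ == "__main__":
    for host, service, days in report(SAMPLE_ALL_SYSTEMS, SAMPLE_OLDEST, NOW):
        print(f"{host:12} {service:13} {days if days is not None else 'n/a'}")
```

Reporting a host with no collected statistic as `n/a` rather than omitting it keeps a failed query from looking like a host that does not exist.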
Instructions:
1. Run ./get-all-systems_v10.sh (for 10.x systems) or ./get-all-systems_v11.sh (for 11.x systems)
2. Run ./get-retention.py (without any arguments). This MUST be run from Puppetmaster (v10) or Node0 (v11).
Sample Run:
Please feel free to provide feedback, bug reports etc...
Great idea and effort, but a shame that there have to be unofficial and unsupported scripts for EPS, storage retention and a bunch of other basic things that should have been on Health and Wellness since 10.2.
I will not bother raising an RFE because there is no point, nor is there any hope with the process. Basic SIEM features are still basic features whether customers have asked for them or not.