
RSA NetWitness Platform

2 posts authored by: Naushad Kasu (Employee)

Administrators and Content Managers alike often need more information about the current status of their parsers (both Log and Network [formerly Packet] parsers). There is an older, fancier interface for Log parser meta keys located here:

https://community.rsa.com/community/products/netwitness/blog/2017/11/13/rsa-meta-dictionary-tool

The script in this blog post is a bit more real-time and allows you to gain some additional visibility into your meta keys.

Pre-Requisites

Please ensure you have run ssh-propagate.sh on your SA Server (10.x) or NW Server / Node0 (v11). The script uses SCP to reach downstream services for the log parsing functionality.

Synopsis

Log Parser -> Meta Key Mapping:
When run in Log mode with a specific parser as a parameter, the script outputs all of the meta keys used in that parser. It also outputs each key's format and whether the key is passed to the Concentrator, that is, whether its flag is set to Transient (not passed to the Concentrator with the session) or None (passed to the Concentrator).
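As an added illustration of the Log-mode mapping described above (example code written for this page, not the get-parser-keys.py script from the post): it collects the <field> placeholders from a parser's MESSAGE content strings and looks each one up in a table-map document to report the meta key, its format, and whether its flag is Transient or None. The table-map.xml and parser XML shapes and every sample entry are constructed assumptions, not copied from a NetWitness installation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like table-map.xml (format assumed): each <mapping>
# links an envision field name to a NetWitness meta key, with its format and a
# flags value of "None" (passed to the Concentrator) or "Transient" (Decoder only).
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="event_time" nwName="event.time" flags="None" format="TimeT"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="None" format="Text"/>
  <mapping envisionName="msg" nwName="msg" flags="Transient" format="Text"/>
</mappings>"""

# Constructed excerpt shaped like a log parser (format assumed): the fields a
# MESSAGE extracts appear as <name> placeholders in its content attribute.
PARSER_XML = """<DEVICEMESSAGES name="rhlinux" displayname="Red Hat Linux">
  <MESSAGE id1="SSHD_ACCEPT" content="&lt;event_time&gt; &lt;hostname&gt; sshd[&lt;pid&gt;]: Accepted password for &lt;username&gt; from &lt;saddr&gt; port &lt;sport&gt;"/>
  <MESSAGE id1="LOGIN_TTY" content="&lt;event_time&gt; &lt;hostname&gt; login: LOGIN ON &lt;terminal&gt; BY &lt;username&gt; &lt;msg&gt;"/>
</DEVICEMESSAGES>"""
PLACEHOLDER = re.compile(r"<([A-Za-z0-9_]+)>")

def load_table_map(xml_text):
    """Map envisionName -> (nwName, format, flags) from a table-map document."""
    return {m.get("envisionName"): (m.get("nwName"), m.get("format"), m.get("flags"))
            for m in ET.fromstring(xml_text).iter("mapping")}

def parser_keys(parser_xml):
    """Collect every placeholder name used by any MESSAGE in the parser."""
    keys = set()
    for msg in ET.fromstring(parser_xml).iter("MESSAGE"):
        keys.update(PLACEHOLDER.findall(msg.get("content", "")))
    return sorted(keys)

def map_parser_keys(parser_xml, table_map_xml):
    """Return (field, meta key, format, flags, passed_to_concentrator) per field."""
    table = load_table_map(table_map_xml)
    rows = []
    for field in parser_keys(parser_xml):
        if field in table:
            nw_name, fmt, flags = table[field]
            rows.append((field, nw_name, fmt, flags, flags != "Transient"))
        else:
            # No table-map entry: the parser captures the field but writes no meta key.
            rows.append((field, None, None, "Unmapped", False))
    return rows

if __name__ == "__main__":
    for field, nw_name, fmt, flags, passed in map_parser_keys(PARSER_XML, TABLE_MAP_XML):
        print(f"{field:<12} {nw_name or '-':<12} {fmt or '-':<6} {flags:<10} "
              f"{'passed to Concentrator' if passed else 'not passed'}")
```

Fields that appear in the parser but have no table-map entry are reported as Unmapped, which is the case to check when an expected meta key never shows up on the Concentrator.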

Network Parser -> Meta Key Mapping:
When run in Network mode with the IP of a Network Decoder, the script outputs all of the enabled parsers with their respective keys, colour-coded as follows:

White = Enabled
Yellow = Transient
Red = Disabled

Runtime

To run in Log mode:
Example: ./get-parser-keys.py -l <PARSER NAME> -i <LOG DECODER IP>
Example: ./get-parser-keys.py -l rhlinux -i 192.168.1.113

To run in Network mode:
Example: ./get-parser-keys.py -n -i <NETWORK DECODER IP>
Example: ./get-parser-keys.py -n -i 192.168.1.112

Sample Output

Log Parser -> Meta Key Mapping (sample output image)

Network Parser -> Meta Key Mapping (sample output image)

Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention across our deployment in a single instance or view.

Below you will find several scripts that help us gain this visibility quickly and easily.

Update: Please grab the latest version of the script; several bugs were discovered and fixed.

How It Works:

1. Dependency: get-all-systems.sh (attached), in both v10 and v11 versions; use the one for your environment. Run this script before get-retention.py, which requires the 'all-systems' file it produces, containing all of your appliances and services.

2. The script then reads through the all-systems file and looks for services that have retention, e.g. EndpointLogHybrid, EndpointHybrid, LogHybrid, LogDecoder, Decoder, Concentrator, Archiver.

3. Finally, it uses the 'tlogin' functionality of NwConsole for certificate-based authentication, so the script needs no username/password input; it pulls database statistics and outputs the retention (in days) for each of those services.

Instructions:

1. Run ./get-all-systems_v10.sh (for 10.x systems) or ./get-all-systems_v11.sh (for 11.x systems)

2. Run ./get-retention.py (without any arguments). This MUST be run from the Puppetmaster (v10) or Node0 (v11).

Sample Run:

Please feel free to provide feedback, bug reports, etc.
