• NetWitness 11 virtual demo environment with limited resources

    Hello, I'm looking for a way to install a NetWitness 11 demo system on VMware with limited resources, so I would be grateful for any suggestions on how to do it properly. Is it possible to lower the amount of ...
    Marcin Filipiak
    last modified by Marcin Filipiak
  • VLC Shovel Fail

    I deployed a new Log Decoder and added it to one of our VLCs, but shovel is failing. The second LD was added successfully. However, I am trying to find out why this particular LD shovel is failing. I cannot find a KB related t...
    Dwayne Fryer
    last modified by Dwayne Fryer
  • Retaining Archiver post Decommissioning

    Quick question – if I need to decommission the entire RSA NetWitness platform / servers, but still need access to Archiver logs for a certain duration, what all components will I have to keep alive?  ...
    Visham Rawat
    created by Visham Rawat
  • Raw logs and Meta from Archiver to Splunk

    We've got a requirement to move all our raw logs and meta stored on the Archiver to the Splunk platform. Now, I see there's a document on the Community that speaks of RSA NetWitness and Splunk. I've g...
    Visham Rawat
    last modified by Visham Rawat
  • Custom idle period for specific user

    I'm facing this problem on RSA NetWitness: I have to give a custom idle period to a specific user. I cannot find a way to set the idle period individually. The only way according to the rsa_nw_11.3_sys_security_user_mgmt_gui...
    Simone Pizzini
    last modified by Simone Pizzini
  • Log Parser tool on Linux

    Currently the Log Parser Tool is built for Windows and Mac. Using Wine 4.x you can install and run the Log Parser Tool on Linux (Mint and Ubuntu). To install and run the LPT on Linux you nee...
    Dave Glover
    last modified by Dave Glover
  • lost endpoint event alert details after 11.4 upgrade

    Internal Use - Confidential. Hi folks, looking for some guidance troubleshooting an issue that cropped up in a training NW Endpoint environment after upgrading from 11.3.0.0 to 11.4. Looking at ...
    Eric Crawford
    created by Eric Crawford
  • File collection method to be used instead of Syslog collection method

    Task to accomplish: - Fortinet logs to be sent to log collector through file collection method (currently supported method is syslog). Require it to get parsed properly with file collection method like it is parsing t...
    Harshad Tuwar
    last modified by Harshad Tuwar
  • RSA Netwitness Logs and Network Product Information

    Hi, thank you for your question. NetWitness Logs and Packets is a previous product name we used for our platform; the databases and back-up features depend on the product version. What version/rele...
    Don Croad
    created by Don Croad
  • Unable to deploy ESA rule

    I get the following error while deploying the rule. I've checked the syntax and it says the rule is valid. "ESA was unable to deploy one or more rules, and these rules were disabled. Common issues include: missing me...
    Visham Rawat
    last modified by Visham Rawat
  • Difference between bytes, rbytes and bytes.src metakey

    I see bytes.src metakey is said to capture Bytes Sent. rbytes metakey is said to capture Bytes Received, and yet it is always empty. I do also see bytes metakey, the value of which is always greater than b...
    Visham Rawat
    last modified by Visham Rawat
  • BULK CLOSE

    Hi Team, recently I did the version upgrade of RSA to 11.3.2.0. I would like to know whether we have the option to add notes to all the incidents selected while bulk closing them together. Is there any opt...
    support soc
    last modified by support soc
  • Upgrading "New" v10.6.6 Log Gear to v11.2.0

    RSA, we just deployed some new log gear and I need assistance with getting this gear upgraded to v11.2.0. I have attempted to upgrade the devices with our v11.2.0 ISO and build stick, but the issue comes into place wh...
    Dwayne Fryer
    last modified by Dwayne Fryer
  • No syslog collection option on the VLC

    The syslog collection option isn't showing up for the remote log collector. Not sure why? The other 9 collection methods show, but syslog doesn't on the VLC.
    Visham Rawat
    last modified by Visham Rawat
  • Data Retention Scheduler best practices

    What are the best practices when using the Data Retention Scheduler for NW Packet decoders/concentrators? We typically set the retention to 30 to 90 days. The default for "Run" is every 15 minutes which seems quite lo...
    Richard van den Berg
    last modified by Richard van den Berg
  • RSA archer and NW compatibility

    I'm upgrading to RSA NW 11.3.1 from NW 11.2 and using RSA Archer V6.3. Is my RSA Archer V6.3 compatible with NW 11.3.1, or do I need to upgrade Archer also?
    Rahul Chauhan
    last modified by Rahul Chauhan
  • Palo Alto syslog format for RSA Netwitness

    I would like to know what syslog format Palo Alto sends to RSA NetWitness. By default I'm set to BSD, but in other SIEMs the syslog formats are CEF or LEEF.
    Leandro Chistoni
    last modified by Leandro Chistoni
  • System Maintenance: /var/log drive is full

    Hello Guys, good day! In our environment we are facing a full /var/log drive on one of the log decoders. After running du -sh *, I came to know that the drive is full due to /var/log/rabbitmq . ...
  • SA server not able to fetch node ID details

    Hi all, we are using NetWitness 11.1.0, but due to some log collection issue we were trying to remove and re-add the Log Collector service in the SA server. But now we are not able to add the log collector se...
    rajbir singh
    last modified by rajbir singh
  • correct version not reflecting on host page

    I'm using version 11.2, but my VLCs show as 11.1 on the host page, though they are already upgraded to 11.2. Need help?
    Rahul Chauhan
    created by Rahul Chauhan