• Centralized Backup & Restore of NetWitness Version 11.2+  (A Wrapper Script for NRT)

    NOTE:  Updated to support 11.4.1.2. Scenario: You need to remotely back up your NetWitness hosts to a central location, to satisfy Disaster Recovery Requirements, perform a Tech Refresh, or to be prepared for RMA rep...
    John Snider
    last modified by John Snider
  • Linux log with syslog PRI not parsed

    Hello,   I have a parsing issue with the following Linux log: <37>Jan  4 19:56:01 hostname PAM-unixteam[2373]: pam_sm_acct_mgmt(service=crond, terminal=cron, user=root, ruser=UNDEF, rhost=UNDEF) This...
    Yacine BERREZOUG
    last modified by Yacine BERREZOUG
  • Monitoring Concentrator with OSSEC HIDS

    Hi everyone, I installed OSSEC HIDS on the Concentrator server. What files & directories do you prefer to monitor with OSSEC?
    Azim Afgan
    created by Azim Afgan
  • Using RSA Logs and/or Packets to Send or Receive Data from/to LogStash – Putting it all together - Demonstration

    What is LogStash: LogStash is an Elastic product that can collect, parse, and transform logs to be presented to some type of output such as an Elastic Stack or an RSA Decoder or Virtual Log Collector. https://www.ela...
    Thomas Jones
    last modified by Thomas Jones
  • Interface Bonding - Putting it all together

    What is bonding? Bonding protocol - Wikipedia  Generally speaking, in the Linux world, this action combines multiple physical interfaces into one or more logical interfaces.   Why might you want to bond? Ti...
    Thomas Jones
    last modified by Thomas Jones
  • Consolidating your backups and maximizing NRT (NetWitness Recovery Tool)

    Use this process if you would like full control of your backups; otherwise I advise you to use the NRT Wrapper Method for an automated approach - Centralized Backup & Restore of NetWitness Version 11.2+  (...
    Thomas Jones
    last modified by Thomas Jones
  • The RabbitMQ file grows to fill the /var/log/RabbitMQ volume, preventing services from starting on RSA NetWitness Host

    Hello,   The /var/log/RabbitMQ file grows to occupy all of the available space in the /var/log/RabbitMQ partition preventing services such as the nwlogcollector (and other services) from starting.   Can an...
    Kranthi Kanapala
    last modified by Kranthi Kanapala
  • RSA NetWitness Storage Retention Script

    Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention a...
    Naushad Kasu
    last modified by Naushad Kasu
  • Unable to log in through browser

    Please help. I am unable to log in to NetWitness 11 through http, but I can through NwConsole.  I am getting "failed to retrieve RMISserver" in the logs and a socket error in the console command WhatIsWrong  NW...
    muawyah odeh
    last modified by muawyah odeh
  • Amazon Cloudwatch Event Source Log Configuration Guide

    RSA Product Team
    last modified by RSA Product Team
  • Description in ESA SMTP Template

    Hello.   How can I include the Description field of an ESA Rule in the ESA SMTP Template? I've tried ${description} and ${description?html} - Health&Wellness generates an error.   Is there a list of variables/fie...
    Maxim Marchenko
    last modified by Maxim Marchenko
  • Comparing two different types of meta in ESA Rule

    Hello.   It may be a stupid question, but I'm not a programmer.   So, how can I compare two different types of meta in an ESA Rule (EPL) statement?   I need to compare string with string[] user_dst ...
    Maxim Marchenko
    last modified by Maxim Marchenko
  • Custom Flat File Log Collection with NW-Endpoint 11.4

    22APR2020 - UPDATE: Naushad Kasu has posted a video blog of this process and I have posted the template.xml and NweAgentPolicyDetails_x64.exe files from his blog here.   08APR2020 - UPDATE: adding ...
    Josh Randall
    last modified by Josh Randall
  • Archiver Data Addition

    Dear Team, We have two Archivers available, one in DC and the other in DR, in our environment, and the logs are being forwarded from a single event source to both Archivers via decoder, but due to the issue with the forwar...
    socuser .
    last modified by socuser .
  • Collecting Sysmon logs via WinRM

    The Sysmon service is running and generating events that I see in Event Viewer. I've added the channel Microsoft-Windows-Sysmon/Operational on the Log Collector. But I don't see Sysmon logs in NetWitness Investigate. I see...
    Jay Alexander
    last modified by Jay Alexander
  • Error while performing migrate & upgrade via ISO

    Hi,   We are migrating and upgrading from 10.6.6 to 11.3, using ISO to boot; while entering the setup prompt we have this error:   "mount : special device /dev/VolGroup00/root does not exist cp: cannot stat...
    Mohd Amri Razlan
    last modified by Mohd Amri Razlan
  • RSA Response to SolarWinds/FireEye Attacks

    As you’ve surely seen, a recently discovered supply chain attack has impacted numerous organizations including corporations, government agencies, and nonprofits.  Information continues to emerge about the m...
    Arthur Fontaine
    last modified by Arthur Fontaine
  • Alert wise total count from MongoDB

    Hello,   Is there any way to pull the total alert count, alert-wise, in ESA from MongoDB (backend)? (ver. 11.3)   Please share any ideas.   Regards, Kranthi
    Kranthi Kanapala
    last modified by Kranthi Kanapala
  • Incident page issue

    Hi Everyone    I deployed RSA NetWitness 11.5 into my lab, and after that I changed the IP address on SA and the components. Everything is fine; the only exception is I can't click on an event in the Incident menu to see event d...
    pakorn amonstian
    created by pakorn amonstian
  • FireEye Breach - Implementing Countermeasures in RSA NetWitness

    What Happened On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor.  They've disclosed their research into the attack in a few place...
    Sean Ennis
    last modified by Sean Ennis