• Working out size of log events on disk

    I'm going through the process of validating the storage configuration of our deployment and would like to work out the size on disk of the events of each log source type so I can calculate storage requirements based o...
    Jeremy Kerwin
    created by Jeremy Kerwin
  • Current API documentation?

    I've been struggling to find a copy of the API documentation. Any links I've been able to find are broken. Where can I locate it?
    Jacob Ruzi
    last modified by Jacob Ruzi
  • active directory user principal name

    active directory configuration
    Jouni Juntunen
    created by Jouni Juntunen
  • SAML and MFA

    Does NetWitness support SAML SSO authentication? With regard to Multi Factor Auth, are there other options aside from SecurID? Thanks!
    Miguel Lallana
    last modified by Miguel Lallana
  • Warehouse cluster down in 11.3

    Dear All, We have upgraded the RSA SA from 10.6.6 to 11.3. Post upgrade we observed that the warehouseconnector service does not exist. The cluster IP is missing in the assignment. Due to this my warehouse cluster is not avai...
    Shahnawaz Kohati
    created by Shahnawaz Kohati
  • Recommended max EPS for SA devices

    I can't seem to find any documentation, so I am turning to the community in hopes of finding some. I am in need of what the maximum recommended EPS is for all of the various SA devices. I realize this can...
    RSA Admin
    last modified by RSA Admin
  • Has anyone experienced queries not saving when constructing a rule?

    I am experiencing an issue where the "where" statement's logic is not saving when I click save. I have never seen this issue before. As a result, the rules are returning no data. I validated that the rule works and that...
    Eric Schwartz
    last modified by Eric Schwartz
  • CertificateNotYetValidException error when upgrading version on Netwitness

    I try to install upgrade version 11.3.1.0 on the ESA server from the SA Server but it always fails with this error. Below is from chef-solo.log. Any idea about this error? Note: the ntp.conf on SA Server always was c...
    Worapot Ruanngam
    created by Worapot Ruanngam
  • training access

    Is it just me or is it impossible to get to the RSA training sites? I saw a blog post about a great and new system. But every link points to a DELL system where any pointer to RSA Netwitness leads to err...
    Hugo Van Der Kooij
    last modified by Hugo Van Der Kooij
  • Retention Rules & Purge logs from Archiver

    Hello, I need to filter logs to be stored on Archiver. I need to discard any log from device ip 1.1.1.1 and any log from device type 'winevent_nic' and from the device type 'winevent_snare' just need to keep...
  • rpcnetp.exe

    I have the rpcnetp.exe file on 84 clients. On some clients, the IIOC score for the file is 400+. On some clients, the IIOC score is 10+. 1) Why is there a difference in the IIOC score for the exact same file?...
    T K Tan
    created by T K Tan
  • NetWitness Endpoint Analysis

    I am new to NetWitness Endpoint 4.4. I need some advice/pointers on analysis in Netwitness. Please point me to some guides or posts that can help me to do my analysis. Advice on how to score some low hanging frui...
    T K Tan
    created by T K Tan
  • Total by month

    Hello, I am looking for a way to run a report that will simply show a total number of sessions seen by netwitness sorted by month. Is there a way to do this? Thank you.
    Adam Hurrle
    created by Adam Hurrle
  • Syslog messages without PRI header

    I have some customers that have several products/solutions able to send syslog messages using CEF protocol but the decoder seems to discard them because the syslog messages came without the PRI header. My question her...
    Maximiliano Cittadini
    last modified by Maximiliano Cittadini
  • does ueba bundle need license

    while using ueba bundle does it need an extra license
    afsar pasha
    last modified by afsar pasha
  • Installing AWS CloudWatch Agent on RSA servers.

    Has anyone installed the AWS CloudWatch agent on the RSA 11.3.1 Netwitness servers? Did it cause any issues with the servers and performance?
    Allan Lynch
    created by Allan Lynch
  • truncdomain option in feeds

    Hello, I just wanted to know something about the "truncdomain" option in RSA Feeds. I have a CSV file containing a list of domains, and I send a log to rsa to check if it matches the feed. If a ta...
    yann levain
    created by yann levain
  • How to renew Puppet CA and Agent Certificates in 10.6.6.1

    Hello, our Netwitness infrastructure is getting quite old and was installed over 5 years ago. As a result the Puppet CA certificate and all the agent certificates are due to expire in about 2 months time. When...
    David Waugh
    last modified by David Waugh
  • As part of investigation I want to filter the large outbound traffic (1GB data in 1hr) from the source ip's based on request.

    I have verified the log messages; it is calculating the payload of request and response in meta key "large out bound data transfer". Is there any other way to filter the only request base filter for the source ip lis...
    srikanth jonnalagadda
    last modified by srikanth jonnalagadda
  • meaning of this event logs

    Hi, may I know what this means? This is being found in the logs: "The Module: 'xxxxx' is NOT currently un-deployed"
    Xue YQ
    created by Xue YQ