In cases where issues have caused logs to be lost, or not correctly sent to the Log Decoder, you can resend messages in log files by resetting the bookmarks for those log files.
The following procedure describes how to reset bookmarks for file collection logs.
Construct a JSON File to Identify Agents and Event Source Types for Reset
First, you need to construct a JSON file using the following structure:
"sourceType" : ""
- agentIds: a list of the IDs for one or more Endpoint Agents: these are the individual agents on which the source log files reside.
- sourceType: this is a list of the file event source type or types for which you want the log file bookmarks to be reset.
For details on finding agent IDs and source types, see How to Find Agent IDs and Source Types below.
For example, the following source code snippet could be used to delete bookmarks for all sources on 3 agents:
Similarly, the following source code snippet could be used to delete bookmarks for apache sources on 3 agents:
Perform the following steps to reset the bookmarks that you specified in a JSON-formatted file:
- SSH to the NetWitness Platform Admin Server.
- Run nw-shell command. for details about using the NetWitness shell, see the Shell User Guide, available in RSA Link.
After nw-shell starts, connect to an Endpoint Server service, using the following command:
connect --service endpoint-server.serviceID
where serviceID is identifier for the Endpoint Server that hosts the agents you are changing. See How to Find Endpoint Service IDs for details on how to retrieve the service ID.
Change to the directory where the reset command resides:
Login with an administrator account.
Type the login command:
- Enter the user name for your admin account.
- Enter the password for your admin account.
Run the reset command: you need to provide the JSON path and filename that you created earlier.
invoke --file <path and filename for JSON>
invoke --file /tmp/test.json
The bookmarks for each log file identified in your JSON file are reset. The following image shows an example NetWitness Platform Shell session:
To find the Agent IDs for agents, go to Investigate > Hosts > <select an Agent>, then click the Host Details panel, and scroll down to the Agent section, where the Agent ID is shown:
To find the source types, go to Investigate > Hosts > <select an Agent>, then click the Policy Details panel, expand Agent File Logs, view the Source Settings for the source type name to use:
You can retrieve the service ID for an Endpoint Server by using SSH to connect to it.
To retrieve the service ID for an Endpoint Server:
- SSH to the NetWitness Platform Endpoint Server for which you need to retrieve the ID. The IP address is available under Admin > Hosts. The IP address for each host is listed in the Host column of the table.
View the file that contains the ID by running the following command:
It returns the Endpoint Server ID, for example: