
Endpoint Config: Reset File Collection Bookmarks

Document created by RSA Information Design and Development on Jan 31, 2020. Last modified by RSA Information Design and Development on Mar 17, 2020.

In cases where issues have caused logs to be lost, or not correctly sent to the Log Decoder, you can resend messages in log files by resetting the bookmarks for those log files.

Note: For security reasons, RSA does not allow resetting bookmarks from the agents. Rather, you must do so from an Endpoint Server.

The following procedure describes how to reset bookmarks for file collection logs.

Note: Currently, you can reset bookmarks for all sources or just one specific source, by providing a list in a JSON file.

Construct a JSON File to Identify Agents and Event Source Types for Reset

First, you need to construct a JSON file using the following structure:

    {
      "agentIds": [],
      "sourceType": ""
    }

where:

  • agentIds: a list of the IDs of one or more Endpoint Agents; these are the individual agents on which the source log files reside.
  • sourceType: the file event source type whose log file bookmarks you want to reset, or ALL to reset the bookmarks for every source type on the listed agents.

For details on finding agent IDs and source types, see How to Find Agent IDs and Source Types below.

For example, the following JSON file resets the bookmarks for all sources on 3 agents:

    {
      "agentIds": ["43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
                   "88AD4B2C-192B-B50E-A125-C05B801301AA",
                   "3899038D-8F42-BC93-5BA7-ECBFC309D6A3"],
      "sourceType": "ALL"
    }

Similarly, the following JSON file resets the bookmarks for apache sources on the same 3 agents:

    {
      "agentIds": ["43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
                   "88AD4B2C-192B-B50E-A125-C05B801301AA",
                   "3899038D-8F42-BC93-5BA7-ECBFC309D6A3"],
      "sourceType": "apache"
    }

Reset Bookmarks

Perform the following steps to reset the bookmarks that you specified in a JSON-formatted file:

  1. SSH to the NetWitness Platform Admin Server.
  2. Run the nw-shell command. For details about using the NetWitness shell, see the Shell User Guide, available on RSA Link.
  3. After nw-shell starts, connect to an Endpoint Server service, using the following command:

    connect --service endpoint-server.serviceID

    where serviceID is the identifier of the Endpoint Server that hosts the agents you are changing. See How to Find Endpoint Service IDs below for details on how to retrieve the service ID.

  4. Change to the directory where the reset command resides:

    cd endpoint/command/reset-bookmark

  5. Login with an administrator account.

    1. Type the login command:

      login

    2. Enter the user name for your admin account.
    3. Enter the password for your admin account.
  6. Run the reset command, providing the path and filename of the JSON file that you created earlier:

    invoke --file <path and filename for JSON>

    For example:

    invoke --file /tmp/test.json

The bookmarks for each log file identified in your JSON file are reset. The following image shows an example NetWitness Platform Shell session:
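The malformed agentIds lists are easy to produce by hand (a missing quote or comma makes the whole file unparseable). As an added example, not part of RSA's documentation or of the nw-shell tooling, the following Python script builds the JSON file from a list of agent IDs and a source type, validates an existing file against the structure described above before you run invoke, and lists the nw-shell commands from the procedure in order. The agent ID format check (hex groups of 8-4-4-4-12) and all helper names are assumptions; the three agent IDs are the sample values from this page, and the service ID is a placeholder.

```python
"""Build, validate and stage a reset-bookmark request file for the NetWitness Endpoint Server.

Added example; the function names and the agent-ID format check are assumptions, not RSA APIs.
"""
import json
import re
from pathlib import Path

# Agent IDs as shown under Investigate > Hosts > Host Details: five hex groups, 8-4-4-4-12.
# This pattern is an assumption drawn from the sample IDs on the page.
AGENT_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Constructed copy of the hand-typed example with a missing quote and comma in the list.
BROKEN_EXAMPLE = """{
  "agentIds": ["43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
     88AD4B2C-192B-B50E-A125-C05B801301AA"
     "3899038D-8F42-BC93-5BA7-ECBFC309D6A3"],
  "sourceType": "ALL"
}"""


def is_valid_agent_id(value):
    """True when value is a string in the 8-4-4-4-12 hex format the console displays."""
    return isinstance(value, str) and AGENT_ID_RE.match(value) is not None


def build_reset_request(agent_ids, source_type="ALL"):
    """Return the {"agentIds": [...], "sourceType": "..."} structure, rejecting bad input early."""
    cleaned = [a.strip() for a in agent_ids]
    if not cleaned:
        raise ValueError("agentIds must list at least one Endpoint Agent")
    bad = [a for a in cleaned if not is_valid_agent_id(a)]
    if bad:
        raise ValueError(f"not valid agent IDs: {bad}")
    if not isinstance(source_type, str) or not source_type.strip():
        raise ValueError("sourceType must be one non-empty string, e.g. 'ALL' or 'apache'")
    return {"agentIds": cleaned, "sourceType": source_type.strip()}


def validate_reset_text(text):
    """Check JSON text against the documented structure; return a list of problems (empty = OK)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # The typical hand-editing mistake: an unquoted ID or a missing comma between IDs.
        return [f"invalid JSON: {exc}"]
    problems = []
    if not isinstance(data, dict) or set(data) != {"agentIds", "sourceType"}:
        problems.append("file must contain exactly the keys agentIds and sourceType")
        return problems
    ids = data["agentIds"]
    if not isinstance(ids, list) or not ids:
        problems.append("agentIds must be a non-empty list")
    else:
        problems += [f"bad agent ID: {i!r}" for i in ids if not is_valid_agent_id(i)]
    if not isinstance(data["sourceType"], str) or not data["sourceType"]:
        problems.append("sourceType must be a non-empty string")
    return problems


def write_reset_request(path, agent_ids, source_type="ALL"):
    """Write the request file and return the problems found when re-reading it (should be [])."""
    request = build_reset_request(agent_ids, source_type)
    Path(path).write_text(json.dumps(request, indent=2) + "\n", encoding="utf-8")
    return validate_reset_text(Path(path).read_text(encoding="utf-8"))


def nw_shell_steps(service_id, json_path):
    """The nw-shell commands from the procedure, in order; service_id comes from
    /etc/netwitness/endpoint-server/service-id on the Endpoint Server."""
    return [
        f"connect --service endpoint-server.{service_id}",
        "cd endpoint/command/reset-bookmark",
        "login",
        f"invoke --file {json_path}",
    ]


if __name__ == "__main__":
    # Sample agent IDs from the page; the service ID is a placeholder, not a real value.
    agents = [
        "43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
        "88AD4B2C-192B-B50E-A125-C05B801301AA",
        "3899038D-8F42-BC93-5BA7-ECBFC309D6A3",
    ]
    print("problems in hand-typed example:", validate_reset_text(BROKEN_EXAMPLE))
    print("problems in generated file:", write_reset_request("/tmp/test.json", agents, "apache"))
    print("\n".join(nw_shell_steps("<ENDPOINT-SERVER-SERVICE-ID>", "/tmp/test.json")))
```

Run the validator against the file before step 6 of the procedure; a non-empty problem list means invoke would be handed a file the Endpoint Server cannot act on.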

How to Find Agent IDs and Source Types

To find the Agent IDs for agents, go to Investigate > Hosts > <select an Agent>, then click the Host Details panel, and scroll down to the Agent section, where the Agent ID is shown:

To find the source types, go to Investigate > Hosts > <select an Agent>, then click the Policy Details panel, expand Agent File Logs, and view the Source Settings for the source type name to use:

How to Find Endpoint Service IDs

You can retrieve the service ID for an Endpoint Server by using SSH to connect to it.

To retrieve the service ID for an Endpoint Server:

  1. SSH to the NetWitness Platform Endpoint Server for which you need to retrieve the ID. The IP address is available under Admin > Hosts. The IP address for each host is listed in the Host column of the table.
  2. View the file that contains the ID by running the following command:

    cat /etc/netwitness/endpoint-server/service-id

    It returns the Endpoint Server ID, for example:

    38909c2f-7a9b-415a-b567-f49a19cf250e
