Host GS: Hosts and Services Maintenance Procedures

Document created by RSA Information Design and Development on Jan 31, 2020. Last modified by RSA Information Design and Development on Jan 31, 2020.
Version 6

Every service requires a host. After you set up a host, you can assign services to and from this host to other hosts in your NetWitness Platform deployment.

Detailed workflow for deploying a host and maintaining hosts and services

Maintain a Host - Basics

The following maintenance tasks are shown in alphabetical order.

Maintain a Host from the Host Task List Dialog

You use the Host Task List dialog to manage tasks that relate to a host and its communications with the network. Several service and host configuration options are available for Core hosts. 

Maintain a Service

The following procedures describe how to maintain services.

Apply Version Updates to a Host

Use the following methods to apply version updates to a host.

Note: If you have changed your location of the repository, see Set Up an External Repository with RSA and OS Updates for instructions.

Complete the following tasks to update a host to a new version update.

Apply Updates from the Hosts View with RSA Live Update Repo Connection (Web Access)

Task 1. Populate Local Repo or Set Up an External Repo

When you set up your NW Server, you select the Local Repository (Repo) or an External Repository (Repo). The Hosts view retrieves version updates from the repo you selected.

If you select the Local Repo, you do not need to set it up, but you must make sure that it is populated with the latest version updates. See Populate Local Update Repository for instructions on how to populate it with a version update.

Note: If you selected an External Repo, you must set it up. For instructions on how to set it up and populate it with a version update, see Set Up an External Repository with RSA and OS Updates.

Task 2. Apply Updates from the Hosts View to Each Host

Use one of the following methods to apply version updates (for example, 11.4.0.0) to a host.

Online Method (Connected to RSA Live)

Use this method if NetWitness Platform has an RSA Live Update Repo Connection (Web Access).

Task 1. Populate Local Repo or Set Up an External Repo

When you set up your NW Server, you select the Local Repository (Repo) or an External Repository (Repo). The Hosts view retrieves version updates from the repo you selected.

If you select the Local Repo, you do not need to set it up, but you must make sure that it is populated with the latest version updates. See Appendix A. Populate Local Repo for instructions on how to populate it with a version update.

Note: If you selected an External Repo, you must set it up. For instructions on how to set it up and populate it with a version update, see Appendix B. Set Up External Repo.

Task 2. Apply Updates from the Hosts View to Each Host

The Hosts view displays the software version updates available in your Local Update Repository, and you choose and apply the updates you want from the Host view.

This procedure tells you how to update a host to a new version of NetWitness Platform. 

  1. Log in to NetWitness Platform.
  2. Go to Admin > Hosts.
  3. (Conditional) Check for the latest updates.

    The Update drop down list

  4. Select a host or hosts.

    You must update the NW Server to the latest version first. You can update the other hosts in any sequence you prefer, but RSA recommends that you follow the guidelines in Running in Mixed Mode.
    Update Available is displayed in the Status column of the Hosts list view if you have a version update in your Local Update Repository for the selected hosts.

  5. Select the version you want to apply from the Update Version column.

    Example of a drop-down list of versions in the Update Version column

    If you:

    • Want to update more than one host to that version, after you update the NW Server host, select the checkbox to the left of the hosts. Only currently supported update versions are listed.
    • Want to view a dialog with the major features in the update, click the inline help icon to the right of the update version number. The following is an example of this dialog.

      Example of the Update Available dialog with Close button

    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message New updates are available is displayed, and the Status column updates automatically to show Update Available. By default, only supported updates for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.

     A dialog is displayed with information about the selected update. Click Begin Update.

    Example of the Update Available dialog with Begin Update button

    The Status column tells you what is happening in each of the following stages of the update:

    • Stage 1 - Downloading update packages - downloads the repository artifacts to the NW Server applicable to the services on the host you chose.
    • Stage 2 - Configuring update packages - configures the update files into the correct format.
    • Stage 3 - Update in progress - updates host to the new version.
  7. When you see Update in progress, refresh the browser.

    This may display the NetWitness Log In screen from which you log in again and navigate back to the Host view.

    After the host is updated, NetWitness Platform prompts you to Reboot Host.

  8. Click Reboot Host from the toolbar.

    NetWitness Platform shows the status as Rebooting... until the host comes back online and the Status shows Up-to-Date. Contact Customer Care if the host does not come back online.

Note: If you have the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) enabled, opening core services can take approximately 5 to 10 minutes. This delay is caused by the generation of new certificates.

Offline Method from Hosts View

Use this method if NetWitness Platform does not have an RSA Live Update Repo Connection (No Web Access) and you want to apply updates from the Admin > Hosts view.

Note: The offline User Interface method is only available if you are upgrading a host from 11.3.1.0 or later to 11.4.0.0. If you are upgrading a host on an earlier version, you must use the Offline Method described in Offline Method Using Command Line Interface.

Follow these instructions to apply version updates from the User Interface without a NetWitness Platform connection to the Internet (for example, no Live connection). The following rules apply when you apply version updates:

  • You must update the NW Server host first.
  • You can only apply a version that is compatible with the existing host version.

Task 1. Populate Staging Folder (/var/lib/netwitness/common/update-stage/) with Version Updates

  1. Download the .zip update package for the version you want (for example, netwitness-11.4.0.0.zip) from RSA Link to a local directory.
  2. SSH to the NW Server host.
  3. Copy the update package you want from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder. For example:
    sudo cp /tmp/netwitness-<version-number>.zip /var/lib/netwitness/common/update-stage/

    Note: NetWitness Platform unzips the file automatically.

Task 2. Apply Updates from the Staging Area to Each Host

Caution: You must update the NW Server host before updating any Non-NW Server host.

  1. Log in to NetWitness Platform.
  2. Go to Admin > Hosts.
  3. Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.

    Example of Initialize Update Package for RSA NetWitness Platform dialogs

    Ready to initialize the update packages is displayed if:

    • NetWitness Platform can access the update package.
    • The package is complete and has no errors.

    Refer to Appendix C. Troubleshooting Version Installations and Upgrades for instructions on how to troubleshoot errors (for example, Error deploying version <version-number> and Missing the following update package(s)) displayed in the Initiate Update Package for RSA NetWitness Platform dialog.

  4. Click Initialize Update.

    Example of Initialize Update Package for RSA NetWitness Platform dialog

    It takes some time to initialize the packages because the files are large and need to be unzipped. After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host.

  5. Click Update > Update Hosts from the toolbar.

    Figure of update button with Update Host selected

  6. Click Begin Update from the Update Available dialog.

    After the host is updated, it prompts you to reboot the host.

  7. Click Reboot from the toolbar.

Offline Method Using Command Line Interface

Use this method if NetWitness Platform does not have an RSA Live Update Repo Connection (No Web Access) and you want to apply updates using the Command Line Interface.

If your RSA NetWitness Platform deployment does not have Web access, complete the following procedure to apply a version update.

  1. Download the .zip update package for the version you want (for example, netwitness-11.4.0.0.zip) from RSA Link to the /root directory.
  2. SSH to the NW Server host.
  3. Make a /tmp/upgrade/<version> staging directory for the version you want (for example, /tmp/upgrade/11.4.0.0).
    mkdir -p /tmp/upgrade/11.4.0.0
  4. Copy the .zip update package to the /root directory.

    Note: 1.) Make sure that you copy the netwitness-11.4.0.0.zip file to a directory path other than the staging directory path (for example, the /root directory). 2.) Make sure that you extract the rpm files to the staging directory path (for example, /tmp/upgrade/11.4.0.0 directory).

  5. Unzip the package into the staging directory you created (for example, /tmp/upgrade/11.4.0.0).
    unzip /root/netwitness-11.4.0.0.zip -d /tmp/upgrade/11.4.0.0
  6. Initialize the update on the NW Server.
    upgrade-cli-client --init --version 11.4.0.0 --stage-dir /tmp/upgrade/
  7. Apply the update to the NW Server.
    upgrade-cli-client --upgrade --host-addr <NW Server IP> --version 11.4.0.0
  8. Log in to NetWitness Platform, go to Admin > Hosts, and reboot the NW Server host in the Host view.
  9. For each component host:
    1. Apply the update to the component host:
      upgrade-cli-client --upgrade --host-addr <component-host IP address> --version 11.4.0.0
      The update is complete when the polling is completed.
    2. Log in to NetWitness Platform, go to Admin > Hosts, and reboot the component host in the Host view.

You can verify the version applied to the host with the following command.
upgrade-cli-client --list

Note: 1.) If you have DISA STIG enabled, opening Core Services can take approximately 5 to 10 minutes. This delay is caused by the generation of new certificates.
2.) If you have Unity storage, check the PowerPath status and verify that it can see the Unity device.
3.) If you get the error illustrated in the following example, the update installs correctly and no action is required. If you encounter additional errors during the update, contact Customer Support.
2019-01-28 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
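The note above says that the CONNECTION_FORCED broker error is expected while the update restarts the message broker, but that any other error should go to Customer Support. The following Python script is an added illustration of how to triage a captured upgrade log against that rule; it is not part of RSA's documentation or tooling. It parses the line format shown in the note, treats non-ERROR lines as informational, recognises the known-benign shutdown message by its reply code and reason, and returns every remaining ERROR line for a human to look at. The sample log is constructed for this example: the first line is the one quoted above, the other two are made up, and the logger names in them are assumptions.

```python
import re

# Constructed sample of upgrade log output. The first line is the benign
# broker connection-closure error the procedure says can be ignored; the
# other two are made up here to show how the filter treats other lines.
SAMPLE_LOG = """\
2019-01-28 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
2019-01-28 20:13:27.101 INFO 7994 — [           main] example.upgrade.Orchestrator : Polling host 10.0.0.5 for upgrade status (constructed line)
2019-01-28 20:14:02.417 ERROR 7994 — [           main] example.upgrade.Orchestrator : Failed to install package rsa-nw-example-11.4.0.0.rpm: dependency missing (constructed line)
"""

# timestamp, level, pid, separator, [thread], logger : message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<pid>\d+)\s+\S+\s+\[(?P<thread>[^\]]*)\]\s+"
    r"(?P<logger>\S+)\s+:\s+(?P<msg>.*)$"
)

# Fingerprint of the one ERROR the procedure documents as expected: the broker
# closes its connections (AMQP reply code 320) because it is shutting down.
BENIGN_BROKER_SHUTDOWN = re.compile(
    r"reply-code=320.*CONNECTION_FORCED.*reason 'shutdown'"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def classify(line):
    """Return 'info', 'benign' or 'investigate' for one log line.
    Lines that cannot be parsed are flagged rather than silently dropped."""
    record = parse_line(line)
    if record is None:
        return "investigate"
    if record["level"] != "ERROR":
        return "info"
    if BENIGN_BROKER_SHUTDOWN.search(record["msg"]):
        return "benign"
    return "investigate"


def triage(log_text):
    """Return the lines that still need attention after the known-benign
    broker shutdown error has been filtered out."""
    return [line for line in log_text.splitlines()
            if line.strip() and classify(line) == "investigate"]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"{classify(line):12s} {line[:80]}")
    print(f"{len(triage(SAMPLE_LOG))} line(s) need attention")
```

Run it against the real log by reading the file into `triage()`; an empty result means the only errors seen were the documented broker shutdown, which the note says needs no action.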

 

Apply Version Update from Hosts View without RSA Live Update Repo Connection (No Web Access)

Note: This feature was introduced in 11.3.1. You can apply a version update to a host offline through the Hosts view after that host has been updated to 11.3.1.0.

Follow these instructions to apply version updates from the User Interface without a NetWitness Platform connection to the Internet (for example, no Live connection). The following rules apply when you apply version updates:

  • You must update the NW Server host first.
  • You can only apply a version that is compatible with the existing host version.

Task 1. Populate Staging Folder (/var/lib/netwitness/common/update-stage/) with Version Updates

  1. Download the .zip update package for the version you want (for example, netwitness-11.4.0.0.zip) from RSA Link to a local directory.
  2. SSH to the NW Server host.
  3. Copy the update package you want from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder. For example:
    sudo cp /tmp/netwitness-<version-number>.zip /var/lib/netwitness/common/update-stage/

    Note: NetWitness Platform unzips the file automatically.

Task 2. Apply Updates from the Staging Area to Each Host

Caution: You must update the NW Server host before updating any Non-NW Server host.

  1. Log in to NetWitness Platform.
  2. Go to ADMIN > Hosts.
  3. Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.

    Example of Initialize Update Package for RSA NetWitness Platform dialogs

    Ready to initialize the update packages is displayed if:

    • NetWitness Platform can access the update package.
    • The package is complete and has no errors.

    Refer to Troubleshooting Version Installations and Updates for instructions on how to troubleshoot errors (for example, Error deploying version <version-number> and Missing the following update package(s)) displayed in the Initiate Update Package for RSA NetWitness Platform dialog.

  4. Click Initialize Update.

    Example of Initialize Update Package for RSA NetWitness Platform dialog

    It takes some time to initialize the packages because the files are large and need to be unzipped. After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host.

  5. Click Update > Update Hosts from the toolbar.

    Figure of update button with Update Host selected

  6. Click Begin Update from the Update Available dialog.

    After the host is updated, it prompts you to reboot the host.

  7. Click Reboot from the toolbar.

Apply Updates from the Command Line (No Web Access)

If your NetWitness Platform deployment does not have Web access, complete the following procedure to apply a version update. This means the NW Server host is not connected to Live Services.

Note: In the following procedure, 11.4.0.0 is the version update used as an example in the code strings.

  1. Download the .zip update package for the version you want (for example, netwitness-11.4.0.0.zip) from RSA Link to a local directory.
  2. SSH to the NW Server host.
  3. Make a /tmp/upgrade/<version> staging directory for the version you want (for example, /tmp/upgrade/11.4.0.0).
    mkdir -p /tmp/upgrade/11.4.0.0
  4. Copy the .zip update package to a directory on the NW Server other than the staging directory (for example, the /tmp directory).

  5. Unzip the package into the staging directory you created (for example, /tmp/upgrade/11.4.0.0).
    unzip /<download-location>/netwitness-11.4.0.0.zip -d /tmp/upgrade/11.4.0.0
  6. Initialize the update on the NW Server.
    upgrade-cli-client --init --version 11.4.0.0 --stage-dir /tmp/upgrade/
  7. Apply the update to the NW Server.
    upgrade-cli-client --upgrade --host-addr <NW Server IP> --version 11.4.0.0
  8. Log in to NetWitness Platform and reboot the NW Server host in the Host View.
  9. Apply update to each non-NW Server host.
    upgrade-cli-client --upgrade --host-addr <non-NW Server IP address> --version 11.4.0.0
    The update is complete when the polling is completed.
  10. Log in to NetWitness Platform and reboot the host in the Host View.
    You can verify the version applied to the host with the following command:
    upgrade-cli-client --list

Populate Local Update Repository

NetWitness Platform sends version updates to the Local Update Repository from the Live Update Repository. Access to the Live Update Repository requires and uses the Live Account credentials configured under ADMIN > System > Live Services. In addition, you must check the Automatically download information about new updates every day checkbox under ADMIN > System > Updates to populate the Local Repo daily.

The following diagram illustrates how you obtain version updates if your NetWitness Platform deployment has web access.

Workflow for 11.x.x.x version update with web access

Note: When you make the initial connection with the Live Update Repository, you will be accessing all the CentOS 7 system packages and the RSA Production packages. This download of over 6.5 GB of data takes an indeterminate amount of time depending on your NW Server Internet connection and the traffic on the RSA repository. It is not mandatory to use the Live Update Repository. Alternatively, you can use an external repo.

To connect to the Live Update Repository, go to Admin > System, select Live Services in the options panel and make sure that credentials are configured (Connection light should be green). If it is not green, click Sign In and connect.

Note: If you need to use a proxy to reach the Live Update Repository, you can configure the Proxy Host, Proxy Username, and Proxy Password. For more information, see "Configure Proxy for NetWitness Platform" in the System Configuration Guide.

If your NetWitness Platform deployment does not have Web Access, you can use one of the following procedures to apply version updates to hosts.

The following diagram illustrates how you obtain version updates if your NetWitness Platform deployment does not have web access.

Workflow for 11.x.x.x version update with no web access

Set Up an External Repository with RSA and OS Updates

Note: In the following procedure, 11.4.0.0 is the version update used as an example in the code strings.

Complete the following procedure to set up an external repository (Repo).

Note: 1.) You need an unzip utility installed on the host to complete this procedure. 2.) You must know how to create a web server before you complete the following procedure.

  1. (Conditional) Complete this step if you have an external repo and you want to override it.
    • Case 1: You bootstrapped the host from an external repo and you want to upgrade using a local repo on the Admin Server.
      1. Create the /etc/netwitness/platform/repobase file.
        vi /etc/netwitness/platform/repobase
      2. Edit the repobase file so that the only information in the file is the following URL.
        https://nw-node-zero/nwrpmrepo
      3. Complete the instructions on how to run the upgrade using the upgrade-cli-client tool.
    • Case 2: You bootstrapped the host from local repo on the Admin server (NW Server host) and you want to use an external repo for the upgrade.
      1. Create the /etc/netwitness/platform/repobase file.
        vi /etc/netwitness/platform/repobase
      2. Edit the repobase file so that the only information in the file is the following URL.
        https://<webserver-ip>/<alias-for-repo>
      3. Complete the instructions on how to run the upgrade using the upgrade-cli-client tool.
        The instructions are in the Apply Updates from the Command Line (No Web Access).
  2. Set up the external repo.
    1. Log in to the web server host.
    2. Create a directory to host the NW repository (netwitness-11.4.0.0.zip), for example ziprepo, under the web root of the web server. For example, if /var/netwitness is the web root, run the following command:
      mkdir -p /var/netwitness/<your-zip-file-repo>
    3. Create the 11.4.0.0 directory under /var/netwitness/<your-zip-file-repo>.
      mkdir -p /var/netwitness/<your-zip-file-repo>/11.4.0.0
    4. Create the OS and RSA directories under /var/netwitness/<your-zip-file-repo>/11.4.0.0.
      mkdir -p /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS
      mkdir -p /var/netwitness/<your-zip-file-repo>/11.4.0.0/RSA
    5. Unzip the netwitness-11.4.0.0.zip file into the /var/netwitness/<your-zip-file-repo>/11.4.0.0 directory.
      unzip netwitness-11.4.0.0.zip -d /var/netwitness/<your-zip-file-repo>/11.4.0.0
      Unzipping netwitness-11.4.0.0.zip results in two zip files (OS-11.4.0.0.zip and RSA-11.4.0.0.zip) and some other files.
    6. Unzip OS-11.4.0.0.zip into the /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS directory.
      unzip /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS-11.4.0.0.zip -d /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS
      The following example illustrates how the Operating System (OS) file structure appears after you unzip the file.

      The external URL for the repo is http://<web server IP address>/<your-zip-file-repo>.

    7. Unzip RSA-11.4.0.0.zip into the /var/netwitness/<your-zip-file-repo>/11.4.0.0/RSA directory.
      unzip /var/netwitness/<your-zip-file-repo>/11.4.0.0/RSA-11.4.0.0.zip -d /var/netwitness/<your-zip-file-repo>/11.4.0.0/RSA
      The following example illustrates how the RSA version update file structure appears after you unzip the file.

    8. (Conditional - For Azure) Follow these steps for an Azure update.
      1. mkdir -p /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS/other
      2. unzip nw-azure-11.3-extras.zip -d /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS/other
      3. cd /var/netwitness/<your-zip-file-repo>/11.4.0.0/OS
      4. createrepo
    9. Use http://<web server IP address>/<your-zip-file-repo> in response to the Enter the base URL of the external update repositories prompt from the NW 11.4.0.0 Setup program (nwsetup-tui).
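The command-line update procedure (Apply Updates from the Command Line) and the external repo procedure above both unpack the same netwitness-<version>.zip bundle: the first into /tmp/upgrade/<version>, the second into <web root>/<repo>/<version>/OS and /RSA after extracting the nested OS-<version>.zip and RSA-<version>.zip. The following Python script is an added illustration of that layout and of the checks the notes ask for (the package version must match the version being staged, and the zip must be kept outside the staging directory it is extracted into). It is not RSA's code: the bundle it builds is a constructed stand-in holding placeholder files rather than real RPMs, and it works entirely inside a temporary directory so it can be run anywhere.

```python
import io
import os
import tempfile
import zipfile

VERSION = "11.4.0.0"  # the version the procedures above use as their example


def build_constructed_bundle(directory, version=VERSION):
    """Write a netwitness-<version>.zip with the nested layout the procedure
    describes: OS-<version>.zip, RSA-<version>.zip and some other files.
    Everything inside is a constructed placeholder, not a real RPM."""
    def nested_zip(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name in members:
                z.writestr(name, b"placeholder rpm payload")
        return buf.getvalue()

    os.makedirs(directory, exist_ok=True)
    bundle = os.path.join(directory, f"netwitness-{version}.zip")
    with zipfile.ZipFile(bundle, "w") as z:
        z.writestr(f"OS-{version}.zip", nested_zip(["centos-placeholder.rpm"]))
        z.writestr(f"RSA-{version}.zip", nested_zip(["rsa-nw-placeholder.rpm"]))
        z.writestr("README.txt", b"constructed sample bundle")
    return bundle


def version_from_bundle(zip_path):
    """Derive the version from the package name, e.g. netwitness-11.4.0.0.zip."""
    name = os.path.basename(zip_path)
    if not (name.startswith("netwitness-") and name.endswith(".zip")):
        raise ValueError(f"unexpected package name: {name}")
    return name[len("netwitness-"):-len(".zip")]


def stage_for_cli(zip_path, stage_root, version):
    """Steps 3 to 5 of the CLI procedure, with the checks from its note: the
    package version must match, and the zip must not sit inside the staging
    directory it is extracted into. Returns the staging directory."""
    zip_path = os.path.abspath(zip_path)
    stage_dir = os.path.abspath(os.path.join(stage_root, version))
    if version_from_bundle(zip_path) != version:
        raise ValueError(f"{zip_path} is not a version {version} package")
    if zip_path.startswith(stage_dir + os.sep):
        raise ValueError("keep the downloaded zip outside the staging directory")
    os.makedirs(stage_dir, exist_ok=True)       # mkdir -p /tmp/upgrade/<version>
    with zipfile.ZipFile(zip_path) as z:        # unzip <zip> -d /tmp/upgrade/<version>
        z.extractall(stage_dir)
    return stage_dir


def lay_out_external_repo(zip_path, webroot, repo_name, version):
    """Steps 2.2 to 2.7 of the external-repo procedure: create
    <webroot>/<repo>/<version>/{OS,RSA}, unzip the bundle into the version
    directory, then unzip the nested OS and RSA zips into their directories."""
    version_dir = os.path.join(webroot, repo_name, version)
    for sub in ("OS", "RSA"):
        os.makedirs(os.path.join(version_dir, sub), exist_ok=True)
    with zipfile.ZipFile(zip_path) as z:
        z.extractall(version_dir)
    for sub in ("OS", "RSA"):
        with zipfile.ZipFile(os.path.join(version_dir, f"{sub}-{version}.zip")) as z:
            z.extractall(os.path.join(version_dir, sub))
    return version_dir


def repo_base_url(webserver_ip, repo_name):
    """The URL given to nwsetup-tui and written to /etc/netwitness/platform/repobase."""
    return f"http://{webserver_ip}/{repo_name}"


def demo():
    """Run both flows against a constructed bundle in a scratch directory and
    return what was produced, so the result can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_constructed_bundle(os.path.join(tmp, "root"))
        stage_root = os.path.join(tmp, "tmp", "upgrade")
        stage = stage_for_cli(bundle, stage_root, VERSION)
        repo = lay_out_external_repo(bundle, os.path.join(tmp, "var", "netwitness"),
                                     "ziprepo", VERSION)
        try:   # a zip sitting inside the staging directory must be refused
            stage_for_cli(os.path.join(stage, f"netwitness-{VERSION}.zip"),
                          stage_root, VERSION)
            refused = False
        except ValueError:
            refused = True
        return {
            "staged": sorted(os.listdir(stage)),
            "os_rpms": sorted(os.listdir(os.path.join(repo, "OS"))),
            "rsa_rpms": sorted(os.listdir(os.path.join(repo, "RSA"))),
            "refused_zip_inside_stage": refused,
            "base_url": repo_base_url("<web server IP address>", "ziprepo"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The script stops short of `createrepo` and of `upgrade-cli-client --init`, which act on the real package contents; its value is the directory layout and the two pre-flight checks, which are the parts that are easy to get wrong when typing the commands by hand.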

Create and Manage Host Groups

The Hosts view provides options for creating and managing groups of hosts. The Groups panel toolbar includes options for creating, editing, and deleting host groups. Once groups are created, you can drag individual hosts from the Hosts panel into a group.

Groups may reflect functional, geographical, project-oriented, or any other organization principle that is useful. A host may belong to more than one group. Here are some examples of possible groupings:

  • Group different categories to make it easier to configure and monitor all Brokers, Network Decoders, or Concentrators.
  • Group hosts that are part of the same data flow; for example, a Broker, and all associated Concentrators and Network Decoders.
  • Group hosts according to their geographic region and location within the region. If a major power outage occurs in a location, potentially affected hosts are easily identifiable.

Create a Group

  1. Select ADMIN > Hosts.
    The Hosts view is displayed.
  2. In the Groups panel toolbar, click The Add icon.
    A field for the new group opens with a blinking cursor.
    This is an example of a new group field.
  3. Type the name of the new group in the field (for example, Geo 1) and press Enter.
    The group is created as a folder in the tree. The number next to the group indicates the number of hosts in that group.
    This is an example of a new group.

Change the Name of a Group

  1. In the Hosts view Groups panel, double-click the group name, or select the group and click The Edit icon.
    The name field opens with a blinking cursor.
  2. Type the new name of the group and press Enter.
    The name field closes and the new group name is displayed in the tree.

Add a Host to a Group

In the Hosts view Hosts panel, select a host and drag the host to a group folder in the Groups panel.
The host is added to the group.

View the Hosts in a Group

To view the hosts in a group, click the group in the Groups panel.
The Hosts panel lists the hosts in that group.

Remove a Host from a Group 

  1. In the Hosts view Groups panel, select the group that contains the host that you want to remove.
    The hosts in that group appear in the Hosts panel.
  2. In the Hosts panel, select one or more hosts that you want to remove from the group, and in the toolbar, select The Delete icon > Remove from Group.
    The selected hosts are removed from the group, but are not removed from the NetWitness Platform user interface. The number of hosts in the group, which is listed near the group name, decreases by the number of hosts removed from the group. The All group contains the hosts that were removed from the group.
    In the following example, the host group called Geo 1 does not contain any hosts, because all the hosts in that group are removed.
    This is an example of the Groups panel

Delete a Group 

  1. In the Hosts view Groups panel, select the group that you want to delete. 
  2. Click The Delete icon.
    The selected group is removed from the Groups panel. The hosts that were in the group are not removed from the NetWitness Platform user interface. The All group contains the hosts from the deleted group. 

Search for Hosts

You can search for hosts from a list of hosts in the Hosts view. The Hosts view enables you to quickly filter the list of hosts by Name and Host. It is possible to have numerous NetWitness Platform hosts in use for various purposes. Instead of scrolling through the host list, you can quickly filter the host list to locate the hosts that you want to administer.

In the Services view, you can search for a service and quickly find the host that runs that service.

Search for a Host

  1. Select ADMIN > Hosts.
  2. In the Hosts panel toolbar, type a host Name or Hostname in the Filter field.
    This is the unfilled Filter field.
    The Hosts panel lists the hosts that match the names entered in the Filter field.

Find the Host that Runs a Service

  1. Select ADMIN > Services.
  2. In the Services view, select a service. The associated host is listed in the Host column for that service.
  3. To administer the host in the Hosts view, click the link in the Host column for that service.
    The host associated with the selected service is displayed in the Hosts view.
    Example of host associated with NW Server

Execute a Task From the Host Task List

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.

    Note: The Admin, Config, Orchestration, Security, Investigate, and Respond services do not have access to the System view. They only have access to the Explore view.

    The System view for the service is displayed below.

    Example of the System view for a Broker service

  3. In the Services System view toolbar, click Host Tasks.
    This is an example of the Host Task List dialog.
  4. In the Host Task List dialog, click in the Task field to display a drop-down list of tasks that run on a host.
    This is an example of the Task drop-down menu in the Host Task List dialog.
  5. Select a task (for example, click Stop Service).
    The task is displayed in the Task field. Task description, example arguments, security roles, and parameters are displayed in the Info area.
    This is an example of the Host Task List dialog Stop Service task
  6. Type arguments if necessary and click Run.
    The command executes and the result is displayed in the Output section.

Add and Delete a Filesystem Monitor

When you want a service to monitor traffic on a specific file system, you can select the service and then specify the path. NetWitness Platform adds a filesystem monitor. Once a file system monitor is added to a service, the service continues to monitor traffic on that path until the file system monitor is deleted.

Configure the Filesystem Monitor

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Add Filesystem Monitor.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. To identify the file system to monitor, type the path in the Arguments field. For example:
    path=/var/netwitness/decoder/packetdb
    This is an example of the Host Task List Add Filesystem Monitor task
  6. Click Run.
    The result is displayed in the Output area. The service begins to monitor the file system and continues to monitor it until you delete the filesystem monitor.

Delete a Filesystem Monitor

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Delete Filesystem Monitor.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. To identify the filesystem to stop monitoring, type the path in the Arguments field. For example:
    path=/var/netwitness/decoder/packetdb
    This is an example of the Host Task List dialog Delete Filesystem Monitor task
  6. Click Run.
    The result is displayed in the Output area. The service stops monitoring the file system.

Reboot a Host

Under certain conditions, you must reboot a host; for example, after installing a software upgrade. This procedure uses a Host Task List message to shut down and restart a host. 

NetWitness Platform also offers other options for shutting down a host:

Shut Down and Restart a Host from the Hosts View

  1. Select ADMIN > Hosts.
  2. In the Hosts panel, select a host.
  3. Select The Reboot Host icon from the toolbar.

Shut Down and Restart a Host from the Host Task List

  1. Select ADMIN > Services.
  2. In the Services panel, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Reboot Host in the Task field.
    No arguments are required.
    This is an example of the Host Task List dialog Reboot Host task
  5. Click Run.
    The host is rebooted and the result is displayed in the Output area.

Set Host Built-In Clock

After a shutdown or battery failure, it may be necessary to set the local clock on a host. The Set Host Built-In Clock task resets the clock time.

Set the Time on the Local Clock

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Host Built-In Clock.
    Help for the task is displayed in the Info area.
  5. Enter the date and time arguments in the Arguments field.
    For example, to specify October 31, 2017 at 11:59:59 PM, type:
    set=20171031T235959
    This is an example of the Host Task List dialog Set Host Built-In Clock task
  6. Click Run.
    The clock is set to the specified time and a message is displayed in the Output area.

Set Network Time Source

When setting the clock source for a host, set the hostname or address of a Network Time Protocol (NTP) server to be the network clock source for the host. If the host is using a local clock source, you must specify local here to allow Set the Local Clock Source to be effective.

Specify the Network Clock Source

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions menu > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Network Time Source.
    This is an example of the Host Task List dialog Set Network Time Source task
  5. Do one of the following:
  • Type the hostname or address of the NTP server to serve as the clock source for this host; for example: source=tictoc.localdomain
  • If you want to use the host clock as a clock source, type:
    source=local
  6. Click Run.
    The clock source is set and a message is displayed in the Output area.

Note: If you specified an NTP clock source of local, the host clock serves as the clock source and the time is configured using Set Host Built-In Clock.

Set SNMP

The Set SNMP task in the Host Task List enables or disables the SNMP service on a host. For a host to receive SNMP notifications, enable the SNMP service. If you are not using SNMP for NetWitness Platform notifications, it is not necessary to enable the service.

Toggle SNMP Service on the Host

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select setSNMP.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. Do one of the following:
  • If you want to disable the service, type enable=0 in the Arguments field.
    This is an example of the Host Task List dialog set SNMP task service disabled
  • If you want to enable the service, type enable=1 in the Arguments field.
    This is an example of the Host Task List dialog set SNMP task service enabled
  6. Click Run.
    The result is displayed in the Output area.

Set Syslog Forwarding

You can configure Syslog forwarding to forward the operating system logs of your NetWitness Platform Hosts to a remote syslog server. You can use the Set Syslog Forwarding task in the Host Task List to enable or disable syslog forwarding.

Set Up and Start Syslog Forwarding

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Syslog Forwarding.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
    This is an example of the Host Task List dialog Set Syslog Forwarding task
  5. In the Arguments field, do any one of the following.
    • To enable syslog forwarding, specify any one of the following formats:

      host=<loghost>.<localdomain> (for example, host=syslogserver.local).

      host=<loghost>.<localdomain>:<port> (for example, host=syslogserver.local:514).

      host=<IP> (for example, host=10.31.244.244).

      host=<IP>:<port> (for example, host=10.31.244.244:514).

      The following table lists the parameters used to enable syslog forwarding.

      Parameter | Description
      loghost | The host name of the remote syslog server.
      localdomain | The domain of the remote syslog server.
      port | The port number on which the remote syslog server receives syslog messages.
      IP | The IP address of the remote syslog server.
    • To disable syslog forwarding, type host=disable.
  6. Click Run.
    The result is displayed in the Output area.

Once syslog forwarding is enabled or disabled, the /etc/rsyslog.conf file is updated automatically to enable or disable syslog forwarding to the remote syslog destination and the syslog service is restarted.

If you enable syslog forwarding, the logs from the configured service are forwarded to the defined syslog server and continue to be forwarded until forwarding is disabled.

Note: You can now log in to the remote syslog server and verify if the messages are being received from the NetWitness Platform services configured for syslog forwarding.
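The host= argument formats above are easy to get subtly wrong (a port outside the valid range, a bare hostname without a domain). The following added example, which is not RSA code, validates an argument offline before it is entered in the task dialog; it assumes IPv4 addresses only, since an IPv6 literal would contain colons, and treats a missing port as "use the destination's default".

```python
"""Validate the host= argument of the Set Syslog Forwarding task (added example)."""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_fqdn(name):
    """Accept <loghost>.<localdomain>: at least two valid labels, 253 chars max.
    Requiring a domain part is an assumption taken from the documented formats."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def parse_syslog_forwarding_argument(argument):
    """Return {"enabled": bool, "host": str | None, "port": int | None}.

    Accepted forms: host=disable, host=<fqdn>[:<port>], host=<IPv4>[:<port>].
    port is None when the argument does not carry one. Raises ValueError otherwise.
    """
    key, sep, value = argument.strip().partition("=")
    if key != "host" or not sep or not value:
        raise ValueError("argument must be host=<value>")
    if value == "disable":
        return {"enabled": False, "host": None, "port": None}

    host, colon, port_text = value.rpartition(":")
    if not colon:                      # no port given at all
        host, port = value, None
    else:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"port must be 1-65535, got {port_text!r}")
        port = int(port_text)

    try:
        ipaddress.IPv4Address(host)    # the <IP> forms
    except ValueError:
        if not _is_fqdn(host):         # otherwise it must be <loghost>.<localdomain>
            raise ValueError(f"{host!r} is neither an IPv4 address nor a host.domain name")
    return {"enabled": True, "host": host, "port": port}


if __name__ == "__main__":
    # Constructed inputs taken from the formats documented above.
    for arg in ("host=syslogserver.local", "host=10.31.244.244:514", "host=disable"):
        print(arg, "->", parse_syslog_forwarding_argument(arg))
```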

Show Network Port Status

The Show Network Port Status task in the Host Task List gives you the status of all configured ports on the host.

Display the Network Port Status

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the selected service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, click Show Network Port Status.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. No arguments are required for this task. Click Run.
    The status for each port on the host is displayed in the Output area.
    This is an example of the Host Task List dialog Show Network Port Status task

Show Serial Number

The Show Serial Number task in the Host Task List displays the serial number of a host.

Show the Serial Number

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Show Serial Number.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. No arguments are required for this task. Click Run.
    The serial number of the selected host is displayed in the Output area.
    This is an example of the Host Task List dialog Show Serial Number task

Shut Down Host

Under certain circumstances (for example, a hardware upgrade or an extended power outage that exceeds backup power capacity), it may be necessary to shut down a physical host. When you shut down a host, all services running on the host are stopped and the physical host turns off.

The physical host does not restart automatically. Use the power switch to restart the host. Once the physical host restarts, the host and services are configured to restart automatically.

See Reboot a Host for how to start and stop a host without shutting down the host.

Shut Down the Host

  1. In the Host Task List, select Shut Down Host.
    This is an example of the Host Task List dialog Shut Down Host task
  2. To execute the task, click Run.
    The host shuts down, and the host turns off. 

Stop and Start a Service on a Host

The Host Task List has two options for stopping and starting a service on a host. When you stop a service using the Stop Service message, all processes of the service are stopped and users connecting to the service are disconnected. Unless there is a problem with the service, it restarts automatically. This is the same as the Shutdown Service option in the Services System view.

If a service does not restart automatically after being stopped, you can restart it manually using the Start Service message.

Stop a Service on a Host

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Stop Service.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. Specify the service (decoder, concentrator, broker, logdecoder, logcollector) to stop in the Arguments field; for example, service=decoder.
    This is an example of the Host Task List dialog Stop Service task
  6. To execute the task, click Run.
    The service stops and the status is displayed in the Output area. All processes of the service are stopped and users connecting to the service are disconnected. Unless there is a problem with the service, it restarts automatically.

Start a Service on a Host

  1. Select ADMIN > Services.
  2. In the Services list, select a service and click The Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Start Service.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. Specify the service (decoder, concentrator, broker, logdecoder, logcollector) to start in the Arguments field; for example, service=decoder.
    This is an example of the Host Task List dialog Start Service task
  6. To execute the task, click Run.
    The service starts and the status is displayed on the Output area.

Add, Replicate, or Delete a Service User

You must add a user to a service for:

  • Aggregation
  • Accessing the service with the:
    • Thick client
    • REST API

Note: This topic does not apply to users who access services through the user interface on NetWitness Server. You must add those users to the system, not to a service. For details, see "Set Up a User" in the System Security and User Management Guide.

For each service user, you can:

  • Configure user authentication and query handling properties for the service
  • Make the user a member of a role, which has a set of permissions the user receives
  • Replicate the user account to other services
  • Change the service user password on selected services

Change a Service User Password provides instructions for changing the service user password across services.

To navigate to the Services Security view:

  1. In NetWitness Platform, go to ADMIN > Services.
  2. Select a service, then click The Actions drop-down menu > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
    This is an example of a Concentrator Security view.

Add a Service User

  1. On the Users tab, click The Add icon.
  2. Type the user name to access the service, then press Enter.
    The User Information section displays the user name and the rest of the fields are available for editing.
  3. Type the password for logging on to the service in the Password and Confirm Password fields.
  4. (Optional) Provide additional information:
  • Name for logging on to NetWitness Platform
  • Email address
  • Description of the user
  5. In the User Settings section, select the following information:
  • Authentication Type
    • If NetWitness Platform authenticates the user, select NetWitness.
    • If Active Directory or PAM is configured on NetWitness Server to authenticate the user, select External.
  • Core Query Timeout is the maximum number of minutes a user can run a query on the service. This field applies to NetWitness Platform 10.5 and later service versions and does not appear for 10.4 and earlier versions.
  6. (Optional) Specify additional query criteria:
  • Query Prefix filters queries. Type a prefix to restrict results the user sees.
  • Session Threshold controls how the service scans meta values to determine session counts. Any meta value with a session count that is above the threshold stops its determination of the true session count.
  7. In the Role Membership section, select each role to assign to the user. When a user is a member of a role on a service, the user has the permissions assigned to the role.
  8. To activate the new service user, click Apply.

Replicate a User to Other Services

Note: The admin user cannot be replicated to other services.

  1. In the Users tab, select a user and click The Action drop-down menu > Replicate.
    The Replicate Users to Other Services dialog is displayed.
    This is an example of the Replicate User to Other Services dialog
  2. Enter and confirm the password.
  3. Select each service to which you are replicating the user.
  4. Click Replicate.

Delete a Service User

  1. On the Users tab, select the Username and click The delete icon.
    NetWitness Platform requests confirmation that you want to delete the selected user.
  2. To confirm, click Yes.

Add a User Role to a Service

There are pre-configured roles in NetWitness Platform that are installed on the server and on each service. You can also add custom roles. The following table lists the pre-configured user roles and their permissions.

                                   
RolePermission
AdministratorsFull system access
OperatorsAccess to configurations but not to metadata and session content
AnalystsAccess to metadata and session content but not to configurations
SOC_ManagersSame access as Analysts and additional permissions to handle incidents
Malware_AnalystsAccess to malware events and to metadata and session content
Data_Privacy_OfficersAccess to metadata and session content and configuration options that manage obfuscation and viewing of sensitive data within the system (see Data Privacy Management Guide).

You must add a service role when you have added a:

  • Service user or users that require a new set of permissions.
  • Custom role on NetWitness Server because trusted connections require that the same custom role exists both on the server and on each service the custom role will access. The names must be identical. For example, if you add a Junior Analysts role on the server then you must add a Junior Analysts role on each service the role will access. For more information, see "Add a Role and Assign Permissions" in the System Security and User Management Guide.

There is also a pre-configured Aggregation service role. Services Security View - Aggregation Role and Services Security View - Service User Roles and Permissions provide additional information.

To add a service user role and assign permissions to it:

  1. In NetWitness Platform, go to ADMIN > Services.
  2. Select a service, then click The Actions drop-down menu > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
  3. Select the Roles tab and click The Add icon.
    The Services Security view is displayed and five pre-configured roles are already listed. 
    This is an example of the Roles tab.
  4. Click The add icon, type the Role Name and press Enter.
    The Role Name is displayed above a list of Role Permissions.
  5. Select each permission the role will have on the service. 
  6. Click Apply.

You can add service users to the role in the Users tab.

Change a Service User Password

This procedure allows administrators to change the password of a service user and replicate the new password to all Core services with that user account defined. It replicates only the password change to the Core services selected and does not replicate the entire user account. Administrators can also change the password of the admin account on the Core services.

Note: The Change Password option does not apply to external users.

To change the password of a service user:

  1. In NetWitness Platform, go to ADMIN > Services.
    The Admin Services view is displayed.
  2. Select a service, then click The actions drop-down menu > View > Security.
    The Security view for the selected services is displayed.
  3. In the Users tab, select a user and select Change Password from The actions icon.
    The Change Password dialog is displayed.
    This is an example of the Change Password dialog.
  4. Type a new password for the user and confirm the password.
  5. Select the services where you want the user password to change. 
  6. Click Change Password.
    The status of the password change on the selected services is displayed.

IMPORTANT: If you change the admin password on a NetWitness service that is used as a Reporting Engine data source, you must remove and then re-add the service as a data source. For details, see the "Configure the Data Sources" topic in the Reporting Engine Configuration Guide for RSA NetWitness Platform 11.x.

Create and Manage Service Groups

The Admin Services view provides options to create and manage groups of services. The Services list toolbar includes options to create, edit, and delete service groups. Once groups are created, you can drag individual services from the Services panel into a group.

Groups may reflect functional, geographical, project-oriented, or any other organization principle that is useful. A service may belong to more than one group. Here are some examples of possible groupings.

  • Group different service types to make it easier to configure and monitor all Brokers, Network Decoders, or Concentrators.
  • Group services that are part of the same data flow; for example, a Broker, and all associated Concentrators and Network Decoders.
  • Group services according to their geographic region and location within the region. If a major power outage occurs in a location, potentially affected services are easily identifiable.

Create a Group

  1. In NetWitness Platform, go to ADMIN > Services.
    The Admin Services view is displayed.
  2. In the Groups panel toolbar, click The Add icon.
    A field for the new group opens with a blinking cursor.
    This is the Groups panel with a new, unnamed group
  3. Type the name of the new group in the field (for example, A New Group) and press Enter.
    The group is created as a folder in the tree. The number next to the group indicates the number of services in that group.
    This is the Groups panel with the new group added

Change the Name of a Group

  1. In the Services view Groups panel, double-click the group name or select the group and click The edit icon. The name field opens with a blinking cursor.
  2. Type the new name of the group and press Enter.
    The name field closes and the new group name is displayed in the tree.

Add a Service to a Group

In the Services view Services panel, select a service and drag the service to a group folder in the groups panel.
The service is added to the group.

View the Services in a Group

To view the services in a group, click the group in the Groups panel.

The Services panel lists the services in that group.

Remove a Service from a Group 

  1. In the Services view Groups panel, select the group that contains the service that you want to remove. The services in that group appear in the Services panel.
  2. In the Services panel, select one or more services that you want to remove from the group, and in the toolbar, select The Delete icon > Remove from Group.
    The selected services are removed from the group, but are not removed from the NetWitness Platform user interface. The number of services in the group, which is listed near the group name, decreases by the number of services removed from the group. The All group contains the services that are removed from the group.
    In the following example, the service group called A New Group does not contain any services, because the service in that group is removed.
    This is an example of a group without services

Delete a Group

  1. In the Services view Groups panel, select the group that you want to delete. 
  2. Click The delete icon.
    The selected group is removed from the Groups panel. The services that were in the group are not removed from the NetWitness Platform user interface. The All group contains the services from the deleted group.

Duplicate or Replicate a Service Role

An efficient way to add a new service role is to duplicate a similar role, save it with a new name and revise the permissions that are already assigned. For example, you could duplicate the Analysts role. Then, save it as JuniorAnalysts and modify the permissions.

The quick way to add an existing role to other services is to replicate the role. For example, you could replicate the JuniorAnalysts role that exists on a Broker to a Concentrator and Log Decoder.

To navigate to the Services Security view:

  1. In NetWitness Platform, go to ADMIN > Services.
  2. Select a service, then click The Actions icon > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
  3. Select the Roles tab.

Duplicate a Service Role

  1. In the Roles tab, select the role you want to duplicate.
    This is an example of the Roles tab.
  2. Click The Duplicate icon > Duplicate Role.
  3. Type a new name and click Apply.
  4. Select the new role.
  5. In the Role Permissions section, select or deselect permissions to modify what the new role can do.

Replicate a Role

  1. In the Roles tab, select the role you want to replicate and click Replicate.
  2. In the Replicate Role to Other Services dialog, select each service on which to add the role.
  3. Click Replicate.

Edit Core Service Configuration Files

The service configuration files for Network Decoder, Log Decoder, Broker, Concentrator, Archiver, and Workbench services are editable as text files. In the Services Config view > Files tab, you can:

  • View and edit a service configuration file that the NetWitness Platform system is currently using.
  • Retrieve and restore the latest backup of the file you are editing.
  • Push the open file to other services.
  • Save changes made to a file.

The files available to edit vary depending upon the type of service being configured. The files that are common to all Core services are the:

  • The NetWitness file (netwitness). This is preconfigured and does not require editing.
  • The service index file (index-<service>). This is preconfigured and may require editing.
    See Edit a Service Index File for more information.
  • The scheduler file (scheduler). The scheduler service is optional and requires editing.
    See Configure the Task Scheduler for more information.
  • The crash reporter file (crashreporter). The crash reporter service is optional and requires editing.
    See Enable the Crash Reporter Service for more information.
  • The feed definitions file (feed-definitions). This file is optional and may require editing.
    See "Feed Definitions File" in the Decoder Configuration Guide for more information.

In addition, the Network Decoder has files that configure parsers, feed definitions, and a wireless LAN adapter. There is also the table mapping file provided by RSA, table-map.xml, which is an important part of the Log Decoder.

Note: The default values in these configuration files are good for the most common situations; however, some editing is necessary for optional services, such as the crash reporter or scheduler. Only administrators with a good understanding of the networks and the factors that affect the way services collect and parse data should make changes to these files in the Files tab.

Edit a Service Configuration File

To edit a file:

  1. In NetWitness Platform, go to ADMIN > Services.
  2. In the Services list, select a service.
  3. Select The actions drop-down menu > View > Config.
    The Service Config view is displayed with the General tab open.
  4. Click the Files tab.
    The selected service, such as Concentrator, appears in the drop-down list on the right.
  5. (Optional) To edit a file for the host instead of the service, select Host in the drop-down list.
  6. Choose a file from the Please Select A File To Edit drop-down list.
    The file content is displayed in edit mode.
    Editable Files tab in Config view
  7. Edit the file and click Apply.

The current file is overwritten and a backup file is created. The changes go into effect after the service is restarted.

Revert to a Backup Version of a Service Configuration File

After you make changes to a configuration file, save the file, and restart the service, a backup file is available.

To revert to a backup of a configuration file: 

  1. Select a configuration file by completing steps 1-6 of Edit a Service Configuration File.
  2. Click Get Backup.
    The backup file opens in the text editor.
  3. To revert to the backup version, click Save.

The changes go into effect after the service is restarted.

Push a Configuration File to Other Services

Once you have edited a service configuration file, you can push the same configuration to other services of the same type. 

  1. Select a configuration file by completing steps 1-6 of Edit a Service Configuration File.
  2. Click The Push icon.
    The Select Services dialog is displayed.
  3. Select each service to which you want to push the configuration file. Each service must be of the same type as the one you selected in the Services view.

    Caution: If you decide not to push the configuration file, click Cancel.

  4. To push the configuration file to all selected services, click OK.

The configuration file is pushed to all selected services. 

Edit a Service Index File

This topic provides important information and guidelines for configuring service custom index files, which are editable in the Service Config view > Files tab.

The index file, along with other configuration files, controls operation of each Core service. Accessing the index file through the Service Config view in NetWitness Platform opens the file in a text editor, where you can edit the file.

Note: Only administrators with a thorough and comprehensive understanding of Core service configuration are qualified to make changes to an index file, which is one of the central configuration files for the appliance service. Changes made should be consistent across all Core services. Invalid entries or a misconfigured file can prevent the system from starting and can require the assistance of RSA Support to bring the system back into a working state.

These are the index files: 

  • index-broker.xml and index-broker-custom.xml
  • index-concentrator.xml and index-concentrator-custom.xml
  • index-decoder.xml and index-decoder-custom.xml
  • index-logdecoder.xml and index-logdecoder-custom.xml
  • index-archiver.xml and index-archiver-custom.xml
  • index-workbench.xml and index-workbench-custom.xml

Index and Custom Index Files

All customer-specific index changes are made in index-<service>-custom.xml. This file overrides any settings in index-<service>.xml, which is solely controlled by RSA.

The custom index file, index-<service>-custom.xml, allows creation of custom definitions or overrides of your own language keys that are not overwritten during the upgrade process.

  • Keys that are defined in index-<service>-custom.xml replace the definitions found in index-<service>.xml.
  • Keys that are added to index-<service>-custom.xml and not found in index-<service>.xml are added to the language as a new key.

Some common applications for editing the index file are:

  • To add new custom meta keys to add new fields to the NetWitness Platform user interface.
  • To configure protected meta keys as part of a data privacy solution as described in the Data Privacy Management Guide.
  • To adjust the NetWitness Platform Core database query performance as described in the NetWitness Platform Core Database Tuning Guide.

Caution: Never set the index level to IndexKeys or IndexValues on a Network Decoder if you have a Concentrator or Archiver aggregating from the Network Decoder. The index partition size is too small to support any indexing beyond the default time meta key.

Configure the Task Scheduler

Scheduler File

You can edit the scheduler file in the Service Config view > Files tab. This file configures the built-in task scheduler for a service. The task scheduler can automatically send messages at predefined intervals or at specific times of the day.

Scheduler Task Syntax

A task line in the scheduler file consists of the following syntax, where <Value> has no spaces:

<ParamName>=<Value>

If <Value> has any spaces, this is the syntax:

<ParamName>="<Value>"

In each task line, these guidelines apply:

  • Parameter time or one of the interval parameters (seconds, minutes, or hours) is required.
  • Escape special characters with a \ (backslash).

Task Line Parameters

The following task line parameters are accepted by the scheduler.

                                                       
SyntaxDescription
daysOfWeek: <string, optional, {enum-any:sun|mon|tue|wed|thu|fri|sat|all}> The days of week to execute a task. The default value is all.
deleteOnFinish: <bool, optional> Delete the task when it has successfully finished.
hours: <uint32, optional, {range:1 to 8760}> The number of hours between executions.
logOutput: <string, optional> Output the response to log using the specified module name.
minutes: <uint32, optional, {range:1 to 525948}> The number of minutes between executions.
msg: <string> The message to send the node.
params: <string, optional> The parameters for the message.
pathname: <string> The path of the node that receives the message.
seconds: <uint32, optional, {range:1 to 31556926}> The number of seconds between executions.
time: <string> The time of execution in HH::MM:SS format (local time of this server).
timesToRun: <uint32, optional> How many times to run because service start, 0 = unlimited (default).

Messages

The following are the message strings to use in the Task Scheduler msg parameter.

                                 
MessageDescription
addInter Add a task to run at a defined interval. For example, this message runs the /index save command every 6 hours:
addInter hours=6 pathname=/index msg=save
addMil
 
Add a task to run at a specific time of day or even day(s) of the week. For example, this message runs the /index save command at 1 AM every business day:
addMil time= 01:00:00 pathname=/index
msg=save daysOfWeek=mon,tue,wed,thu,fri
delSched Deletes an existing scheduled task. The id parameter of the task must be retrieved from the print message.
print Prints all scheduled tasks.
replace Assign all scheduled tasks in one message, deleting any existing tasks.
save Save node.

Sample Task Line

The following example task line in the scheduler file downloads the feeds package file (feeds.zip) to the selected Network Decoder every 120 minutes from the feeds host server:
minutes=120 pathname=/parsers msg=feed params="type\=wget file\=http://feedshost/nwlive/feeds.zip"
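Because an invalid scheduler entry is only reported once the service reads the file, it helps to validate task lines before applying them. The following added example, which is not RSA's scheduler code, implements the syntax and parameter table above: <ParamName>=<Value>, double quotes around values with spaces, backslash escapes, the required trigger, and the documented ranges. Rejecting a line that combines time with an interval parameter, and the accepted spellings of the deleteOnFinish bool, are assumptions.

```python
"""Parse and validate scheduler task lines (added example, not RSA code)."""
import re

_NAME = re.compile(r"[A-Za-z_]\w*")
_TIME = re.compile(r"([01]\d|2[0-3]):([0-5]\d):([0-5]\d)")
INTERVALS = {"seconds": (1, 31556926), "minutes": (1, 525948), "hours": (1, 8760)}
DAYS = {"sun", "mon", "tue", "wed", "thu", "fri", "sat", "all"}
KNOWN = {"daysOfWeek", "deleteOnFinish", "logOutput", "msg", "params",
         "pathname", "time", "timesToRun", *INTERVALS}


def tokenize(line):
    """Split one task line into (name, value) pairs.

    A value is unquoted (ends at the next space) or double-quoted (may contain
    spaces). In both forms a backslash escapes the following character, so the
    documented params="type\\=wget ..." yields the value 'type=wget ...'.
    """
    pairs = []
    i, n = 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
            continue
        eq = line.find("=", i)
        if eq < 0 or not _NAME.fullmatch(line[i:eq]):
            raise ValueError(f"expected <ParamName>=<Value> at offset {i}")
        name = line[i:eq]
        i = eq + 1
        quoted = i < n and line[i] == '"'
        if quoted:
            i += 1
        chars, closed = [], not quoted
        while i < n:
            c = line[i]
            if c == "\\" and i + 1 < n:      # escaped special character
                chars.append(line[i + 1])
                i += 2
                continue
            if quoted and c == '"':           # closing quote ends the value
                closed, i = True, i + 1
                break
            if not quoted and c.isspace():    # whitespace ends an unquoted value
                break
            chars.append(c)
            i += 1
        if not closed:
            raise ValueError(f"unterminated quoted value for {name}")
        pairs.append((name, "".join(chars)))
    return pairs


def _uint(text, key, low, high):
    """Parse a uint32 parameter and enforce the documented range."""
    if not text.isdigit():
        raise ValueError(f"{key} must be an unsigned integer")
    value = int(text)
    if not low <= value <= high:
        raise ValueError(f"{key} must be in range {low} to {high}")
    return value


def parse_task(line):
    """Return a validated dict for one task line; raise ValueError on any defect."""
    task = {}
    for name, value in tokenize(line):
        if name not in KNOWN:
            raise ValueError(f"unknown parameter {name!r}")
        if name in task:
            raise ValueError(f"duplicate parameter {name!r}")
        task[name] = value
    for required in ("pathname", "msg"):
        if required not in task:
            raise ValueError(f"{required} is required")
    triggers = [k for k in ("time", *INTERVALS) if k in task]
    if not triggers:
        raise ValueError("time or one of seconds, minutes, hours is required")
    if len(triggers) > 1:   # assumption: one trigger per task line
        raise ValueError(f"use only one of {triggers}")
    for key, (low, high) in INTERVALS.items():
        if key in task:
            task[key] = _uint(task[key], key, low, high)
    if "time" in task and not _TIME.fullmatch(task["time"]):
        raise ValueError("time must be HH:MM:SS")
    if "daysOfWeek" in task:
        days = task["daysOfWeek"].split(",")
        unknown = sorted(set(days) - DAYS)
        if unknown:
            raise ValueError(f"unknown daysOfWeek values {unknown}")
        task["daysOfWeek"] = days
    if "timesToRun" in task:
        task["timesToRun"] = _uint(task["timesToRun"], "timesToRun", 0, 2**32 - 1)
    if "deleteOnFinish" in task:
        flag = task["deleteOnFinish"].lower()
        if flag not in {"true", "false", "1", "0"}:   # accepted spellings are an assumption
            raise ValueError("deleteOnFinish must be true/false or 1/0")
        task["deleteOnFinish"] = flag in {"true", "1"}
    return task


def parse_scheduler_file(text):
    """Parse every non-blank line of a scheduler file, reporting errors by line number."""
    tasks = []
    for number, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            try:
                tasks.append(parse_task(raw))
            except ValueError as exc:
                raise ValueError(f"line {number}: {exc}") from None
    return tasks
```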

Enable the Crash Reporter Service

The Crash Reporter is an optional service for NetWitness Platform services. When activated for any of the Core services, the Crash Reporter automatically generates a package of information to be used for diagnosing and solving the problem that resulted in the service failure. The package is automatically sent to RSA for analysis. The results are forwarded to RSA Support for any further action.

The information package sent to RSA does not contain captured data. This information package consists of the following information:

  • Stack trace
  • Logs
  • Configuration settings
  • Software version
  • CPU information
  • Installed RPMs
  • Disk geometry

The Crash Reporter crash analysis can be activated for any Core product. 

The crashreporter.cfg File

One of the files available for editing in the Service Config view > Files tab is crashreporter.cfg, the Crash Reporter Client Server configuration file.

This file is used by the script that checks, updates, and builds crash reports on the host. The list of products to monitor can include Network Decoders, Concentrators, Brokers, and hosts.

This table lists the settings for the crashreporter.cfg file. Each setting is shown with its default value, followed by its description.

applicationlist=decoder, concentrator, host
    Define the list of products to monitor.

sitedir=/var/crashreporter
    Location of the site directory for the report.

webdir=/usr/share/crashreporter/Web
    Location of the web directory.

devdir=/var/crashreporter/Dev
    Location of the development directory.

datadir=/var/crashreporter/data
    Location of the directory storing data files.

perldir=/usr/share/crashreporter/perl
    Location of the Perl files.

bindir=/usr/share/crashreporter/bin
    Location of the binary executables.

libdir=/usr/share/crashreporter/lib
    Location of the binary libraries.

cfgdir=/etc/crashreporter
    Location of the configuration files.

logdir=/var/log/crashreporter
    Location of the log files.

scriptdir=/usr/share/crashreporter/scripts
    Location of the directory containing scripts.

workdir=/var/crashreporter/work
    Location of the process work directory.

sqldir=/var/crashreporter/sql
    Location where created SQL files are placed.

reportdir=/var/crashreporter/reports
    Location where temporary reports are created.

packagedir=/var/crashreporter/packages
    Location of the created package files.

gdbconfig=/etc/crashreporter/crashreporter.gdb
    Location of the gdb configuration file.

corewaittime=30
    Define the number of seconds to wait after finding a core to determine if the core is still being written.

cyclewaittime=10
    Define the number of minutes to wait between search cycles.

deletecores=1
    Specify if the Core files should be deleted after the report.
    0 = No
    1 = Yes
    Note: Until the Core file is deleted, it is reported each time crashreporter is restarted.

deletereportdir=1
    Specify if the report directory should be deleted after the report. Useful for viewing core reports on the box.
    0 = No
    1 = Yes
    Note: If not deleted, the directory will be included in each subsequent package.

debug=1
    Specify whether debugging messages are turned on or off in the crashreporter logging output.
    0 = No
    1 = Yes

posturl=https://www.netwitnesslive.com/crash...ter/submit.php
    Define the webserver post URL.

postpackages=0
    Specify if the packages should be posted to the webserver.
    0 = No
    1 = Yes

deletepackages=1
    Specify if packages should be deleted after they are posted to the webserver.
    0 = No
    1 = Yes
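
The following Python script is an added example for this page; it is not part of RSA NetWitness or of the crashreporter tool. It reads a crashreporter.cfg in the flat key=value form shown in the settings table, exposes the monitored application list, and reports the configuration consequences the table calls out (cores re-reported while deletecores=0, report directories accumulating in packages while deletereportdir=0) plus one check a security reviewer would add: crash packages can contain process memory, so if postpackages=1 the posturl should be HTTPS, as the default is. The sample configuration, the comment handling and the collector host name are constructed assumptions.

```python
"""Parse and sanity-check a crashreporter.cfg file.

Added example for this page; not part of RSA NetWitness or the
crashreporter tool. Assumes the file is a flat list of key=value lines,
as in the settings table; blank lines and '#' comments are assumed to be
ignored.
"""
from typing import Dict, List

# Constructed sample config (not from a real host). deletecores and
# posturl are deliberately set to values the checks below flag.
SAMPLE_CFG = """\
# constructed sample
applicationlist=decoder, concentrator, host
sitedir=/var/crashreporter
logdir=/var/log/crashreporter
packagedir=/var/crashreporter/packages
corewaittime=30
cyclewaittime=10
deletecores=0
deletereportdir=1
debug=1
posturl=http://collector.example.invalid/submit.php
postpackages=1
deletepackages=1
"""

# Settings the documentation describes as 0/1 switches or as integers.
BOOLEAN_KEYS = ("deletecores", "deletereportdir", "debug", "postpackages", "deletepackages")
INTEGER_KEYS = ("corewaittime", "cyclewaittime")


def parse_cfg(text: str) -> Dict[str, str]:
    """Return the settings as a dict; later duplicates override earlier ones."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def monitored_applications(settings: Dict[str, str]) -> List[str]:
    """Split the comma-separated applicationlist value into product names."""
    return [a.strip() for a in settings.get("applicationlist", "").split(",") if a.strip()]


def check_cfg(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    for key in BOOLEAN_KEYS:
        if key in settings and settings[key] not in ("0", "1"):
            findings.append(f"{key}={settings[key]}: expected 0 or 1")
    for key in INTEGER_KEYS:
        if key in settings and not settings[key].isdigit():
            findings.append(f"{key}={settings[key]}: expected a non-negative integer")
    # Behavioural consequences called out in the settings table.
    if settings.get("deletecores") == "0":
        findings.append("deletecores=0: each core file is reported again every time crashreporter restarts")
    if settings.get("deletereportdir") == "0":
        findings.append("deletereportdir=0: the report directory is included in every subsequent package")
    # Crash packages can contain process memory; if they leave the host the
    # post URL should at least use TLS (the documented default is HTTPS).
    if settings.get("postpackages") == "1" and not settings.get("posturl", "").startswith("https://"):
        findings.append(f"postpackages=1 with posturl={settings.get('posturl', '')!r}: packages would be posted without TLS")
    return findings


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print("monitoring:", ", ".join(monitored_applications(cfg)))
    for finding in check_cfg(cfg):
        print("finding:", finding)
```

Run it against a copy of a host's /etc/crashreporter/crashreporter.cfg by replacing SAMPLE_CFG with the file contents; the checks are only advisory and do not modify the file.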

Configure the Crash Reporter Service

To configure the Crash Reporter service:

  1. Select ADMIN > Services.
  2. Select a service and click the Actions icon > View > Config.
  3. Select the Files tab.
  4. Edit crashreporter.cfg.
  5. Click Save.
  6. To display the Service System view, select Config > System.
  7. To restart the service, click the Shutdown Service icon.
    The service shuts down and restarts.

Start and Stop the Crash Reporter Service

To start the Crash Reporter Service:

  1. Select ADMIN > Services.
  2. Select a service and click the Actions icon > View > System.
  3. In the toolbar, click Host Tasks.
    The Host Task List is displayed.
  4. In the Task drop-down list, select Start Service.
  5. In the Arguments field, type crashreporter, then click Run.
    This is an example of the Host Task List dialog for this procedure.

The Crash Reporter service is activated and remains active until you stop it.

To stop the Crash Reporter service, select Stop Service from the Task drop-down list.

Maintain the Table Map Files

The table mapping file provided by RSA, table-map.xml, is a very important part of the Log Decoder. It is a meta definition file that also maps the keys used in a log parser to the keys in the metadb.

Note: Do not edit the table-map.xml file. If you want to make changes to the table-map, make them in the table-map-custom.xml file. The latest table-map.xml file is available on Live Services, which RSA updates as required. If you make changes to the table-map.xml file, they can be overwritten during a content or service upgrade.

The table map and custom table map files have two purposes:

  • To translate the variables used in the Log Parsers to NetWitness meta key names
  • To tell the system which keys to move onto the Concentrator.

For example, look at the out-of-the-box Palo Alto log parser, and examine one of its meta keys: stransaddr. This key represents the source translated address. If we look in the table-map.xml file, we can see that this variable is listed as Transient:

<mapping envisionName="stransaddr" nwName="stransaddr" flags="Transient" format="Text" />

Because this variable is listed as Transient, it is never moved to the Concentrator. In fact, if you look at all the metadata that is parsed from that log on the Concentrator, it is not listed as an available key.

Assume we change the value in the table-map-custom.xml file to the following:

<mapping envisionName="stransaddr" nwName="stransaddr" flags="None" format="Text" />

In this case, the key-value pair would get copied to the Concentrator, and from there you can choose whether or not to index it.

In the table-map.xml file, some meta keys are set to Transient and some are set to None. To store and index a specific meta key, the key must be set to None. To make changes to the mapping, you need to create a copy of the file named table-map-custom.xml on the Log Decoder and set the meta keys to None.

For meta key indexing:

  • When a key is marked as None in the table-map.xml file in the Log Decoder, it is indexed.
  • When a key is marked as Transient in the table-map.xml file in the Log Decoder, it is not indexed. To index the key, copy the entry to the table-map-custom.xml file and change the keyword flags="Transient" to flags="None".
  • If a key does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file in the Log Decoder.

IMPORTANT: Do not update the table-map.xml file because an upgrade can overwrite it. Add all of the changes that you want to make to the table-map-custom.xml file.

Prerequisites

If you do not have a table-map-custom.xml file on the Log Decoder, create a copy of table-map.xml and rename it to table-map-custom.xml.

To verify and update the table mapping file:

  1. Go to ADMIN > Services.
  2. In the Services list, select a Log Decoder and click the Actions icon > View > Config.
  3. Click the Files tab and select the table-map.xml file.
    This is an example of the Files tab with the relevant line highlighted.
  4. Verify that the flags keywords are set correctly to either Transient or None.
  5. If you need to change an entry, do not change the table-map.xml file. Instead, copy the entry, select the table-map-custom.xml file, find the entry in the table-map-custom.xml file and change the flags keyword from Transient to None.
    For example, the following entry for the hardware.id meta key in the table-map.xml file is not indexed and the flags keyword shows as Transient:
    <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
    To index the hardware.id meta key, change the flags keyword from Transient to None in the table-map-custom.xml file:
    <mapping envisionName="hardware_id" nwName="hardware.id" flags="None"/>
  6. If an entry does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file.
  7. After making your changes to the table-map-custom.xml file, click Apply.

Caution: Before changing the table mapping files, carefully consider the effect of changing the index from Transient to None because it can impact the available storage and performance of the Log Decoder. For this reason, only certain meta keys are indexed out-of-the-box. Use the table-map-custom.xml file for different use cases.
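
The following Python script is an added example for this page, not RSA's own tooling. It shows the table-map workflow described above in code: list the keys that table-map.xml flags as Transient, build a table-map-custom.xml that is a full copy of table-map.xml with flags="None" set on the chosen keys and any missing entries appended (never editing table-map.xml itself), and diff the two files so that, after a content or service upgrade, you can confirm your overrides are still in place. The mapping element layout is the one quoted in the text; the enclosing root element name, the sample entries and the new custom.key entry are constructed assumptions.

```python
"""Inspect table-map.xml and produce a table-map-custom.xml copy with overrides.

Added example for this page; not RSA tooling. Assumes the <mapping>
element layout quoted in the documentation (envisionName, nwName, flags
and optional format attributes); the root element name and the sample
entries are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample modelled on the two entries quoted in the text.
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="stransaddr" nwName="stransaddr" flags="Transient" format="Text"/>
  <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
</mappings>
"""


def load_mappings(xml_text: str) -> Dict[str, ET.Element]:
    """Index <mapping> elements by their NetWitness meta key (nwName)."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): m for m in root.iter("mapping")}


def transient_keys(xml_text: str) -> List[str]:
    """Meta keys that are parsed but never moved to the Concentrator."""
    return sorted(nw for nw, m in load_mappings(xml_text).items() if m.get("flags") == "Transient")


def build_custom_map(xml_text: str, keys_to_index: Iterable[str],
                     extra_mappings: Iterable[Dict[str, str]] = ()) -> str:
    """Copy table-map.xml, set flags="None" on the requested keys, append new entries.

    Mirrors the documented procedure: the custom file is a full copy of
    table-map.xml with edits; table-map.xml itself is never changed.
    """
    root = ET.fromstring(xml_text)
    by_key = {m.get("nwName"): m for m in root.iter("mapping")}
    for nw in keys_to_index:
        if nw not in by_key:
            raise KeyError(f"{nw} is not in table-map.xml; pass it via extra_mappings instead")
        by_key[nw].set("flags", "None")
    for attrs in extra_mappings:
        if attrs["nwName"] in by_key:
            raise ValueError(f"{attrs['nwName']} already exists; use keys_to_index for it")
        ET.SubElement(root, "mapping", dict(attrs))
    return ET.tostring(root, encoding="unicode")


def diff_flags(base_xml: str, custom_xml: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each key whose flags differ, or that exists in only one file, to (base, custom).

    Useful after an upgrade to confirm the custom overrides survived.
    """
    base, custom = load_mappings(base_xml), load_mappings(custom_xml)
    diff: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for nw in set(base) | set(custom):
        b = base[nw].get("flags") if nw in base else None
        c = custom[nw].get("flags") if nw in custom else None
        if b != c:
            diff[nw] = (b, c)
    return diff


if __name__ == "__main__":
    print("transient in table-map.xml:", transient_keys(TABLE_MAP_XML))
    custom = build_custom_map(TABLE_MAP_XML, ["stransaddr"])
    print(custom)
    print("overrides:", diff_flags(TABLE_MAP_XML, custom))
```

Keep the caution above in mind when choosing keys_to_index: every key you flip from Transient to None is stored and indexed, which costs Log Decoder storage and performance, so review the diff_flags output before applying the generated file through the Files tab.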

Edit or Delete a Service

You can edit service settings, such as the host name or port number, or delete a service that you no longer need.

Each of the following procedures starts in the Services view.

To navigate to the Services view, in NetWitness Platform, go to ADMIN > Services.

This is the Services view.

Edit a Service

  1. In the Services view, select a service and either click the Edit icon or the Actions drop-down menu > Edit.
    The Edit Service dialog is displayed. It shows only the fields that apply to the selected service.
    This is the Edit Service dialog
  2. Edit the service details by changing any of the following fields:
    • Name
    • Port - Each Core service has two ports, SSL and non-SSL.
    • SSL - For trusted connections, you must use SSL. 
    • Username and Password - Use these credentials to test the connection to a service.
      1. If you use a trusted connection, delete the username.
        If you do not use a trusted connection, type a username and password.
      2. Click Test Connection.
  3. Click Save.

Delete a Service

  1. In the Services view, select one or more services and either click the Delete icon or the Actions drop-down menu > Delete.
  2. A dialog requests confirmation. To delete the service, click Yes.

The deleted service is no longer available to the NetWitness Platform modules. 

Explore and Edit Service Property Tree

You have advanced access and control of service functionality in the Services Explore view, which consists of two parts. The Node list displays service functionality in a tree structure of folders. The Monitor panel displays properties of the folder or file selected in the Node list.

Each of the following procedures starts in the Explore view.

To navigate to the Explore view:

  1. In NetWitness Platform, go to ADMIN > Services.
  2. Select a service, then select the Actions drop-down menu > View > Explore.
    The Explore view is displayed. The Node list is on the left and the Monitor panel is on the right.
    This is an example of the Explore view

Display or Edit a Service Property

To display a service property:

  1. Right-click a file in the Node list or Monitor panel.
  2. Click Properties.

To edit the value of a service property:

  1. In the Monitor panel, select an editable property value.
  2. Type a new value. 

Send a Message to a Node

  1. In the Properties dialog, select a message type from the drop-down list. Options vary according to the file selected in the Node list.
    A description of the selected message type is displayed in the Message Help field.
  2. (Optional) If the message requires them, type the Parameters.
  3. Click Send.
    The value or format is displayed in the Response Output field.

Terminate a Connection to a Service

You can view sessions that are running on a service in the Service System view. From within the list of sessions, you can terminate the session and the active queries in a session.

Terminate a Session on a Service

  1. In NetWitness Platform, go to ADMIN > Services.
    The Admin Services view is displayed.
  2. Select a service, and select the Actions icon > View > System.
    The Services System view is displayed.

  3. In the Session Information list at the bottom, click a session number from the Session column.
    The confirmation dialog is displayed.
  4. Click Yes.

Terminate an Active Query in a Session

  1. Scroll down to the Sessions list.
  2. In the Active Queries column, click a non-zero count of active queries for a session. You cannot click the count if there are 0 active queries.
    The Active Queries dialog is displayed.
    This is an example of the Active Queries dialog
  3. Select a query and click Cancel Query.
    The query stops and the Active Queries column is updated.

Search for Services

You can search for services from the list of services in the Services view. The Services view enables you to quickly filter the list of services by Name, Host, and Service Type. You can use the Filter drop-down menu and the Filter field separately or at the same time to filter the Services view. 

Search for a Service

  1. In NetWitness Platform, go to ADMIN > Services.
  2. In the Services list toolbar, type a service Name, Host, or service Type in the Filter field.
    This is the Filter field.

    The Services panel lists the services that match the names entered in the Filter field. The following example shows the search results after starting to type log in the filter field.
    This is the Services panel with two results matching a search for log

Filter Services by Type

  1. In NetWitness Platform, go to ADMIN > Services.
  2. In the Services view, click the Filter icon and select the service types that you want to appear in the Services view.

Example of the Filter field drop down menu of services

The selected service types appear in the Services view. The following example shows the Services view filtered for Concentrator and Log Decoder.

This is the Services panel filtered for Concentrator and Network Decoder.

Find the Services on a Host

In addition to being able to locate the services for a host in the Services view, you can also quickly find the services that run on a host in the Hosts view. 

  1. In NetWitness Platform, go to ADMIN > Hosts.
  2. In the Hosts view, select a host and click the box that contains a number (the number of services) in the Services column.
    A list of the services on the selected host is displayed.

In the following example, the two services on the selected host are listed after clicking the box containing the number 2.
This is an example of the dialog that appears when you click the service count.

You can click the service links to view the services in the Services view.

Start, Stop, or Restart a Service

These procedures apply to Core services only.

Each of the following procedures starts in the Services view. In NetWitness Platform, go to ADMIN > Services.

Start a Service

  1. Select a service and click the Actions drop-down menu > Start.

Stop a Service

When you stop a service, all of its processes stop and active users are disconnected from it.

To stop a service:

  1. Select a service and click the Actions drop-down menu > Stop.
  2. A dialog requests confirmation. To stop the service, click Yes.

Restart a Service

Occasionally, you have to restart a service for changes to take effect. When you change a parameter that requires a restart, NetWitness Platform displays a message.

To restart a service:

  1. Select a service and click the Actions drop-down menu > Restart.
  2. A dialog requests confirmation. To confirm, click Yes.

The service stops, then restarts automatically.

View Service Details

You can view and edit information about services using options in the View menu for a service.
This is the service View menu

Purpose of Each Service View

Each view displays a functional piece of a service and is described in detail in its own section:

  • Services System View shows a summary of service, appliance service, service user, host user, and session information.
  • Services Stats View provides a way to monitor service operations and status. 
  • Services Config View is for configuring all aspects of a service. 
  • Services Explore View is for viewing and editing host and service configurations.
  • System Logging Panel shows service logs that you can search. 
  • Services Security View is a way to add NetWitness Platform Core user accounts for aggregation, thick client users, and REST API users.

Access a Service View

To access a view for a service:

  1. In NetWitness Platform, go to ADMIN > Services.
  2. Select a service and click the Actions menu > View.

    The View menu is displayed.

    This is the View menu

  3. From the options on the left, select a view.

    Below is an example of the Services System view for a Broker.
    Example of the Services System view for a Broker

  4. Use the toolbar to navigate:

    Example of the change service toolbar for a Broker

    1. Click Change Service to select another service.
      The Administrate Service dialog is displayed.
    2. Select the checkbox to the left of the service that you want.
    3. Select the view that you want for the service you selected in the View drop-down list.

      This is the View drop-down list

      The new view (for example, Stats) is displayed for the service you selected.
