
Export Connector Install: Configure NetWitness Export Connector

Document created by RSA Information Design and Development Employee on Oct 15, 2020
Version 1
 

Note: Make sure that the firewall on the Decoder or Log Decoder is open so that it can establish a connection with Logstash. For more information, see "Network Architecture and Ports" in the Deployment Guide for RSA NetWitness Platform.

You must configure the Logstash configuration file to process the NetWitness Platform events. Create a Logstash configuration file and add the NetWitness Export Connector plugin parameter settings for event processing. Save the file as netwitness-<decoder-ip>-input.conf. After adding the NetWitness Export Connector plugin parameter settings, place the configuration file in the /etc/logstash/conf.d/ directory.

A Logstash configuration file can have three separate sections, one for each type of plugin that you want to add to the event processing pipeline. The first section is for the Input plugin (NetWitness Export Connector), the second section is for the Filter plugin (optional), and the third section is for the Output plugin.

To configure the NetWitness Export Connector plugin, add the parameter settings in the first section of the Logstash configuration file.

To configure multiple pipelines, see the Multiple Pipelines Configuration documentation.

The configuration of each NetWitness Export Connector plugin must consist of the plugin name followed by a block of parameter settings for that plugin. If the NetWitness Export Connector has multiple plugins, each with its own block of parameters, they are applied in the order of their appearance.

The following is an example of the NetWitness Export Connector with one plugin instance and its block of parameter settings, which fetches data from a single decoder.

input {
  netwitness {
    host => "<host>" # Mandatory
    username => "<username>" # Mandatory
    password => "<password>" # Mandatory
    decoder_type => "logdecoder" # Mandatory
  }
}

The following is an example of the NetWitness Export Connector with two plugin instances, each with its block of parameter settings, which fetches data from two different decoders. Each plugin in the configuration is applied in the order shown.

input {
  netwitness {
    host => "<host>" # Mandatory
    username => "<username>" # Mandatory
    password => "<password>" # Mandatory
    decoder_type => "logdecoder" # Mandatory
  }
  netwitness {
    host => "<host>" # Mandatory
    username => "<username>" # Mandatory
    password => "<password>" # Mandatory
    decoder_type => "logdecoder" # Mandatory
  }
}

The following parameters are accepted by the NetWitness Export Connector.

| Parameter | Description | Parameter Type | Default Value |
|---|---|---|---|
| host | IP address or hostname of the Decoder or Log Decoder (mandatory) | String | N/A |
| username | Username used to access the Decoder or Log Decoder (mandatory) | String | N/A |
| password | Password of the user (mandatory) | String | N/A |
| decoder_type | Accepts only 'decoder' or 'logdecoder' (mandatory) | String | N/A |
| ssl_enable | Enables the SSL connection between the Decoders and the NetWitness Export Connector. For more information, see Configure SSL | Boolean | false |
| ssl_certificate_path | Path of the certificate that is used for trusted connections. Mandatory if SSL is enabled | String | N/A |
| ssl_certificate_password | Password of the certificate in use. Mandatory if SSL is enabled | String | N/A |
| ssl_version | Version of the SSL connection | String | TLSv1.2 |
| plugin_metrics_enable | Enables metrics reporting to Elastic (New Health and Wellness). For more information, see Health and Wellness | Boolean | false |
| elastic_host | IP address or hostname of the Elastic host. Mandatory if plugin metrics is enabled | String | N/A |
| elastic_port | Port number of the Elastic host | String | 9200 |
| elastic_username | The username that is used to access the Elastic host. Mandatory if plugin metrics is enabled | String | N/A |
| elastic_password | The password that is used to access the Elastic host. Mandatory if plugin metrics is enabled | String | N/A |
| meta_include | Aggregates only the meta keys that are added in this parameter setting. Accepts comma-separated values (csv) format | String | nil |
| meta_exclude | Excludes the meta keys that are added in this parameter setting from aggregation. Accepts comma-separated values (csv) format | String | nil |
| start_session | Session from which the aggregation starts. Setting the value to 0 starts the aggregation from last.session.id in the Decoder | Number | 0 |
| export_log | Includes the raw log with the meta in the session (applicable only for Log Decoder aggregation) | Boolean | false |
| aggregate_sessions | Number of sessions ingested in a batch from the Decoders | Number | 1000 |
| aggregation_interval | Time interval (in milliseconds) between two event cycles | Number | 1000 |
| prefetch_count | Controls the number of batches to be pulled into the buffer that is available for the plugin to collect | Number | 2 |
| compression | The number of bytes in each message before the message is compressed. Setting the value to 0 disables compression. Ranges from 0 to 131071 | Number | 0 |
| compression_level | The level of compression. Ranges from 0 to 9, where 1 is the fastest and 9 gives the best compression. A value of 0 selects the best balance between speed and compression | Number | 6 |
| buffer_size | Controls the number of records that the stream holds in the buffer before they are ingested | Number | 40000 |
| position_tracking_path | Path where the last consumed session id is stored. Default storage location is /var/lib/logstash. For more information, see Position tracking and start session | String | /var/lib/logstash |
| custom_meta_config_path | Path to the custom multivalued meta configuration file. For more information, see Configuring Custom Multi-valued Meta | String | nil |
| Query | Takes any NetWitness Platform query as input. Note: Only indexed meta keys must be part of the query. For example, select * where device.type = 'rhlinux' | String | Select * |
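The mandatory and conditionally mandatory parameters in the table (the certificate settings when ssl_enable is true, the Elastic settings when plugin_metrics_enable is true) can be checked before the file is placed in /etc/logstash/conf.d/. The following Ruby check is an added example, not part of the RSA documentation or the plugin; the function names, the sample addresses and the certificate path are assumptions.

```ruby
# Added example (not NetWitness code): check netwitness input blocks against the
# parameter table. Assumes one `key => value` per line, as in this page's examples.
REQUIRED = %w[host username password decoder_type].freeze
CONDITIONAL = {
  "ssl_enable" => %w[ssl_certificate_path ssl_certificate_password],
  "plugin_metrics_enable" => %w[elastic_host elastic_username elastic_password]
}.freeze

# Returns one hash of parameters per `netwitness { ... }` block.
def parse_netwitness_blocks(text)
  text.scan(/netwitness\s*\{(.*?)^\s*\}/m).map do |(body)|
    body.scan(/^\s*(\w+)\s*=>\s*(?:"([^"]*)"|([^\s#]+))/)
        .to_h { |key, quoted, bare| [key, quoted || bare] }
  end
end

# Returns the findings for one block as an array of strings.
def validate_block(params)
  issues = REQUIRED.reject { |k| params.key?(k) }.map { |k| "missing mandatory parameter: #{k}" }
  type = params["decoder_type"]
  issues << "decoder_type must be 'decoder' or 'logdecoder'" if type && !%w[decoder logdecoder].include?(type)
  CONDITIONAL.each do |flag, needed|
    next unless params[flag] == "true"
    needed.each { |k| issues << "#{flag} is true but #{k} is not set" unless params.key?(k) }
  end
  issues << "ssl_enable is not true: no SSL to the Decoder" unless params["ssl_enable"] == "true"
  issues
end

# Constructed sample: addresses and paths are placeholders.
SAMPLE = <<~CONF
  input {
    netwitness {
      host => "192.0.2.10"  # Mandatory
      username => "<username>"
      password => "<password>"
      decoder_type => "logdecoder"
      ssl_enable => true
      ssl_certificate_path => "/path/to/certificate"
    }
    netwitness {
      host => "192.0.2.11"
      decoder_type => "concentrator"
    }
  }
CONF
parse_netwitness_blocks(SAMPLE).each_with_index do |block, i|
  puts "block #{i + 1}: #{validate_block(block).join('; ')}"
end
```

Because ssl_enable defaults to false, a block that omits it is reported as not using SSL, which makes the default visible during review.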

Position tracking and start session

Position tracking, or bookmarking, is used to track the sessions that are aggregated by Logstash and sent to the consumer. Position tracking starts automatically and updates the tracking file every 60 seconds in the path specified by the position_tracking_path parameter in the configuration file. The file consists of two parts: [sessionid,timestamp]. If the path is not specified in the configuration file, the default location is /var/lib/logstash.

The start_session parameter accepts a number (long: primitive datatype) and indicates the first sessionid that the plugin requests from its corresponding source. If the start_session parameter is not specified in the configuration file, or if its value is 0, the first session requested by the plugin is last.session.id + 1, where last.session.id is the value in the Decoder's REST API at /database/stats/last.session.id.

If the position tracking file exists for a source and start_session is not configured or is set to 0, the plugin initiates aggregation from the sessionid indicated in the position tracking file.

If the position tracking file exists for a source and start_session is set to a non-zero value, the start_session value takes precedence over the position tracking file. The plugin requests sessions from the one specified in the start_session parameter onwards.
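The precedence rules above can be written as a small decision function. This Ruby model is an added example and is not the plugin's code; the function names are hypothetical, and it assumes the tracking file holds a single "sessionid,timestamp" record, optionally wrapped in brackets, and that an unreadable record is treated like a missing file.

```ruby
# Added example: a model of the start-session precedence described above.
# It is not the plugin's code. Assumption: the tracking file holds one
# "sessionid,timestamp" record, optionally wrapped in brackets.
require "tmpdir"

# Returns the bookmarked session id, or nil if the file is missing or
# does not start with a numeric session id (assumed handling).
def read_tracked_session(path)
  return nil unless path && File.file?(path)
  m = File.read(path).strip.match(/\A\[?\s*(\d+)\s*,/)
  m && m[1].to_i
end

# start_session:   configured value, nil when the parameter is absent
# tracking_file:   path of the position tracking file for this source
# last_session_id: the Decoder's /database/stats/last.session.id value
# Returns [first session id to request, rule that decided it].
def first_session(start_session, tracking_file, last_session_id)
  configured = start_session.to_i
  return [configured, :start_session] unless configured.zero?  # non-zero value wins
  tracked = read_tracked_session(tracking_file)
  return [tracked, :position_tracking] if tracked               # resume from bookmark
  [last_session_id + 1, :last_session_id]                       # no bookmark yet
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    bookmark = File.join(dir, "tracking")      # constructed file name
    File.write(bookmark, "5000,1602748800\n")  # constructed record
    p first_session(nil, bookmark, 9000)
    p first_session(100, bookmark, 9000)
    p first_session(0, File.join(dir, "absent"), 9000)
  end
end
```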
