
Export Connector Install: Health and Wellness

Document created by RSA Information Design and Development Employee on Oct 15, 2020. Last modified by RSA Information Design and Development Employee on Jan 13, 2021.
Version 2

Health and Wellness

Note: This feature is available only in NetWitness Platform version 11.5 and later. For more information, see "Monitor New Health and Wellness" in the System Maintenance Guide for RSA NetWitness Platform.

You can monitor the operational state of the Logstash service and details of the configured sources in the New Health & Wellness tab of the NetWitness Platform user interface. New Health & Wellness is built on Elastic and Kibana. The metrics from the Logstash instance are sent to the Elastic service and visualized using Kibana. The tab displays the Logstash service status and the NetWitness Export Connector sources in a dashboard view. The New Health & Wellness service is referred to as the Elastic host in this document.

The Logstash service sends metrics every 30 seconds. These metrics are used to view the operational status of the Logstash service and the NetWitness Export Connector. Two types of metrics are available for monitoring the Logstash status.

  • Plugin metrics - For monitoring the NetWitness Export Connector status.
  • Host metrics - For monitoring the health of the Logstash service instance (appliance or virtual machine), such as IO stats, CPU, memory usage and others.

By default, the plugin metrics are available in Logstash. To collect the host metrics, you must install Metricbeat, a third-party software used for collecting the host metrics. It is recommended to enable both the plugin metrics and host metrics to view all the dashlets in the dashboard.

Download and Install Dashboard.

To view the Logstash service and NetWitness Export Connector stats in Kibana, download and deploy the dashboards from Live. Do the following steps.

  1. Log in to NetWitness Platform UI.
  2. Click (Configure) > LIVE CONTENT.
  3. In the Search Criteria panel, select the Resource Types as:
    • Health and Wellness Dashboards
    • Health and Wellness Monitors
  4. Click Search.
  5. In the Matching Resources view, select the Logstash Input Plugin Overview dashboard to deploy.
  6. In the Matching Resources toolbar, click .
  7. In the Deployment Wizard > Resources tab, click Next.
  8. In the Services tab, select the Metrics Server service.
  9. Click Next.
  10. Click Deploy.
    The Deploy page is displayed. The Progress bar turns green when you have successfully deployed the resources to the selected services.
  11. Click Close.

For more information, see the Advanced Configuration section in the "Monitor New Health and Wellness" topic in the System Maintenance Guide for RSA NetWitness Platform.

Create a User in New Health & Wellness (Kibana)

You must create a user account in New Health & Wellness in NetWitness Platform (Kibana) to send Logstash metrics to New Health & Wellness in NetWitness Platform (Kibana). This user account is used when configuring the Logstash plugin metrics and host metrics.

To create a user account in Kibana, do the following steps.

Note: This is applicable only for hosts or services that are not managed by NetWitness Platform.

  1. Go to (Admin) > HEALTH & WELLNESS > New Health & Wellness.
    The New Health & Wellness panel view is displayed.
  2. Click Pivot to Dashboard.
    Kibana Dashboard view is displayed in a new tab.
  3. Click the Security icon on the left.
    Kibana Security view is displayed.
  4. In the Authentication Backends section, click Internal User Database and click the icon to create new user.
  5. Enter the username and the password in the respective columns.
  6. In the Backend Roles section, click and add nwservice-role, and then click Submit.
    Username is displayed in the Internal Database section.
  7. Click the icon to go back to Kibana Security view.
  8. In the Permissions and Roles section, click Role Mappings and click nwservice-role to add the user name.
  9. Click and add the newly created username, and then click Submit.

Enable the Logstash Plugin Metrics

To enable the Logstash plugin metrics, add the following parameters in the Logstash Configuration file (netwitness-<decoder-ip>-input.conf).

| Parameter | Setting | Parameter Type | Default Value |
|---|---|---|---|
| | Set the value to 'true' to enable the plugin metrics | | |
| elastic_host | Enter the IP address or hostname of the Elastic host or IP address of the New Health & Wellness service | String | N/A |
| elastic_port | Enter the port number of the Elastic host | | |
| elastic_username | Enter the username that is used to access the Elastic host (user account created in Kibana, see Create a User in New Health & Wellness (Kibana)) | String | N/A |
| elastic_password | Enter the password that is used to access the Elastic host | | |



Enable the Logstash Host Metrics

Note: This is applicable only for hosts or services that are not orchestrated by NetWitness Platform.

To enable the Logstash host metrics, follow these steps.

  1. Download Metricbeat software. For more information refer to Metricbeat.
    curl -L -O

  2. Install Metricbeat on the Logstash service by running the following command.
    sudo rpm -ivh metricbeat-oss-7.8.0-x86_64.rpm
  3. Disable the default collection of Logstash monitoring metrics in the configuration file logstash.yml by changing xpack.monitoring.enabled parameter to false.
    xpack.monitoring.enabled: false

Note: Generally, the xpack.monitoring.enabled parameter is commented out. Remove the (#) character to activate it.

  4. Enable the logstash-xpack module in Metricbeat to collect host status by running the following command.
    metricbeat modules enable logstash-xpack
  5. In the /etc/metricbeat/modules.d/system.yml file, add the following lines at the end of the file and save it.

    # Processors to parse process names of Netwitness Logstash Service.
    - module: system
      period: 1m
      metricsets:
        - process
      processors:
        - add_fields:
            # <FIELD_NAME> is a placeholder: the field name is missing from this page.
            fields: { "<FIELD_NAME>": "logstash-service" } # Adding process name to a new field
            # The condition key is missing from this page; when.contains is assumed.
            when.contains:
              system.process.cmdline: "logstash-core.jar" # Condition on which process name will be updated

Note: Use proper indentation while adding the lines. Refer to an existing module in the system.yml file. If the indentation is incorrect, the service may fail to start.

  6. Configure the monitoring data to send metrics to Metricbeat. Follow these steps.
    1. Update the /etc/metricbeat/metricbeat.yml file.
      • Replace the content in the 'Elasticsearch output' section in metricbeat.yml with the following lines.
        output.elasticsearch:
          # Array of hosts to connect to.
          hosts: ["<ELASTIC_HOST>:9200"]
          index: "nw-logstash-metricbeats-%{+yyyy.MM.dd}"

          # Protocol - either `http` (default) or `https`.
          protocol: "https"
          # The parent key of the next two lines is missing from this page; ilm is assumed because check_exists is an ILM option.
          ilm:
            enabled: false
            check_exists: false
          # Authentication credentials - either API key or username/password.
          username: "<ELASTIC_USERNAME>"
          password: "<ELASTIC_PASSWORD>"
          # "none" disables validation of the Elastic host's certificate.
          ssl.verification_mode: none

        setup.ilm.enabled: false
        setup.template:
          enabled: false # Disabled so that metricbeat auto-creates the template every day based on incoming metrics.
          name: "nw-logstash-metricbeats-%{+yyyy.MM.dd}"
          pattern: "nw-logstash-metricbeats-%{+yyyy.MM.dd}"
    2. Update the ELASTIC_HOST, ELASTIC_USERNAME and ELASTIC_PASSWORD details in metricbeat.yml file.
  7. Start the Metricbeat service by running the following command.
    sudo service metricbeat start

For more information visit the official documentation of Metricbeat.
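
The Elasticsearch output shown in the metricbeat.yml step keeps the password inline and sets ssl.verification_mode to none, so Metricbeat authenticates to the Elastic host without validating its certificate. The check below is an added example, not part of the RSA documentation; both sample configurations, the host name, user name, CA file path and the ES_PWD keystore key are constructed for illustration.

```shell
#!/bin/sh
# Added example: flags weak transport and credential settings in the
# Elasticsearch output of a metricbeat.yml read from stdin.

audit_metricbeat() {
    cfg=$(cat)
    # verification_mode none: the Elastic host's certificate is never validated.
    printf '%s\n' "$cfg" |
        grep -Eq '^[[:space:]]*(ssl\.)?verification_mode:[[:space:]]*"?none' &&
        echo "tls-verify-off: server certificate is not validated"
    # protocol http: user name and password cross the network in cleartext.
    printf '%s\n' "$cfg" |
        grep -Eq '^[[:space:]]*protocol:[[:space:]]*"?http"?[[:space:]]*$' &&
        echo "cleartext-http: credentials are sent unencrypted"
    # A password that is not a ${KEY} reference sits in the file as plain text.
    printf '%s\n' "$cfg" | grep -E '^[[:space:]]*password:' |
        grep -Evq '\$\{[A-Za-z_][A-Za-z0-9_]*\}' &&
        echo "inline-password: store it in the keystore and reference \${ES_PWD}"
    return 0
}

sample_weak() {      # constructed sample mirroring the output section above
cat <<'EOF'
output.elasticsearch:
  hosts: ["elastic.example.internal:9200"]
  protocol: "https"
  username: "logstash_metrics"
  password: "constructed-sample-password"
  ssl.verification_mode: none
EOF
}

sample_hardened() {  # constructed sample: verification on, keystore reference
cat <<'EOF'
output.elasticsearch:
  hosts: ["elastic.example.internal:9200"]
  protocol: "https"
  username: "logstash_metrics"
  password: "${ES_PWD}"
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/etc/metricbeat/elastic-ca.pem"]
EOF
}

for s in sample_weak sample_hardened; do
    echo "== $s"; $s | audit_metricbeat
done
```

To check a deployed file, run `audit_metricbeat < /etc/metricbeat/metricbeat.yml`. The keystore entry referenced as `${ES_PWD}` is created with `metricbeat keystore create` followed by `metricbeat keystore add ES_PWD`.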
