Article Content
Article Number | 000026811 |
Applies To | RSA Product Set: Security Analytics, NetWitness Logs & Network SA Product/Service Type: Concentrator RSA Version/Condition: 10.x, 11.x O/S Version: EL6, EL7 |
Issue | How to extract NWD (NetWitness data) files from RSA Security Analytics. |
Resolution | NWD files are sometimes useful to Technical Support for troubleshooting. NWD files are pcap or log files which contain all parsers and meta information.
To extract NWD files from RSA Security Analytics, follow the steps below.
|
Notes | Once you open the session in the Investigator, this will be cached in the concentrator server in /var/netwitness/concentrator/cache Therefore you will have a file called sessionID.nwd (38642969.nwd in this example). Alternatively you can use an SFTP client (such us WinSCP) to download the sessionID.nwd file from the concentrator |
Legacy Article ID | a65964 |