000026811 - How to extract NWD (NetWitness data) files from RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 26, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000026811
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
SA Product/Service Type: Concentrator
RSA Version/Condition: 10.x, 11.x
O/S Version: EL6, EL7
IssueHow to extract NWD (NetWitness data) files from RSA Security Analytics.

NWD files are sometimes useful to Technical Support for troubleshooting. NWD files are pcap or log files which contain all parsers and meta information.


To extract NWD files from RSA Security Analytics, follow the steps below.

  1. From the Security Analytics UI, navigate to Investigation -> Navigate and select the concentrator in question.
  2. Identify the network or log event type for which you want to extract the NWD.

    For instance:

    User-added image


    User-added image

  3. As shown above, identify the session ID.

  4. Copy the following link into a browser: http://<concentratorIP>:50105/sdk/content?session=<session number>&&render=nwd
         Where concentratorIP is the IP address of the concentrator and session number is the session number you identify in the investigator module (in this example 38642969).

  5. Once you browse to the link above, you will be asked to insert the RSA Security Analytics admin credentials.

  6. Once you insert the credentials, a file called "Content" will be downloaded. Change the extension of the file to .nwd.  This will be the nwd file that you need and will contain all parsers and meta information.


Once you open the session in the Investigator, this will be cached  in the concentrator server in /var/netwitness/concentrator/cache

Therefore you will have a file called sessionID.nwd (38642969.nwd in this example). Alternatively you can use an SFTP client (such us WinSCP)  to download the sessionID.nwd file from the concentrator 

Legacy Article IDa65964