000026342 - How to configure NTP on an RSA Netwitness appliance

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026342
Applies ToRSA NetWitness NextGen
RSA NetWitness Decoder
RSA NetWitness Log Decoder
RSA NetWitness Concentrator
RSA NetWitness Hybrid
RSA NetWitness Broker
RSA NetWitness Administrator
IssueHow to configure NTP on an RSA Netwitness appliance.
How to get NetWitness appliances to be in sync with each other using NTP.

The RSA NetWitness architecture relies heavily on a consistent time source to keep the data synchronized between multiple devices.  It is highly recommended that NTP be setup on every RSA NetWitness appliance to ensure optimal performance.  Not doing so may result in sluggish query performance, concentrators falling behind in consumption, and/or devices being aggregated always remaining in a waiting state instead of consuming.

NTP can be configured by following the steps below, which will configure the time synchronization parameters.

  1. Connect to the device via RSA NetWitness Administrator using the 50006 appliance service port.
  2. Double-click on the device adn select the Appliance Tasks button.
  3. Select Set Network Time Source.
  4. Enter your NTP server name and click the Run button, using the following syntax:  source=<ntp_source>


You can verify the NTP server information by examining the /etc/ntp.conf file via SSH.  The entry will appear similar to the following:  server 0.pool.ntp.org


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance. 


If your appliances have access to the Internet, 0.pool.ntp.org can be used as the NTP server.

If the NTP configuration does not appear to be persistent after rebooting the appliance, follow the procedure in the knowledgebase article Setting the NTP source on an RSA NetWitness appliance is not persistent after reboot.

Legacy Article IDa58598