000027758 - RSA NetWitness and RSA Security Analytics Tech Support Data Gathering Script

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jul 31, 2018. Version 16.

Article Number: 000027758
Applies To: RSA Product Set: NetWitness Logs and Packets (Security Analytics), NetWitness NextGen (Legacy)
RSA Version/Condition: 9.8, 10.1, 10.2, 10.3.x, 10.4.x, 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: 5, 6, 7
Script: nwtech.sh
Issue: How to download, utilize, and update the Tech Support Data Gathering script (nwtech.sh) to provide information to the Support team for troubleshooting purposes.

Where can I download the nwtech script?

How do I use the nwtech script?
 
Resolution: Current Script Version: 2018.07.30
 
1. Download the latest nwtech.sh script version linked in this solution.  Do not open it in a text editor and re-save it, as doing so may corrupt the script.  (Refer to the knowledge base article Error message '/bin/bash^M: bad interpreter: No such file or directory' when running an RSA NetWitness script for additional information.)


2. Using an scp utility (e.g. WinSCP, scp, etc.), copy the script to your NetWitness appliance's /root directory.

 


PLEASE COPY THIS FILE TO YOUR APPLIANCE USING SCP RATHER THAN USING A WINDOWS TEXT EDITOR, AS SOME WINDOWS TEXT EDITORS DO NOT HANDLE UNIX LF'S CORRECTLY, THUS UNEXPECTED RESULTS COULD OCCUR


3. To display help for the script, execute "./nwtech.sh -h".

4. Change permissions on the file to make it executable by running from an ssh session "chmod +x nwtech.sh"

5. Execute the script by running "./nwtech.sh -p" or "./nwtech.sh username password".  The "-p" option will prompt you for the username and password.  Providing the credentials on the command line is less secure, but if your password contains certain special characters you may have to run the script this way and enclose the password in 'single quotes'.   Use the credentials for your appliance services, i.e. the Decoder, Concentrator, or Broker credentials you would enter in Administrator, and not your operating system credentials, i.e. not the ones you use to log in via ssh.  Unless -i is selected, the script may terminate if a service login failure occurs.



Note: The script will generate an output file called 'nwtech-<dateandtime>.tar.bz2' - the complete filename will be listed at the end of the script's output.


6. scp the file back to your PC and attach it to your open NetWitness case.

7. The 3 most commonly used options are:

./nwtech.sh username password
./nwtech.sh -p
./nwtech.sh -d


Command Usage:

Usage: ./nwtech.sh username password [-s] [-ss] [-i] [-a] [-k] [-b] [-e]
Usage: ./nwtech.sh -p [-s] [-ss] [-i] [-a] [-k] [-b] [-e]
Usage: ./nwtech.sh -d [-k] [-b] [-e]

Password Notes:
  * Passwords supplied from command line containing certain special characters like # may need to be placed within 'single quotes' e.g. 'pass#word'
  * It may also be necessary to upgrade to at least NextGen 9.6.5.10/9.7.5.9 due to a defect in handling passwords containing special characters.
  * Special characters include: " # $ & ( ) * ' \ ` ~
  * Passwords may not contain certain characters such as space & -
  * There is a 17 character password limit.

  -p    Prompt for service credentials separately instead of entering username & password via command line.  This MUST be specified as the first parameter.
  -d    Only run disk commands.  Do nothing else.  This MUST be specified as the first parameter.  Do not enter a username and password on the command line.
  -s    Login to services using SSL.  Use this option if your services have SSL enabled.
  -ss   Prompt for SSL separately for each service.  Use this if not all services have SSL enabled.
  -i    Ignore failed login attempts and continue.  Note: If a service login fails then the output file will NOT contain service exports such as service logfiles and service stats.
  -a    Grab ALL /var/log/messages* files, not just active logfile and don't truncate service logs.
  -k    Keep script output beneath current directory and do not compress. Cannot be used with -b or -e switches
  -b    Use bz2 compression if '7za' command is present (7zip compression is default if '7za' is installed).
  -e    Encrypt payload using RSA NetWitness Support PGP public key (nwsupport@rsa.com).  You may be prompted to add the key to your GPG keyring.  The unencrypted output file will not be deleted. Cannot be used with -k.
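As an added example (not part of nwtech.sh or of this article), the POSIX shell helper below checks two things the steps and Password Notes above warn about before the script is run: carriage returns introduced by a Windows editor (the cause of the '/bin/bash^M: bad interpreter' error) and the documented password constraints.  The file path, function names and the `preflight.sh` filename are assumptions.

```shell
#!/bin/sh
# Assumed usage:  . ./preflight.sh; preflight /root/nwtech.sh

# Return 0 if the file contains a carriage return (CR). A CR after the
# shebang line is what produces '/bin/bash^M: bad interpreter'.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Remove CRs in place, keeping a .bak copy. Uses tr so it works on CentOS 5-7
# even when dos2unix is not installed.
strip_crlf() {
    cp "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"
}

# Characters the usage text says may need 'single quotes': " # $ & ( ) * ' \ ` ~
SPECIALS='"#$&()*'\''\`~'

# Check a service password against the Password Notes above.
# Returns 1 (cannot be used), 2 (must be single-quoted or entered via -p),
# or 0 (safe on the command line); the reason is printed on stdout.
check_service_password() {
    pw=$1
    if [ "${#pw}" -gt 17 ]; then
        echo "password exceeds the 17 character limit"; return 1
    fi
    case $pw in
        *' '*|*-*) echo "password contains a space or '-', which is not supported"; return 1 ;;
    esac
    if printf '%s' "$pw" | grep -q "[$SPECIALS]"; then
        echo "password has special characters: use -p or enclose in 'single quotes'"; return 2
    fi
    echo "password can be passed on the command line"; return 0
}

# Full pre-flight: fix line endings if needed, then make the script executable
# (step 4 above). Returns 0 when the script is ready to run.
preflight() {
    script=$1
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    if has_crlf "$script"; then
        echo "CR line endings found in $script, converting"
        strip_crlf "$script" || return 1
    fi
    [ -x "$script" ] || chmod +x "$script" || return 1
    echo "$script is ready: run ./nwtech.sh -p"
}
```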



Please see attached changelog file for more details.



Notes: You may submit files larger than 25MB by referring to the knowledge base article RSA NetWitness Technical Support script (nwtech.sh) output is too large to upload to a Salesforce case.

For versions 10.4.x and later, if the -p parameter is used, once authentication succeeds against one of the following important services, the remaining services will attempt to authenticate using the puppet trust model.

The services considered important are:

  • Decoder
  • Log Decoder
  • Log Collector
  • Concentrator
  • Archiver
  • Broker

Click here to download the latest version of the nwtech.sh script.



Click here to view the Changelog for the nwtech.sh script.



Click here to download the curl-7.18.1-1.fc9.x86_64.rpm package for Fedora Core 9.





Legacy Article ID: a59741
