|Applies To||RSA Product Set: Security Analytics, NetWitness Logs & Network|
RSA Product/Service Type: Security Analytics services, NetWitness Logs & Network services
RSA Version/Condition: 10.4, 10.5, 10.6, 11.x
O/S Version: EL6, EL7
|Resolution||To collect and download the logs of an individual service, please follow the steps below:|
- Connect to the appliance in question via SSH
- Issue the command NwConsole to enter the console
- Login to the service in question (refer to the table below) by issuing the following command:
login localhost:<service_port> admin
- At the prompt, enter the password for the account in question.
- Proceed to collect the logs in question by issuing the following commands:
/logs> dlogs pathname=/root/<filename>.txt time1="2013-Oct-17 00:00:00" time2="2013-Oct-19 00:00:00"
NOTE: The time format above is an example, change the dates to the range needed.
See the note below for an example of the entire process.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Below is a detailed example of the process:
RSA Security Analytics Console 10.6.6.0
Copyright 2001-2018, RSA Security Inc. All Rights Reserved.
Type "help" for a list of commands or "man" for a list of manual pages.
> login localhost:50004 admin
Successfully logged in as session 4436
[localhost:50004] /> cd /logs
[localhost:50004] /logs> dlogs
Usage: dlogs [<supported parameters>] [pathname=<output pathname>]
Retrieve logs from the logged in service. The current node must be /logs ("cd
parameters - For supported parameters, send the following command "send
/logs help msg=download"
pathname - The optional output path where the logs will be saved,
otherwise, logs are written to the console
delimiter - The string that separates each log field, use \\t for tab,
default is a comma
append - If 1, will append to existing file, zero overwrites (default)
Aliases: downloadLogs, downloadlogs
[localhost:50004] /logs> dlogs pathname=/logs.txt time1="2013-Oct-17 00:00:00" time2="2013-Oct-19 00:00:00"
Refer to the table below for the ports associated with each service:
| Service|| Service Port|
| Archiver|| 50008|
| Workbench|| 50007|
| Appliance|| 50006|
| Concentrator|| 50005|
| Decoder|| 50004 |
| Broker|| 50003|
| Log Decoder|| 50002|
| Log Collector|| 50001|