000026850 - How to collect RSA Security Analytics device logs by individual service type by using NwConsole

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000026850
Applies ToRSA Security Analytics
RSA NetWitness NextGen
RSA NetWitness NwConsole
IssueHow to collect RSA Security Analytics device logs by individual service type by using NwConsole.
How to collect individual NetWitness appliance logs using NwConsole.
ResolutionTo collect and download the warning and failure logs of an individual appliance, please follow the steps below:

  1. Connect the appliance in question via SSH
  2. Issue the command NwConsole to enter the Security Analytics Console
  3. Login to the service level in question (refer to the table below) by issuing the following command:
    1. login localhost:<service_level_port> admin
  4. At the prompt, enter the password for the account in question.
  5. Proceed to collect the logs in question by issuing the following commands:
    1. cd logs
    2. /logs> dlogs pathname=/root/<filename>.txt time1="2013-Oct-17 00:00:00" time2="2013-Oct-19 00:00:00"

      NOTE:  The time format above is an example, change the dates to the range needed.

See the note below for an example of the entire process.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this artice ID for further assistance.


Below is a detailed example of the process: 

RSA Security Analytics Console
Copyright 2001-2012, RSA Security Inc.  All Rights Reserved.

> login localhost:50004 admin

Password: *********
Successfully logged in as session 3680
[localhost:50004] /> dlogs
Usage: dlogs <supported parameters> [pathname=<pathname>] [delimiter=","] [append={0|1}]
        NOTE: The current node must be /logs ("cd /logs")
        For supported parameters, send the following command "send /logs help msg=download"
        pathname  - is the optional output path where the logs will be saved, otherwise logs are written to console
        delimiter - The string that separates each log field, use \\t for tab, default is a comma
        append    - If 1, will append to existing file, zero overwrites (default)
[localhost:50004] /> cd logs
[localhost:50004] /logs
[localhost:50004] /logs> dlogs pathname=/logs.txt time1="2013-Oct-17 00:00:00" time2="2013-Oct-19 00:00:00"


Refer to the table below for the ports associated with each service level.

 Service Level Service Port
 Appliance 50006
 Concentrator 50005
 Decoder 50004 
 Broker 50003
 Log Decoder 50002
 Log Collector 50001

Legacy Article IDa66409