000026850 - How to collect RSA Security Analytics / NetWitness Platform device logs by individual service type using NwConsole

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 23, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000026850
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Security Analytics services, NetWitness Logs & Network services
RSA Version/Condition: 10.4, 10.5, 10.6, 11.x
Platform: CentOS
O/S Version: EL6, EL7
IssueHow to collect RSA Security Analytics / NetWitness Logs & Network device logs by individual service type using NwConsole.
ResolutionTo collect and download the logs of an individual service, please follow the steps below:
  1. Connect to the appliance in question via SSH
  2. Issue the command NwConsole to enter the console
  3. Login to the service in question (refer to the table below) by issuing the following command:

login localhost:<service_port> admin

  1. At the prompt, enter the password for the account in question.
  2. Proceed to collect the logs in question by issuing the following commands:

cd logs

/logs> dlogs pathname=/root/<filename>.txt time1="2013-Oct-17 00:00:00" time2="2013-Oct-19 00:00:00"

NOTE:  The time format above is an example, change the dates to the range needed.

See the note below for an example of the entire process.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.


Below is a detailed example of the process: 

RSA Security Analytics Console
Copyright 2001-2018, RSA Security Inc.  All Rights Reserved.

Type "help" for a list of commands or "man" for a list of manual pages.
> login localhost:50004 admin

Password: **********
Successfully logged in as session 4436
[localhost:50004] /> cd /logs
[localhost:50004] /logs
[localhost:50004] /logs> dlogs
Usage: dlogs [<supported parameters>] [pathname=<output pathname>]
             [delimiter=","] [append=<0|1>]
Retrieve logs from the logged in service.  The current node must be /logs ("cd

    parameters - For supported parameters, send the following command "send
                 /logs help msg=download"
    pathname   - The optional output path where the logs will be saved,
                 otherwise, logs are written to the console
    delimiter  - The string that separates each log field, use \\t for tab,
                 default is a comma
    append     - If 1, will append to existing file, zero overwrites (default)

Aliases: downloadLogs, downloadlogs
[localhost:50004] /logs
[localhost:50004] /logs> dlogs pathname=/logs.txt time1="2013-Oct-17 00:00:00" time2="2013-Oct-19 00:00:00"



Refer to the table below for the ports associated with each service:

 Service Service Port
 Archiver 50008
 Workbench 50007
 Appliance 50006
 Concentrator 50005
 Decoder 50004 
 Broker 50003
 Log Decoder 50002
 Log Collector 50001

Legacy Article IDa66409