|Applies To||RSA Product Set: NetWitness Logs & Network|
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.6.x, 11.x
NetWitness imposes a hard coded limit of <100,000 in the RSA NetWitness GUI.
|Resolution||The following 3 methods may be used to Extract PCAP/LOGS:|
Method 1: using REST API, restricts export to 1GB or less
Method 2: Using Curl command line, restricts export to 1GB or less
Method 3: Using SDK no published limitations
Once connected to the log concentrator, log in to the NwConsole, and connect to the concentrator service.
(Note: ssl is only used if ssl has been enabled on the appliance service. nws = ssl, nw = non-ssl)
> login localhost:50005:[ssl] admin [password]
> sdk open nw[s]://admin:[password]@[hostname]:50005
(Note: ssl is only used if ssl has been enabled on the appliance service. nws = ssl, nw = non-ssl.
Also if your password has a @ character the hostame will likely not connect, try creating a new service account user and password that does not have a @)
Once connected, issue the following command to begin the log extraction process:
> sdk content sessions=1-now render=logs dir="/root/logs" where="(time='2014-03-12 18:00:00'-'2014-03-12 18:30:00' && device.class = 'windows hosts' && user.dst = 'envisionrsa')" fileExt=.log append=arc_log_extract
sessions – the first session until now
render – generate the file as a "logs" or "pcap" for pckets
dir - the location where the log file will be saved
where – the where query from step 3
fileExt – the extension that will be placed on the created log file
append – the name of the log file that will be created