000029676 - Different methods for exporting logs and pcaps in RSA Security Analytics 10.3

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000029676
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics log decoder, Security Analytics packet decoder, Security Analytics concentrator
RSA Version/Condition: 10.3+
Issue

The Security Analytics GUI imposes a hard-coded limit on exports (fewer than 100,000), so larger log or pcap extractions have to be performed outside the GUI using one of the methods below.

Resolution
The following three methods may be used to extract PCAPs or logs:
 
Method 1: Using the REST API on the decoder's REST port (50102 for a log decoder, 50104 for a packet decoder); each export is restricted to 1GB or less
 http://<Logdecoder_IP>:50102/sdk/packets
 http://<Packetdecoder_IP>:50104/sdk/packets

Method 2: Using curl from the command line against the same REST interface; each export is restricted to 1GB or less (with -u admin and no password, curl prompts for the password instead of leaving it in shell history)

curl -u admin -G -o extract.log "http://<LOG_DECODER_IP>:50102/sdk/packets" --data-urlencode "render=logs" --data-urlencode "time1=<START_TIME>" --data-urlencode "time2=<END_TIME>"
curl -u admin -G -o extract.pcap "http://<PACKET_DECODER_IP>:50104/sdk/packets" --data-urlencode "render=pcap" --data-urlencode "time1=<START_TIME>" --data-urlencode "time2=<END_TIME>"

(The query parameters are joined with &, not %. -G with --data-urlencode appends them to the URL with the spaces and colons in the timestamps percent-encoded, and -o writes the response to a file rather than to the terminal, which matters for binary pcap output.)

 
Method 3: Using the NwConsole SDK; no published limitations
SSH to the appliance hosting the concentrator, start NwConsole, log in to the local concentrator service (native port 50005), and open an SDK connection to it.
(Note: use the :ssl suffix and nws:// only if SSL has been enabled on the appliance service; nw = non-SSL, nws = SSL. A non-SSL connection sends the admin credentials in cleartext, so use SSL wherever it is enabled.)

# NwConsole
> login localhost:50005[:ssl] admin [password]
> sdk open nw[s]://admin:[password]@[hostname]:50005
Once connected, issue the following command to begin the log extraction process (replace the time range and meta filters with the ones you need):
> sdk content sessions=1-now render=logs dir="/root/logs" where="(time='2014-03-12 18:00:00'-'2014-03-12 18:30:00' && device.class = 'windows hosts' && user.dst = 'envisionrsa')" fileExt=.log append=arc_log_extract

Command Breakdown:
sessions – 1-now selects from the first session until now; the where clause then narrows that range
render – output format: "logs" for log sessions or "pcap" for packets
dir – directory on the appliance where the extracted file will be saved
where – the query that selects which sessions to extract (the time range plus any meta filters)
fileExt – the extension that will be placed on the created file
append – the name of the file that will be created
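Both Method 2 and Method 3 take a time range, and Method 2 also has a 1GB cap per request, so a long window usually has to be cut into slices and exported one slice at a time. The following is an added example, not code from the RSA article: it splits a window into fixed-size slices, builds the correctly encoded /sdk/packets URL (parameters joined with & and timestamps percent-encoded) and the equivalent curl and NwConsole `sdk content` lines for each slice, and can download a slice with HTTP basic auth. The host names, the /root/logs output path, the chunk size and the extra meta filter are placeholders, and it is assumed (not stated in the article) that the REST time1/time2 parameters accept the same 'YYYY-MM-DD HH:MM:SS' form that the article's where clause uses.

```python
"""Chunked log/pcap export: REST /sdk/packets URLs plus NwConsole 'sdk content'
commands per time slice. Added example, not from the RSA article.

Assumptions (placeholders, not from the article): decoder host names,
/root/logs as output directory, the chunk size, and that REST time1/time2
take the 'YYYY-MM-DD HH:MM:SS' form used by the article's where clause."""
import base64
import shutil
from datetime import datetime, timedelta
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# REST ports given in the article: log decoder 50102, packet decoder 50104.
REST_PORT = {"logs": 50102, "pcap": 50104}


def split_window(start, end, chunk_minutes):
    """Cut [start, end) into consecutive slices of at most chunk_minutes.

    Each slice becomes its own request; the operator sizes it so a single
    response stays under the 1 GB REST cap. Consecutive slices abut."""
    t = datetime.strptime(start, TIME_FMT)
    stop = datetime.strptime(end, TIME_FMT)
    if stop <= t or chunk_minutes <= 0:
        raise ValueError("end must be after start and chunk_minutes > 0")
    step = timedelta(minutes=chunk_minutes)
    windows = []
    while t < stop:
        t2 = min(t + step, stop)
        windows.append((t.strftime(TIME_FMT), t2.strftime(TIME_FMT)))
        t = t2
    return windows


def rest_url(host, render, t1, t2):
    """/sdk/packets URL with parameters joined by '&' and the timestamps
    percent-encoded (space -> %20, colon -> %3A)."""
    if render not in REST_PORT:
        raise ValueError("render must be 'logs' or 'pcap'")
    query = urlencode({"render": render, "time1": t1, "time2": t2},
                      quote_via=quote)
    return f"http://{host}:{REST_PORT[render]}/sdk/packets?{query}"


def curl_argv(url, user, out_path):
    """argv of the equivalent curl call; password is prompted, not embedded."""
    return ["curl", "-u", user, "-o", out_path, url]


def fetch(url, user, password, out_path):
    """Download one slice with HTTP basic auth, streaming to disk."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    with urlopen(req, timeout=600) as resp, open(out_path, "wb") as fh:
        shutil.copyfileobj(resp, fh)
    return out_path


def nwconsole_command(t1, t2, render, out_dir, name, extra_where=""):
    """The NwConsole 'sdk content' line for one slice (Method 3 syntax)."""
    where = f"time='{t1}'-'{t2}'"
    if extra_where:
        where += f" && {extra_where}"
    ext = ".log" if render == "logs" else ".pcap"
    return (f"sdk content sessions=1-now render={render} dir=\"{out_dir}\" "
            f"where=\"({where})\" fileExt={ext} append={name}")


def plan(host, render, start, end, chunk_minutes,
         out_dir="/root/logs", extra_where=""):
    """One (curl argv, NwConsole command) pair per slice."""
    ext = ".log" if render == "logs" else ".pcap"
    steps = []
    for i, (t1, t2) in enumerate(split_window(start, end, chunk_minutes), 1):
        name = f"extract_{i:03d}"
        url = rest_url(host, render, t1, t2)
        steps.append((curl_argv(url, "admin", f"{out_dir}/{name}{ext}"),
                      nwconsole_command(t1, t2, render, out_dir, name,
                                        extra_where)))
    return steps


if __name__ == "__main__":
    # Placeholder host and filter; the window is the one from the article.
    for argv, nw in plan("logdecoder.example.net", "logs",
                         "2014-03-12 18:00:00", "2014-03-12 18:30:00", 10,
                         extra_where="device.class = 'windows hosts'"):
        print(" ".join(argv))
        print("> " + nw)
```

Run it as a script to print the curl and NwConsole lines for each slice, or call fetch() on each URL from rest_url() to pull the slices directly; fetch() is the only function that touches the network.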

Sample output:
 
Sessions 1 to 9620098716 have meta range 1 to 190837549810
Found 10000+ new session(s) between meta range 1 to 190837549810
Activating thread for processing
Submitting request to stream logs for 10000 sessions
553 logs written, 5% complete
1050 logs written, 10% complete