Article Content
Article Number | 000029676 |
Applies To | RSA Product Set: NetWitness Logs & Network; RSA Product/Service Type: Core Appliance; RSA Version/Condition: 10.6.x, 11.x |
Issue | NetWitness imposes a hard-coded limit of <100,000 in the RSA NetWitness GUI. |
Resolution | The following three methods may be used to extract PCAP/logs:

Method 1: Using the REST API; restricts each export to 1 GB or less.
Method 2: Using the curl command line; restricts each export to 1 GB or less.
Method 3: Using the SDK; no published limitations.

Method 3 procedure:

Once connected to the log concentrator, log in to NwConsole and connect to the concentrator service:

#NwConsole
> login localhost:50005:[ssl] admin [password]
> sdk open nw[s]://admin:[password]@[hostname]:50005

(Note: ssl is only used if SSL has been enabled on the appliance service: nws = SSL, nw = non-SSL. Also, if your password contains an @ character, the hostname will likely not connect; try creating a new service account user and password that does not contain an @.)

Once connected, issue the following command to begin the log extraction process:

> sdk content sessions=1-now render=logs dir="/root/logs" where="(time='2014-03-12 18:00:00'-'2014-03-12 18:30:00' && device.class = 'windows hosts' && user.dst = 'envisionrsa')" fileExt=.log append=arc_log_extract

Command breakdown:
sessions – the first session until now
render – generate the file as "logs", or "pcap" for packets
dir – the location where the log file will be saved
where – the where query from step 3
fileExt – the extension that will be placed on the created log file
append – the name of the log file that will be created

Sample output:
|
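As an added example (not part of this article and not NetWitness code), a small Python helper that generates the NwConsole `sdk open` and `sdk content` lines shown above, enforces the @-in-password caveat, and splits a long time range into fixed windows so each extract stays small. The quoting rule (rejecting quote characters in query values rather than escaping them) and the numbered suffix on split output files are assumptions.

```python
# Hypothetical helper, not NetWitness code: emits the NwConsole command lines used in
# this article and splits a long time range into fixed windows so every extract stays
# small. Quoting rules and the per-window file name suffix are assumptions.
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def nw_literal(value: str) -> str:
    """Single-quote a query value; refuse quote characters instead of guessing the
    NetWitness escape syntax, so a value can never break out of the where clause."""
    if "'" in value or '"' in value:
        raise ValueError(f"quote character not allowed in query value: {value!r}")
    return f"'{value}'"


def build_sdk_open(user, password, host, port=50005, ssl=False):
    """'sdk open' line; the article warns that an '@' in the password breaks the URL."""
    if "@" in password:
        raise ValueError("password contains '@'; use a service account without one")
    return f"sdk open {'nws' if ssl else 'nw'}://{user}:{password}@{host}:{port}"


def build_where(start, end, filters):
    """Time range first, then the meta filters, in the article's where-clause layout."""
    terms = [f"time={nw_literal(start.strftime(TIME_FMT))}-{nw_literal(end.strftime(TIME_FMT))}"]
    terms += [f"{key} = {nw_literal(value)}" for key, value in filters.items()]
    return "(" + " && ".join(terms) + ")"


def build_content_commands(start, end, window_minutes, filters, out_dir="/root/logs",
                           append="arc_log_extract", render="logs", file_ext=".log"):
    """One 'sdk content' command per window (start/end as 'YYYY-MM-DD HH:MM:SS' strings).
    A split extract gets a numbered suffix on the output file name (assumption)."""
    cur, end_dt = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    windows = []
    while cur < end_dt:
        nxt = min(cur + timedelta(minutes=window_minutes), end_dt)
        windows.append((cur, nxt))
        cur = nxt
    commands = []
    for idx, (s, e) in enumerate(windows, 1):
        name = append if len(windows) == 1 else f"{append}_{idx:02d}"
        commands.append(f'sdk content sessions=1-now render={render} dir="{out_dir}" '
                        f'where="{build_where(s, e, filters)}" fileExt={file_ext} append={name}')
    return commands
```

Calling `build_content_commands("2014-03-12 18:00:00", "2014-03-12 18:30:00", 30, {"device.class": "windows hosts", "user.dst": "envisionrsa"})` reproduces the article's single `sdk content` line; a longer range yields one line per window.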