000029306 - Collecting statistics for RSA Security Analytics Decoder via REST API

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029306
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Packet Decoder
Platform: CentOS
TasksThis article provides instructions for collecting real-time statistics for an RSA Security Analytics Decoder appliance  via the REST API using the UNIX "curl" command and include statistics such as packet capture rate, meta assembler rate, total bytes captured, etc.
ResolutionDecoder statistics can be collected with the curl command passed to the RSA SA  REST API.  By piping curl to grep, its possible to further filter the output based on the information desired.  A sample is provided below:  
 
curl -u <username>:<password> "http://<decoder_ip_address>:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | grep <filter_string>


In the example below, the current and maximum packet capture rates are being collected.
[root@localhost ~]# curl -u admin:netwitness "http://192.168.1.5:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | grep packet.capture.rate
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3122  100  3122    0     0   575k      0 --:--:-- --:--:-- --:--:-- 1016k
capture.packet.rate (Capture Packet Rate (current)) = 34663
capture.packet.rate.max (Capture Packet Rate (maximum)) = 131012




 
NotesRefer to the table below for other filters that can be applied to the curl command.
 
StringDescription
assembler.client.bytesAssembler Client Bytes
assembler.client.goodput.rateAssembler Rate Client Goodput (current)
assembler.client.goodput.rate.maxAssembler Rate Client Goodput (maximum)
assembler.client.retransAssembler Client Retransmit
assembler.meta.rateAssembler Rate Meta (current)
assembler.meta.rate.maxAssembler Rate Meta (maximum)
assembler.packet.bytesAssembler Packet Bytes
assembler.packet.pagesAssembler Packet Pages
assembler.packet.rateAssembler Rate Packet (current)
assembler.packet.rate.maxAssembler Rate Packet (maximum)
assembler.packetsAssembler Packets
assembler.server.bytesAssembler Server Bytes
assembler.server.goodput.rateAssembler Rate Server Goodput (current)
assembler.server.goodput.rate.maxAssembler Rate Server Goodput (maximum)
assembler.server.retransAssembler Server Retransmit
assembler.sessionsAssembler Sessions
assembler.sessions.forcedAssembler Sessions Forced
assembler.sessions.splitAssembler Sessions Split
assembler.sessions.timed.outAssembler Sessions Timed Out
assembler.timespanAssembler Timespan
capture.avg.sizeAverage Size of Captured Packets
capture.deviceCapture Device
capture.droppedCaptured Packets Dropped
capture.dropped.percentCaptured Packets Percent Dropped (current)
capture.dropped.percent.maxCaptured Packets Percent Dropped (maximum)
capture.filteredCaptured Packets Filtered
capture.header.bytesCapture Header Bytes
capture.interfaceCapture Interface
capture.keptCaptured Packets Kept
capture.packet.ratePacket Capture Rate (current)
capture.packet.rate.maxPacket Capture Rate (maximum)
capture.payload.bytesCapture Payload Bytes
capture.rateCapture Rate (current)
capture.rate.maxCapture Rate (maximum)
capture.receivedCaptured Packets Received (total)
capture.statusCapture Status
capture.total.bytesCapture Total Bytes
correlation.results.createdCorrelation Results Created
correlation.results.droppedCorrelation Results Dropped
limiter.bytes.rateLimiter Rate Bytes (current)
limiter.bytes.rate.maxLimiter Rate Bytes (maximum)
limiter.engagedLimiter Engaged
limiter.packets.droppedPackets dropped while limiter is engaged
pool.packet.assemblerPacket Assemble Queue
pool.packet.capturePacket Capture Queue
pool.packet.writePacket Write Queue
pool.session.correlateSession Correlation Queue
pool.session.writeSession Write Queue
rule.alert.sessionRule Alert (Session)
time.beginPacket Database Time Begin
time.captureCapture Time Elapsed
time.endPacket Database Time End

Attachments

    Outcomes