RSA NetWitness Logs and Packets Tuning

Document created by Elizabeth Maloney (Employee) on Oct 4, 2016. Last modified by Elizabeth Maloney (Employee) on May 1, 2017. Version 5.






In order to register for a class, you need to first create an EMC account.
If you need further assistance, contact us.




This on-demand lab reviews the proper initial configuration steps and settings for RSA NetWitness Logs and Packets. Students are then presented with a sub-optimal environment, identify the “underperforming” modules, and fine-tune the environment.



This self-paced on-demand lab presents the proper initial configuration steps and settings for RSA NetWitness Logs and Packets. It describes an optimal configuration of RSA NetWitness Logs and Packets that allows for increased performance. Lab exercises provide students with the ability to practice what they have learned. To maximize the value of your learning experience, this course also includes access to RSA University’s virtual environment.

Anyone interested in tuning their RSA NetWitness Logs and Packets environment for optimal performance

Delivery Type
On-Demand Lab

1-hour course and 2-hour lab
Note: RSA University’s on-demand lab environment is provided for 10 hours of overall practice time over a 14-day period.

Accessing the Lab Environment
Lab exercises are performed in the RSA University virtual lab environment. The downloadable Lab Guide provides detailed instructions on accessing the environment. For more information, please view the document Access RSA University Virtual Labs, available on the RSA University site: RSA University Content.


Prerequisite Knowledge/Skills
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:


Learning Objectives
Upon successful completion of this course, participants should be able to:

  • Install and configure RSA NetWitness Logs and Packets hardware
  • Perform initial configuration of RSA NetWitness Logs and Packets
  • Perform basic configuration checks


Course Outline
Module 1: Pre-Configuration Procedures
  • Utilize a checklist of procedures
  • Map out your environment before deploying RSA NetWitness Logs and Packets
  • Understand the architecture and how it will affect the deployment
Module 2: Post-Install Configuration
  • Configure Proxy Server settings
  • Create and configure an RSA Live account
  • Check for software updates
  • Configure Security Settings
Module 3: Deploy the Right Content
  • Identify and deploy the proper parsers
  • Determine and deploy the proper feeds
Module 4: Capture and Aggregation Settings
  • Configure capture settings on both Decoders
  • Configure aggregation settings on the Concentrator
  • Add additional Log Collectors
Module 5: Utilize Filtering and Truncation
  • Filter unnecessary data from your data set
  • Describe the reasons for filtering
  • Define data for filtering
  • Identify types of filtering rules, including:
      ◦ Berkeley Packet Filters
      ◦ Network Rules
Module 6: Troubleshoot Investigation Queries
  • Define the ways to query a data set
  • Identify best practices when querying
  • Illustrate an example of an effective query



Exercise 1: Where to Start?
  • Searching for misplaced content
  • Packet parsers and log decoders
  • Basic correlation rules
  • Mixed application rules
Exercise 2: Content Cleanup
  • Saving custom content
  • Deleting deployed content
  • Deploying standard installation content
  • Creating new customer content
  • Removing outdated content
  • Clearing subscriptions
Exercise 3: System Review
  • Reviewing needed parsers & feeds
  • Cleaning up application rules
  • Adding truncation rules as needed
  • Final system check