000034434 - How to find the sessions.behind value from the command line on an RSA Security Analytics concentrator

Document created by RSA Customer Support Employee on Dec 28, 2016. Last modified by RSA Customer Support on Apr 12, 2019.
Version 3

Article Content

Article Number: 000034434

Applies To:
RSA Product Set: Security Analytics, NetWitness Logs and Network
RSA Product/Service Type: Concentrator
RSA Version/Condition: 10.5.x, 10.6.x, 11.X
Platform: CentOS
O/S Version: EL6, EL7

Tasks:
This article is intended to help users to find the sessions.behind value on a concentrator using the command line instead of the RSA Security Analytics UI.
  1. Connect to the concentrator appliance via SSH as the root user.
  2. Use the command below to find the sessions.behind value using the concentrator service account credentials. Note: If the concentrator aggregates from more than one device, you will see a line for each device.

    [root@concentrator ~]# NwConsole -c login localhost:50005 <username> <password> -c cd concentrator/devices -c ls depth=10 | grep sessions.behind

The steps below provide the same output without requiring the password to be entered in plain text on the command line.
  1. Connect to the concentrator appliance via SSH as the root user.
  2. Enter the NwConsole interface.

    [root@concentrator ~]# NwConsole

  3. Log in using the service account credentials (default: admin).

    > login localhost:50005 admin

  4. Provide the password for the service account.

    Password: **********
    Successfully logged in as session 84272

  5. Navigate to the devices directory.

    [localhost:50005] /> cd concentrator/devices

  6. List the device information, which will include the sessions.behind value.

    [localhost:50005] /concentrator/devices> ls depth=10