Applies To
- RSA Product Set: Security Analytics
- RSA Product/Service Type: SA Security Analytics LogConcentrator
- RSA Version/Condition: 10.5.0 and higher
Issue
- Security Analytics imposes a hard-coded limit of fewer than 100,000 in the SA GUI, which may cover only the last couple of hours depending on the volume of event-source parsed logs stored within the NetWitness platform.
- This article provides a workaround for extracting logs over a larger time frame and for specific device types or event sources.
Resolution
All of the commands below must be run on the LogConcentrator via an SSH session.
If you have "SSL trustmode" enabled on the LogConcentrator service, issue the following commands:
If you do not have "SSL trustmode" enabled on the LogConcentrator service, issue the following commands:
The variables in the above commands are as follows:
1- The service password, "password".
2- The output directory for the extracted logs, "/tmp". Use the directory with the most free space so that the extracted log file fits without affecting the overall storage and operation of the LogConcentrator/Hybrid appliance.
3- The time frame and the value of the "device.type" meta key, for example: time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa'. Change these to the time frame and device.type whose logs you want to extract.
4- The filename of the extracted log file, "devicetypename.log". Change it to match your own naming convention.
A successful run of the "sdk content" command looks as follows:
[localhost:56005] /> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && devic
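The following added example (not from the RSA article or from NwConsole itself) composes the "sdk content" line above from the four variables listed earlier, rejects malformed timestamps or device.type values so they cannot break the where clause quoting, and refuses to proceed when the output directory lacks free space, as item 2 warns. It assumes a 1 GiB free-space threshold and that the output file is passed as a "filename=" parameter; both are assumptions, since the article's command line is truncated before that point.

```bash
#!/usr/bin/env bash
# Added example, not from the RSA article: builds the NwConsole "sdk content" line
# with the where-clause from the article's variables and checks output-directory
# free space first. Assumption: the "filename=" parameter name is inferred from
# item 4 and is not visible on the article's truncated command line.

# Accept only the 'YYYY-MM-DD HH:MM:SS' timestamp form used in the article.
valid_ts() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build: time='START'-'END' && device.type = 'TYPE'
# device.type is restricted to [a-z0-9_] so it cannot escape the single quotes.
build_where() {
  local start="$1" end="$2" devtype="$3"
  valid_ts "$start" && valid_ts "$end" || { echo "bad timestamp" >&2; return 1; }
  [ -n "$devtype" ] || { echo "empty device.type" >&2; return 1; }
  case "$devtype" in *[!a-z0-9_]*) echo "bad device.type" >&2; return 1 ;; esac
  printf "time='%s'-'%s' && device.type = '%s'" "$start" "$end" "$devtype"
}

# Succeed only if DIR has at least MIN_KB kilobytes available (df -Pk is POSIX).
has_free_space() {
  local dir="$1" min_kb="$2" avail
  avail=$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')
  [ -n "$avail" ] && [ "$avail" -ge "$min_kb" ]
}

# Compose the command to paste into NwConsole after logging in to the LogConcentrator.
build_sdk_command() {
  local dir="$1" file="$2" where="$3"
  printf 'sdk content sessions=1-now render=logs dir="%s" filename="%s" where="%s"' \
    "$dir" "$file" "$where"
}

# main OUTDIR DEVICE_TYPE START END  (defaults are the article's own sample values)
main() {
  local dir="${1:-/tmp}" devtype="${2:-ciscoasa}"
  local start="${3:-2016-12-30 00:00:00}" end="${4:-2016-12-30 22:00:00}"
  has_free_space "$dir" 1048576 || { echo "need at least 1 GiB free in $dir" >&2; return 1; }
  local where
  where=$(build_where "$start" "$end" "$devtype") || return 1
  build_sdk_command "$dir" "${devtype}.log" "$where"
  echo
}
```

Source the file and call `main /data ciscoasa '2016-12-30 00:00:00' '2016-12-30 22:00:00'` to print the command; it does not run NwConsole itself.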