000034621 - How to extract a specific device type logs using NwConsole SDK command line in RSA NetWitness 10.5.0 and higher

Document created by RSA Customer Support Employee on Jan 10, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034621
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics LogConcentrator
RSA Version/Condition: 10.5.0 and higher
Platform: CentOS
 
Issue: Security Analytics imposes a hard-coded limit of <100,000 events in the SA GUI, which may cover only the last couple of hours depending on the volume of event-source parsed logs stored within the NetWitness platform.
This article provides a workaround for extracting logs over a larger time frame and for specific device types or event sources.
Resolution: All of the commands below need to be run on the LogConcentrator via an SSH session.
If you have "SSL trustmode" enabled on the LogConcentrator service, issue the following commands:

#NwConsole
> login localhost:56005:ssl admin "password"
> sdk output /tmp
> sdk open nws://admin:"password"@localhost:56005
> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" fileExt=.log append="devicetypename.log"


If you do not have "SSL trustmode" enabled on the LogConcentrator service, issue the following commands:

#NwConsole
> login localhost:50005 admin "password"
> sdk output /tmp
> sdk open nw://admin:"password"@localhost:50005
> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" fileExt=.log append="devicetypename.log"

The variables in the above commands are as follows:
1- The service password "password".
2- The output directory for the extracted logs, "/tmp". Choose the directory with the largest free space so that the extracted log file does not affect the storage and operation of the LogConcentrator/Hybrid appliance.
3- The time frame and the value of the "device.type" meta key, for example time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa'. Change these to the time frame and device.type whose logs you want to extract.
4- The filename of the extracted log file, "devicetypename.log". Change it to match your own naming convention.
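As an added example that is not part of the RSA article, the following POSIX shell script assembles the NwConsole command sequence from the variables listed above (host, port, SSL or plain login, credentials, output directory, time frame, device.type and filename) and, because the article advises choosing the directory with the most free space, checks the output directory's available space before emitting the commands. It assumes the generated lines are then pasted into the NwConsole prompt or supplied as NwConsole's script input (verify the script option on your appliance); the password and the 1 GiB threshold are constructed values.

```shell
#!/bin/sh
# Added example, not code from the RSA article. Builds the NwConsole command
# sequence for extracting one device type's logs over a chosen time frame and
# checks that the output directory has enough free space first.
# Assumption: the generated lines are pasted into the NwConsole prompt or
# supplied as NwConsole's script input; verify the script option on your appliance.

# free_space_kb DIR: print the available kilobytes on the filesystem holding DIR
free_space_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# require_free_space DIR MIN_KB: succeed only if DIR has at least MIN_KB available
require_free_space() {
    avail=$(free_space_kb "$1")
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# build_commands HOST PORT SSL(1|0) USER PASSWORD OUTDIR START END DEVICE_TYPE FILENAME
# Prints the four NwConsole commands from the article (login, sdk output,
# sdk open, sdk content). SSL=1 selects the "SSL trustmode" variant
# (port 56005, nws://), SSL=0 the plain variant (port 50005, nw://).
build_commands() {
    host=$1; port=$2; ssl=$3; user=$4; pass=$5; outdir=$6
    start=$7; end=$8; devtype=$9; fname=${10}
    if [ "$ssl" -eq 1 ]; then
        login="login ${host}:${port}:ssl ${user} \"${pass}\""
        url="nws://${user}:\"${pass}\"@${host}:${port}"
    else
        login="login ${host}:${port} ${user} \"${pass}\""
        url="nw://${user}:\"${pass}\"@${host}:${port}"
    fi
    # The where clause restricts the query to the time range and a single
    # device.type, exactly as in the article's examples.
    where="(time='${start}'-'${end}' && device.type = '${devtype}')"
    printf '%s\n' \
        "$login" \
        "sdk output ${outdir}" \
        "sdk open ${url}" \
        "sdk content sessions=1-now render=logs dir=\"${outdir}\" where=\"${where}\" fileExt=.log append=\"${fname}\""
}

# Demonstration with constructed values: emit the commands only if /tmp has at
# least 1 GiB free (1048576 KB is an example threshold; size it to the extract).
OUTDIR=/tmp
if require_free_space "$OUTDIR" 1048576; then
    build_commands localhost 56005 1 admin 'password' "$OUTDIR" \
        '2016-12-30 00:00:00' '2016-12-30 22:00:00' ciscoasa ciscoasa.log
else
    echo "Not enough free space in $OUTDIR for the extraction; choose another directory" >&2
fi
```

Redirect the script's output into a file and feed it to NwConsole, or paste the lines one at a time at the prompt. The service password appears in clear text in the login line and the nw:// URL, just as in the article's commands, so delete the generated file once the extraction has run.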
A successful run of the "sdk content" command will be as follows:

[localhost:56005] /> sdk content sessions=1-now render=logs dir="/tmp" where="(time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" fileExt=.log append=ciscoasa.log
15:22:46: Sessions 1 to 296827 have meta range 1 to 6860568
15:22:46: Submitting query for sessions: query="select sessionid where (time='2016-12-30 00:00:00'-'2016-12-30 22:00:00' && device.type = 'ciscoasa')" id1=1 id2=6860568
15:22:46: Query is now executing on service
15:22:49: Submitting request to stream logs for 5754 sessions
15:22:50: 4154 logs written, 100% complete
15:22:50: Packets has finished, the last session extracted was 296827
15:22:50: Command finished in 3 seconds
