CLI: Access NwConsole and Help

Document created by RSA Information Design and Development Employee on Sep 18, 2017Last modified by RSA Product Team on Sep 8, 2020
Version 12Show Document
  • View in full screen mode

RSA NetWitness Console, also known as NwConsole, is a multi-platform terminal application that provides powerful tools and command line access to Core services, such as Decoder, Log Decoder, Concentrator, Broker, and Archiver. While most users complete their tasks and investigations through the NetWitness Platform user interface, some advanced users, such as administrators and developers, require direct access to the services without going through the user interface. NwConsole enables you to enter commands from the command line or run multiple commands from a file. 

This topic describes how to access NwConsole and view the internal help within NwConsole.

Extensive help information is available within the NetWitness Platform console, also known as NwConsole. You can access this help from the NetWitness Platform command line.

Prerequisites

All NetWitness Platform appliances have the NwConsole application installed. You can also install it on Windows, Mac, and CentOS to connect and interact with a Core service.

NwConsole is available from the command line on a NetWitness Platform appliance. If you are accessing a Core appliance remotely, you need to have the RSA NetWitness Console application installed on a Windows, Mac, or CentOS machine. To obtain the NetWitness Console application installer, contact RSA Customer Care.

Access NwConsole

To run NwConsole from the command line on a NetWitness Platform appliance or on a terminal emulator, at the <$> prompt, type NwConsole (Linux) or nwconsole (Windows). The actual command is NwConsole, but Windows is not case sensitive. RSA NetWitness Console is displayed as shown in the following example.

Last login: Thu Sep 24 14:00:42 on console
usxx<username>m1:~ <username>$ NwConsole
RSA NetWitness Platform Console 11.5.0.0.6105
Copyright 2001-2020, RSA Security Inc. All Rights Reserved.

Type "help" for a list of commands or "man" for a list of manual pages.
>

View Help

NwConsole provides help on individual commands as well as help on specific topics.

Caution: To get the latest information, view the command and help topics within NwConsole. 

View a List of Commands

To view a list of available commands and their descriptions, at the (>) prompt, type help. The following example shows a list of available commands.

> help 
Local commands:
   avro2nwd      - Convert AVRO files to NWD files
   avrodump      - Display schema and contents of AVRO file (for debugging)
   blockspeed    - Tests various write block sizes to determine best setting
    compileflex   - Compile all flex parsers in a directory
   createflex    - Create a flex parser that matches tokens read from a file
   dbcheck       - Perform a database integrity check over one or more session, meta, packet, log or stat db files
   diskspeed     - Measures the speed of the disk(s) mounted at a specified directory
   echo          - Echos the passed in text to the terminal
   encryptparser - Encrypt all parsers in a directory
   feed          - Create and work with feed files
   fmanip        - Manipulate a file with XOR and check for embedded PEs
   hash          - Creates or verifies hashes of database files
   help          - Provides help information for recognized console commands
   history       - Displays, erases or executes a command in the command history
   httpAggStats  - Tests HTTP aggregation and reports statistics as it continues
   log           - Perform operations on a log database
   logParse      - Parse line delimited logs on stdin and post results to stdout
   logfake       - Create a fake log pcap file
   lua           - Execute a lua script
   makec3        - Generate C3 Test Data
   makepcap      - Convert packet database files to pcap or log files
   man           - Displays a list of topics or opens a specific manual page on a topic
   metaspeed     - Tests read performance over an existing meta db
   netbytes      - Display statistics on network interface utilization
   nwdstrip      - Convert full NWD file into just session and meta file
   pause         - Wait for user input when running a script file
   reindex       - reindex a collection
   sdk           - Execute SDK commands based on the C SDK library, type "sdk help" for more information
   sleep         - Sleeps for the specified milliseconds
   timeout       - Globally change the timeout for waiting for a response from a service
    tlogin        - Open a trusted SSL connection to an existing service
   topQuery      - Returns the top N longest running queries from the audit log (either a file or from the log API)
   vslice        - Validate index slices

Remote commands (executed on the connected service, see "login"):
   login          - Connect to a remote service. Once connected, type help to see commands available for remote execution.

For detailed help, type "help <command>"
>

View Detailed Help on a Command

To view detailed information about a command, type help <command>. The following example shows help for the logParse command after typing help logParse.

For detailed help, type "help <command>"
> help logParse
Usage: logParse {in=<pathname>} {indir=<pathname>} [out=<pathname>]
                  [content=<c2|c3>] [device=<device,[device...]>]
                  [path=<log-parsers-config-path>] [metaonly] [srcaddr=<src address>] [srcaddrfile=<filename,IP Address>]
Parse line delimited logs on stdin and post results to stdout
    in            - The input source file. "in=stdin" means interactive typing of log.
   indir         - The input source files parent directory
   out           - The output file or output file parent directory if input is set by indir. If not specified, use stdout as output.
   content       - Content version, either c2 or c3. Default is c2.
   device        - Comma delimited device list specifying devices that is enabled. Default enables all devices.
   path          - The logparsers configuration path. Default will find configuration file like logdecoder.
   metaonly      - The output will only contains parsed meta, otherwise will print log message after metas.
   srcaddr       - The source address of the all the logs
   srcaddrfile   - The source address for logs in one input file, in the format filename,ipaddress
>

View a List of Help Topics

To view a list of help topics, type man. The following example shows a list of help topics.

> man
List of topics:

   Introduction
   Connecting to a Service
   Monitoring Stats
   Feeds
   Converting Packet DB Files to PCAP
   Packets
   Verifying Database Hashes
   SDK Content
   SDK Content Examples
   Troubleshooting

Type "man <topic>" for help on a specific topic, partial matches are acceptable
>

View a Specific Help Topic

To view help about a specific topic, type man <topic>. The following example shows the Packets help topic after typing man Packets.

 Type "man <topic>" for help on a specific topic, partial matches are acceptable > man Packets
                              Packets
                              =======

The *packets* command can be used to generate a pcap or log file based on a
list of Session IDs, a time period or a where clause. The command is quite
flexible and can be used on any running service that has access to the raw
data from a downstream component. Before running the command, you must first
*login* to a service and then change directory to the appropriate sdk node,
(e.g., "cd /sdk"). Unlike the *makepcap* command, which only works on the
local file system, this command is meant to be used on a remote service.

   login ...
   cd /sdk
   packets where="service=80 && time='2018-03-01 15:00:00'-'2018-03-01
   15:10:00'" pathname="/tmp/march-1.pcap"
Write 10 minutes of HTTP only packets from March 1st, to the file
/tmp/march-1.pcap. All times are in UTC.

   packets time1="2018-04-01 12:30:00" time2="2018-04-01 12:35:00"
   pathname=/media/sdd1/packets.pcap.gz
Write all packets between the two times to a gzip compressed file at
/media/sdd1/packets.pcap.gz

   packets time1="2018-04-01 12:30:00" time2="2018-04-01 12:35:00"
   pathname=/media/sdd1/mylogs.log
Write all logs between the two times to a plaintext file at
/media/sdd1/mylogs.log. Any pathname ending with .log indicates that the
format of the output file should be plaintext line-delimited logs.
>

Caution: To get the latest information, view the command and help topics within NwConsole. 

Quit NwConsole

To exit the NwConsole application, type quit at the command line.

 

You are here

Table of Contents > Access NwConsole and Help

Attachments

    Outcomes