Hosts and Services Procedures

Document created by RSA Information Design and Development on Nov 7, 2017. Last modified by RSA Information Design and Development on Nov 7, 2017.
Version 2

Every service requires a host. After you set up a host, you can install services on it and assign services among the hosts in your NetWitness Suite deployment.

                           
High-Level Task    Description
Set Up a Host

Complete the following tasks in the order shown to set up a host.

Step 1. Deploy a host.

Step 2. Install a service on a host.

Step 3. Review SSL ports for trusted connections.

Step 4. Manage access to a service.

Maintain a Host - Basics

The following maintenance tasks are not required and are shown in alphabetical order.

Maintain a Host from the Host Task List Dialog

You use the Host Task List dialog to manage tasks that relate to a host and its communications with the network. Several service and host configuration options are available for Core hosts. 

Maintain a Service

The following procedures describe how to maintain services.

Step 1. Deploy a Host

  1. Deploy a host.
    You can deploy a physical host (RSA Appliance), a virtual host on-premises, a virtual host in AWS, or a virtual host in Azure. See the following guides for instructions on how to deploy hosts.
    • RSA NetWitness® Suite Physical Host Deployment Guide
    • RSA NetWitness® Suite Virtual Host Deployment Guide
    • RSA NetWitness® Suite AWS Deployment Guide
    • RSA NetWitness® Suite Azure Deployment Guide
  2. Go to Administration > Hosts.
    The New Hosts dialog is displayed with the hosts that you deployed.
  3. Select the hosts that you want to enable.
    The Enable menu option becomes active.
  4. Click Enable.
  5. Select the host you enabled.
    The host is displayed in the Hosts view. At this point, you can install a service on the host.

Step 2. Install a Service on a Host

Each service is modeled as a plug-in to enable or disable according to the function of the host.

Prerequisites

Equipment, which can be physical or virtual, must be installed: NetWitness Server, Broker, Concentrator, Decoder, Log Decoder, Archiver, Warehouse, Malware Analysis server, or Event Stream Analysis server.

Procedure

Perform the following steps to add a Service to a Host:

  1. In NetWitness Suite, go to ADMIN > Hosts.
    The Hosts view is displayed.
  2. Select the host on which you want to install the service.
  3. Click the Install icon in the toolbar.
    The Install Services dialog is displayed.
  4. Select a service from the Host Type drop-down list (for example, ESA Primary).
    The Install button becomes active in the Install Services dialog.
  5. Click Install.


Step 3. Review SSL Ports for Trusted Connections

To support trusted connections each core service has two ports, an unencrypted non-SSL port and an encrypted SSL port. Trusted connections require the encrypted SSL port. 

Prerequisite

To establish a trusted connection, each NetWitness Suite Core service must be upgraded to 10.4 or later. Trusted connections are not backwards compatible with NetWitness Suite Core 10.3.x or earlier. 

Encrypted SSL Ports

When you install or upgrade to 10.4 or later, trusted connections are established by default with two settings:

  1. SSL is enabled.
  2. The core service is connected to an encrypted SSL port.

Each NetWitness Suite Core service has two ports:

  • Unencrypted non-SSL port
    Example:  Archiver 50008
  • Encrypted SSL port
    Example:  Archiver 56008

The SSL port is the non-SSL port + 6000.

The following table lists NetWitness Suite services with their respective ports. Each Core service has two ports; the services shown with N/A in the non-SSL column expose only an encrypted port. All port numbers listed are TCP.

                                                                    
Service                  Unencrypted Non-SSL Port   Encrypted SSL Port
Archiver                 50008                      56008
Broker                   50003                      56003
Concentrator             50005                      56005
Context Hub              N/A                        50022
Decoder (Packets)        50004                      56004
Event Stream Analysis    N/A                        50030
Log Collector            50001                      56001
Log Decoder              50002                      56002
Malware Analysis         N/A                        60007
Warehouse Connector      50020                      56020
Workbench                50007                      56007
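The following script is an added example, not part of the RSA documentation. It turns the table above into a check you can run from an administrator workstation: it derives the expected SSL port (non-SSL port + 6000) for each Core service, then probes both ports of a host to confirm that the SSL port actually completes a TLS handshake and to report whether the non-SSL port still answers in clear. The port numbers are the page's; the host name concentrator.example.local in the usage block is a placeholder.

```python
# Added example (not RSA code): review the SSL and non-SSL ports of NetWitness
# Suite services against the table on this page.
import socket
import ssl

# Non-SSL ports of the Core services from the table; the SSL port is always
# the non-SSL port + 6000.
CORE_NON_SSL_PORTS = {
    "Archiver": 50008,
    "Broker": 50003,
    "Concentrator": 50005,
    "Decoder (Packets)": 50004,
    "Log Collector": 50001,
    "Log Decoder": 50002,
    "Warehouse Connector": 50020,
    "Workbench": 50007,
}

# Services that expose only an encrypted port (N/A in the table).
SSL_ONLY_PORTS = {
    "Context Hub": 50022,
    "Event Stream Analysis": 50030,
    "Malware Analysis": 60007,
}

SSL_PORT_OFFSET = 6000


def ssl_port(non_ssl_port):
    """Encrypted port that pairs with a Core service's non-SSL port."""
    return non_ssl_port + SSL_PORT_OFFSET


def expected_ports(service):
    """Return (non_ssl_port, ssl_port); non_ssl_port is None for SSL-only services."""
    if service in CORE_NON_SSL_PORTS:
        plain = CORE_NON_SSL_PORTS[service]
        return plain, ssl_port(plain)
    if service in SSL_ONLY_PORTS:
        return None, SSL_ONLY_PORTS[service]
    raise KeyError(f"unknown service: {service}")


def classify_port(host, port, timeout=3.0):
    """Connect to host:port and report what listens there.

    Returns one of:
      "closed"    - the TCP connection was refused or otherwise failed
      "tls"       - the listener completed a TLS handshake
      "plaintext" - the listener answered the ClientHello with non-TLS data
      "timeout"   - connected, but no TLS response before the timeout
    Certificate verification is disabled on purpose: this fingerprints the
    listener, it does not establish trust in it.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # closes raw on failure
        tls.close()
        return "tls"
    except ssl.SSLError:
        return "plaintext"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "closed"


def review_service(host, service, timeout=3.0):
    """Probe both ports of a service and flag anything unexpected.

    With trusted connections in place the SSL port must answer TLS.  An open
    non-SSL port is reported so the reviewer can decide whether it is needed.
    """
    plain, secure = expected_ports(service)
    findings = {"service": service, "host": host}
    findings["ssl_port"] = (secure, classify_port(host, secure, timeout))
    if plain is not None:
        findings["non_ssl_port"] = (plain, classify_port(host, plain, timeout))
    findings["ok"] = findings["ssl_port"][1] == "tls"
    return findings


if __name__ == "__main__":
    # Placeholder host name; replace with a host in your deployment.
    for name in ("Concentrator", "Context Hub"):
        print(review_service("concentrator.example.local", name))
```

classify_port disables certificate verification because the question it answers is whether the listener speaks TLS at all, not whether its certificate is trusted; do not reuse that context for a real client connection. Services shown as N/A in the table are probed only on their encrypted port.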

Step 4. Manage Access to a Service

In a trusted connection, a service explicitly trusts the NW Server to manage and authenticate users. With this trust, services in ADMIN > Services no longer require credentials to be defined for every NetWitness Suite Core service. Instead, users who have been authenticated by the server can access the service without entering another password.

Test a Trusted Connection

PREREQUISITES

  1. A role must be assigned to the user.
    For details, see Add a User and Assign a Role topic in the System Security and User Management Guide.
  2. The user must:
    • Log on to NetWitness Suite to be authenticated by the server
    • Have access to the service

PROCEDURE

  1. In NetWitness Suite, go to ADMIN > Services.
    The Services view is displayed.

  2. Select the service (for example, a Concentrator) to test and click the Edit icon.
    The Edit Service dialog is displayed.
  3. If you did a fresh 11.0.0.0 install, the port is correct. No action is required in the Port field. Go to the next step.
    If you upgraded to 11.0.0.0 or have a mixed environment of an 11.0.0.0 server and 10.3 hosts, you must update the Port by deselecting and re-selecting SSL. The Port number then changes to the encrypted SSL port for the service.
  4. Remove the Username to test the connection without credentials.
  5. Click Test Connection.
    The message Test connection successful confirms that the trusted connection is established.
    The previously authenticated user can access the service without typing a username and password on the service.
  6. Click Save.

Apply Version Updates to a Host

There are two methods you can use to apply version updates to a host.

Apply Updates from the Hosts View (Web Access)

The Hosts view displays the software version updates available in your Local Update Repository, and you choose and apply the updates you want from the Hosts view.

This procedure tells you how to update a host to a new version of NetWitness Suite. 

Note: When you update the NetWitness Server host (also referred to as the NW Server host), NetWitness Suite backs up the System Management Service (SMS) configuration files (excluding the wrapper.conf file) from the /opt/rsa/sms/conf directory to the /opt/rsa/sms/conf_%timestamp% directory. This is a precautionary measure for the rare occasion when you may need to restore the SMS configuration from backup. To do this, replace the files in the /opt/rsa/sms/conf directory with the files backed up to the /opt/rsa/sms/conf_%timestamp% directory after the update.

  1. Log in to NetWitness Suite.
  2. Make sure that the Local Update Repository is populated.
    See Populate Local Update Repository for instructions.
  3. Go to ADMIN > Hosts.
  4. (Conditional) Check for the latest updates.
  5. Select a host or hosts.
    You must update the NW Server to the latest version first. You can update the other hosts in any sequence you prefer, but RSA recommends that you follow the guidelines in Running in Mixed Mode.
    Update Available is displayed in the Status column if you have a version update in your Local Update Repository for the selected hosts.
  6. Select the version you want to apply from the Update Version column.
    If you:
    • Want to update more than one host to that version, select the checkbox to the left of the hosts. Only currently supported update versions are listed.
    • Want to view a dialog with the major features in the update and information on the updates, click the information icon to the right of the update version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available updates. If an update is available, the message "New updates are available" is displayed and the Status column updates automatically to show Update Available. By default, only supported updates for the selected host are displayed.
  7. Click Update > Update Host from the toolbar.
    A dialog is displayed with information on the selected update. Click Begin Update.
    The Status column tells you what is happening in each of the following stages of the update:
    • Stage 1 - Downloading update packages - downloads the repository artifacts applicable to the services on the host you chose.
    • Stage 2 - Configuring update packages - configures the update files into the correct format.
    • Stage 3 - Update in progress - updates the host to the new version.
    See Troubleshooting Version Updates if you encounter an error when updating a host to a new version.
    After the host is updated, NetWitness Suite prompts you to Reboot Host.
  8. Click Reboot Host from the toolbar.
    NetWitness Suite shows the status as Rebooting... until the host comes back online. After the host comes back online, the Status shows Up-to-Date. Contact Customer Care if the host does not come back online.

Note: If you have DISA STIG enabled, opening Core Services can take approximately 5 to 10 minutes. This delay is caused by the generation of new certificates.

Apply Updates from the Command Line (No Web Access)

If your RSA NetWitness Suite deployment does not have Web access, complete the following procedure to apply a version update.

Note: In the following procedure, 11.0.1.0 is used as the example version in the command strings; substitute the 11.0 version you are applying.

  1. Download the .zip update package for the version you want (for example, netwitness-11.0.1.0.zip) from RSA Link to a local directory.

    Note: On the command line, if there are multiple updates available for a host and you want to skip an earlier update, you must download the interim updates too. For example, the host is running 11.0.0.1 and the 11.0.0.2 and 11.0.0.3 updates are available for that host. If you want to update directly to 11.0.0.3, you must:
    1. Download both 11.0.0.2 and 11.0.0.3.
    2. Initialize to 11.0.0.3.
    3. Apply the 11.0.0.3 update to the host.
    You do not need to apply the 11.0.0.2 update if you set up 11.0.0.2 and 11.0.0.3 in the staging directory before you run the initialization.

  2. Transfer the .zip update package file to a local directory on the NW Server host.

  3. SSH to the NW Server host.
  4. Make a /tmp/upgrade/<version> staging directory for the version you want (for example, /tmp/upgrade/11.0.1.0).
    mkdir -p /tmp/upgrade/11.0.1.0
  5. Change to the staging directory.
    cd /tmp/upgrade/11.0.1.0

  6. Unzip the package directly from the local directory into the staging directory.
    unzip <local directory>/netwitness-11.0.1.0.zip

    Note: If you copied the .zip file into the staging directory before unzipping it, delete that copy of the .zip file from the staging directory after you extract it.

  7. Initialize the update on the NW Server.
    upgrade-cli-client --init --version 11.0.1.0 --stage-dir /tmp/upgrade/
  8. Apply the update to the NW Server.
    upgrade-cli-client --upgrade --host-addr <NW Server IP address> --version 11.0.1.0
  9. Restart the NW Server.
  10. Apply the update to each non-NW Server host.
    upgrade-cli-client --upgrade --host-addr <non-NW Server IP address> --version 11.0.1.0
    The update is complete when polling finishes.
  11. Restart the host.
    You can verify the version applied to the host with the following command:
    upgrade-cli-client --list

 

Populate Local Update Repository

The following diagram illustrates how you obtain version updates if your NetWitness Suite deployment has Web access. See Apply Updates from the Command Line if your NetWitness Suite deployment does not have Web access.

Note: When you make the initial connection with the Live Update Repository, you will be accessing all the CentOS 7 system packages and the RSA Production packages. This download of over 2.5GB of data will take an indeterminate amount of time depending on your Security Analytics Server’s Internet connection and the traffic of the RSA Repository. It is NOT mandatory to use the Live Update Repository.

To connect to the Live Update Repository, navigate to the ADMIN > SYSTEM view, select Live in the options panel, and ensure that credentials are configured (the Connection light should be green). If it is not green, click Sign In and connect.

Note: If you need to use proxy to reach out to the Live Update Repository, you can configure the Proxy Host, Proxy Username, and Proxy Password. Refer to Configure Proxy for NetWitness Suite in the NetWitness Suite System Configuration Guide in the help on RSA Link (https://community.rsa.com/).

 

Set Up an External Repository with RSA and OS Updates

Complete the following procedure to set up an external repository (Repo).

  1. Log in to the web server host.
  2. Create the ziprepo directory to host the NW repository (netwitness-11.0.0.0.zip) under the web root of the web server. For example, if /var/netwitness is the web root, run the following command.
    mkdir /var/netwitness/ziprepo
  3. Create the 11.0.0.0 directory under /var/netwitness/ziprepo.
    mkdir /var/netwitness/ziprepo/11.0.0.0
  4. Create the OS and RSA directories under /var/netwitness/ziprepo/11.0.0.0.
    mkdir /var/netwitness/ziprepo/11.0.0.0/OS
    mkdir /var/netwitness/ziprepo/11.0.0.0/RSA
  5. Unzip the netwitness-11.0.0.0.zip file into the /var/netwitness/ziprepo/11.0.0.0 directory.
    unzip netwitness-11.0.0.0.zip -d /var/netwitness/ziprepo/11.0.0.0
    Unzipping netwitness-11.0.0.0.zip results in two zip files (OS-11.0.0.0.zip and RSA-11.0.0.0.zip) and some other files.
  6. Unzip the:
    1. OS-11.0.0.0.zip into the /var/netwitness/ziprepo/11.0.0.0/OS directory.
      unzip /var/netwitness/ziprepo/11.0.0.0/OS-11.0.0.0.zip -d /var/netwitness/ziprepo/11.0.0.0/OS
      The following example illustrates how the Operating System (OS) file structure will appear after you unzip the file.
    2. RSA-11.0.0.0.zip into the /var/netwitness/ziprepo/11.0.0.0/RSA directory.
      unzip /var/netwitness/ziprepo/11.0.0.0/RSA-11.0.0.0.zip -d /var/netwitness/ziprepo/11.0.0.0/RSA
      The following example illustrates how the RSA version update file structure will appear after you unzip the file.
    The external URL for the repo is http://<web server IP address>/ziprepo.
  7. When the NW 11.0 Setup program (nwsetup-tui) prompts you to Enter the base URL of the external update repositories, enter http://<web server IP address>/ziprepo.
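The two procedures above, Apply Updates from the Command Line and Set Up an External Repository with RSA and OS Updates, both unpack netwitness-<version>.zip into a fixed directory layout. The script below is an added example, not RSA code, that performs that staging for both: it applies the interim-version rule and the delete-the-copied-zip rule from the command-line procedure, builds the ziprepo/<version>/{OS,RSA} layout for the external repository, and produces the upgrade-cli-client invocations in the order the procedure runs them, without executing anything. The package names and the CLI arguments are from this page; the sample package it unpacks is constructed in make_sample_package so the script runs without a real download, and the IP addresses in demo() are placeholders. Applying the update to the NW Server with the same --upgrade --host-addr form the page shows for other hosts is this example's reading of step 8.

```python
# Added example (not RSA code): stage netwitness-<version>.zip packages for the
# command-line update and build the external repository layout from this page.
# upgrade-cli-client is only planned as argument lists, never executed.
import os
import re
import shutil
import tempfile
import zipfile

PACKAGE_RE = re.compile(r"^netwitness-(\d+\.\d+\.\d+\.\d+)\.zip$")


def extract_zip(zip_path, dest):
    """Extract zip_path into dest, refusing entries that would escape dest."""
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.namelist():
            target = os.path.realpath(os.path.join(dest, member))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing to extract {member!r} outside {dest}")
        zf.extractall(dest)
    return dest


def stage_update(zip_paths, target_version, stage_root="/tmp/upgrade"):
    """Unpack each package into <stage_root>/<version>/ and return {version: dir}.

    Interim packages are staged together with the target (the page's 11.0.0.2
    -> 11.0.0.3 caveat).  A .zip copied into its own staging directory is
    deleted after extraction, as the procedure's note requires.
    """
    staged = {}
    for zip_path in zip_paths:
        match = PACKAGE_RE.match(os.path.basename(zip_path))
        if not match:
            raise ValueError(f"unexpected package name: {zip_path}")
        version = match.group(1)
        stage_dir = extract_zip(zip_path, os.path.join(stage_root, version))
        if os.path.dirname(os.path.realpath(zip_path)) == stage_dir:
            os.remove(zip_path)
        staged[version] = stage_dir
    if target_version not in staged:
        raise ValueError(f"{target_version} was not among the staged packages")
    return staged


def upgrade_commands(target_version, stage_root, nw_server_addr, other_hosts):
    """upgrade-cli-client invocations in procedure order: init on the NW Server,
    upgrade the NW Server, then upgrade each non-NW Server host."""
    cli = "upgrade-cli-client"
    cmds = [[cli, "--init", "--version", target_version,
             "--stage-dir", stage_root.rstrip("/") + "/"]]
    for addr in [nw_server_addr, *other_hosts]:
        cmds.append([cli, "--upgrade", "--host-addr", addr, "--version", target_version])
    return cmds


def build_external_repo(package_zip, version, web_root, web_server_addr):
    """Create <web_root>/ziprepo/<version>/{OS,RSA} and return the repo base URL."""
    repo = os.path.join(web_root, "ziprepo", version)
    extract_zip(package_zip, repo)
    for part in ("OS", "RSA"):
        inner = os.path.join(repo, f"{part}-{version}.zip")
        if not os.path.isfile(inner):
            raise FileNotFoundError(f"{inner} is missing from {package_zip}")
        extract_zip(inner, os.path.join(repo, part))
    return f"http://{web_server_addr}/ziprepo"


def make_sample_package(directory, version):
    """Constructed stand-in for netwitness-<version>.zip with dummy payloads."""
    os.makedirs(directory, exist_ok=True)
    pkg = os.path.join(directory, f"netwitness-{version}.zip")
    with zipfile.ZipFile(pkg, "w") as outer:
        for part in ("OS", "RSA"):
            inner = os.path.join(directory, f"{part}-{version}.zip")
            with zipfile.ZipFile(inner, "w") as zf:
                zf.writestr(f"{part.lower()}-sample.rpm", b"placeholder, not an RPM\n")
            outer.write(inner, arcname=os.path.basename(inner))
            os.remove(inner)
    return pkg


def demo():
    """Run both procedures in a scratch directory; IP addresses are placeholders."""
    root = tempfile.mkdtemp(prefix="nw-demo-")
    version = "11.0.1.0"
    pkg = make_sample_package(os.path.join(root, "download"), version)
    stage_root = os.path.join(root, "tmp", "upgrade")
    # Copy the package into its own staging directory to exercise the cleanup rule.
    copied = os.path.join(stage_root, version, os.path.basename(pkg))
    os.makedirs(os.path.dirname(copied), exist_ok=True)
    shutil.copy(pkg, copied)
    staged = stage_update([copied], version, stage_root)
    web_root = os.path.join(root, "var", "netwitness")
    return {
        "staged": staged,
        "zip_left_in_stage_dir": os.path.exists(copied),
        "commands": upgrade_commands(version, stage_root, "10.0.0.10", ["10.0.0.11"]),
        "repo_url": build_external_repo(pkg, version, web_root, "10.0.0.5"),
        "repo_layout": sorted(os.listdir(os.path.join(web_root, "ziprepo", version))),
    }
```

extract_zip refuses archive entries whose resolved path lands outside the destination, because the package is input to a privileged host and its contents should not be trusted to be well-formed. The repository URL the page uses is plain http, so keep the web server reachable only from the deployment network.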

Change the Name and Hostname of a Host

The Administration Hosts view enables you to change the Name and Hostname of the host in the NetWitness Suite user interface. For information on adding a host, see Step 1. Deploy a Host.

Edit a Host

  1. In NetWitness Suite, go to ADMIN > Hosts.
  2. In the Hosts view, select a host that you want to edit, and in the toolbar, click the Edit icon.
  3. In the Edit Host dialog, you can update the Name at any time.
  4. If the actual hostname changes, update the Hostname field.  
    Use the changePuppetMaster.py Python script to change the IP Address or hostname of the NetWitness Server Host or any other host in your NetWitness Suite deployment. You run this script from the command line on the NetWitness Server Host. Refer to the Change IP Address or Hostname of a Host topic in System Maintenance for instructions on how to use this script.
  5. Click Save.

Create and Manage Host Groups

The Hosts view provides options for creating and managing groups of hosts. The Groups panel toolbar includes options for creating, editing, and deleting host groups. Once groups are created, you can drag individual hosts from the Hosts panel into a group.

Groups may reflect functional, geographical, project-oriented, or any other organization principle that is useful. A host may belong to more than one group. Here are some examples of possible groupings:

  • Group different host types to make it easier to configure and monitor all Brokers, Decoders, or Concentrators.
  • Group hosts that are part of the same data flow; for example, a Broker, and all associated Concentrators and Decoders.
  • Group hosts according to their geographic region and location within the region. If a major power outage occurs in a location, potentially affected hosts are easily identifiable.

Create a Group

  1. Select ADMIN > Hosts.
    The Hosts view is displayed.
  2. In the Groups panel toolbar, click the Add icon.
    A field for the new group opens with a blinking cursor.
  3. Type the name of the new group in the field (for example, A New Group) and press Enter.
    The group is created as a folder in the tree. The number next to the group indicates the number of hosts in that group.

Change the Name of a Group

  1. In the Hosts view Groups panel, double-click the group name, or select the group and click the Edit icon.
    The name field opens with a blinking cursor.
  2. Type the new name of the group and press Enter.
    The name field closes and the new group name is displayed in the tree.

Add a Host to a Group

In the Hosts view Hosts panel, select a host and drag the host to a group folder in the Groups panel.
The host is added to the group.

View the Hosts in a Group

To view the hosts in a group, click the group in the Groups panel.
The Hosts panel lists the hosts in that group.


Remove a Host from a Group 

  1. In the Hosts view Groups panel, select the group that contains the host that you want to remove. The hosts in that group appear in the Hosts panel.
  2. In the Hosts panel, select one or more hosts that you want to remove from the group, and in the toolbar, select the Delete icon > Remove from Group.
    The selected hosts are removed from the group, but are not removed from the NetWitness Suite user interface. The number of hosts in the group, which is listed near the group name, decreases by the number of hosts removed from the group. The All group contains the hosts that were removed from the group.
    In the following example, the host group called A New Group does not contain any hosts, since the host in that group was removed.

Delete a Group 

  1. In the Hosts view Groups panel, select the group that you want to delete. 
  2. Click the Delete icon.
    The selected group is removed from the Groups panel. The hosts that were in the group are not removed from the NetWitness Suite user interface. The All group contains the hosts from the deleted group. 

Remove a Host

Removing a host is a host management task that you can complete in the Hosts view. Hosts View provides additional information about the host management features available in the Hosts view.

Remove a Host (Without Re-Purposing It)

Follow this procedure to remove a host that is no longer needed from the NetWitness Suite user interface along with its associated services. If you remove a host, you can no longer view the host and its associated services from within NetWitness Suite.

  1. Select ADMIN > Hosts.
  2. In the Hosts view, select a host that you want to remove, and in the toolbar, select the Delete icon > Remove Host.
    A warning dialog is displayed.
  3. To remove the host, click Yes.
    The selected host and its associated services are removed and you can no longer view them from within NetWitness Suite.

Remove a Host and Repurpose

Follow this procedure when you want to completely rebuild a host. This option is available only on the primary NetWitness Server.

  1. Select ADMIN > Hosts.
  2. In the Hosts view, select a host that you want to remove and repurpose, and in the toolbar, select the Delete icon > Remove and Repurpose Host.
    A warning dialog is displayed.
  3. To remove and re-purpose the host, click Yes.

Search for Hosts

You can search for hosts in the list of hosts in the Hosts view, which lets you quickly filter the list by Name and Hostname. It is possible to have numerous NetWitness Suite hosts in use for various purposes. Instead of scrolling through the host list, you can quickly filter it to locate the hosts that you want to administer.

In the Services view, you can search for a service and quickly find the host that runs that service.

Search for a Host

  1. Select ADMIN > Hosts.
  2. In the Hosts panel toolbar, type a host Name or Hostname in the Filter field.
    The Hosts panel lists the hosts that match the text entered in the Filter field.

Find the Host that Runs a Service

  1. Select ADMIN > Services.
  2. In the Services view, select a service. The associated host is listed in the Host column for that service.
  3. To administer the host in the Hosts view, click the link in the Host column for that service. The host associated with the selected service is displayed in the Hosts view.

Execute a Task From the Host Task List

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.

    Note: The Admin, Config, Orchestration, Security, Investigate, and Respond services do not have access to the System view. They only have access to the Explore view.
    The System view for the service is displayed.

  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, click in the Task field to display a drop-down list of tasks that run on a host.
  5. Select a task; for example, click Stop Service.
    The task is displayed in the Task field, and the task description, example arguments, security roles, and parameters are displayed in the Info area.
  6. Type arguments if necessary and click Run.
    The command executes and the result is displayed in the Output section.

Add and Delete a Filesystem Monitor

When you want a service to monitor traffic on a specific file system, you can select the service and then specify the path. Security Analytics adds a filesystem monitor. Once a file system monitor is added to a service, the service continues to monitor traffic on that path until the file system monitor is deleted.

Configure the Filesystem Monitor

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Add Filesystem Monitor.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. To identify the file system to monitor, type the path in the Arguments field. For example:
    path=/var/netwitness/decoder/packetdb
  6. Click Run.
    The result is displayed in the Output area. The service begins to monitor the file system and continues to monitor it until you delete the filesystem monitor.

Delete a Filesystem Monitor

  1. Navigate to the Host Task List dialog.
  2. In the Host Task List, select Delete Filesystem Monitor.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  3. To identify the filesystem to stop monitoring, type the path in the Arguments field. For example:
    path=/var/netwitness/decoder/packetdb
  4. Click Run.
    The result is displayed in the Output area. The service stops monitoring the file system.

Reboot a Host

Under certain conditions it is necessary to reboot a host; for example, after installing a software upgrade. This procedure uses a Host Task List message to shut down and restart a host. 

Security Analytics also offers other options for shutting down a host:

  • To shut down and restart a host through an attached service, go to the Hosts view from a service in the Services view (see Search for Hosts) and then follow the Shut Down and Restart a Host from the Hosts View procedure below.
  • To shut down the physical host without restarting, see Shut Down Host.

Shut Down and Restart a Host from the Hosts View

  1. Select ADMIN > Hosts.
  2. In the Hosts panel, select a host.
  3. Select The Reboot Host icon from the toolbar.

Shut Down and Restart a Host from the Host Task List

  1. Select ADMIN > Services.
  2. In the Services panel, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Reboot Host in the Task field.
    No arguments are required.
  5. Click Run.
    The host is rebooted and the result is displayed in the Output area.

Set Host Built-In Clock

After a shutdown or battery failure, it may be necessary to set the local clock on a host. The Set Host Built-In Clock task resets the clock time.

Set the Time on the Local Clock

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Host Built-In Clock. Help for the task is displayed in the Info area.
  5. Enter the date and time arguments in the Arguments field; for example, to specify October 31, 2017 at 11:59:59 PM, type:
    set=20171031T235959
  6. Click Run.
    The clock is set to the specified time and a message is displayed in the Output area.

Set Network Configuration

When a configured Core host needs its address changed, you can set a new network address, subnet mask, and gateway for the host using the Set Network Configuration message in the Host Task List.

Caution: The change goes into effect immediately, and the host is disconnected from Security Analytics. You must then add the host to Security Analytics again using the new network address.

Specify the Network Address for a Host

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, click Set Network Configuration.
    The task is displayed in the Task field and help is displayed in the Info area.
  5. Enter the arguments in the Arguments field. For example:
    mode=static address=192.168.0.20 netmask=255.255.255.0 gateway=192.168.0.1
  6. Click Run.
    The task executes and the result is displayed in the Output area. The host is disconnected from Security Analytics. You must add the host again with the new address.

Note: If the mode is DHCP, there may be no way to determine the new address. You may have to connect to the host directly to determine the new address.
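Because Set Network Configuration takes effect immediately and disconnects the host, a mistyped gateway or netmask can leave a remote Core host unreachable until someone gets to its console. The validator below is an added example rather than RSA code: it parses the key=value argument string the task expects (mode, address, netmask, gateway, as used on this page) and rejects combinations that cannot work before you click Run. The argument names are the page's; the checks are this example's.

```python
# Added example (not RSA code): sanity-check the argument string for the
# Set Network Configuration host task before running it.  Argument names and
# the key=value syntax are the ones shown on this page; the checks are ours.
import ipaddress

REQUIRED_FOR_STATIC = ("address", "netmask", "gateway")


def parse_task_args(text):
    """Parse a Host Task List argument string into a dict.

    Example: 'mode=static address=192.168.0.20 netmask=255.255.255.0 gateway=192.168.0.1'
    """
    args = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"argument {token!r} is not key=value")
        if key in args:
            raise ValueError(f"argument {key!r} given twice")
        args[key] = value
    return args


def validate_network_config(text):
    """Return (ok, messages) for a Set Network Configuration argument string.

    mode=static: address, netmask and gateway must be present, the netmask
    must be a contiguous mask, the address must not be the network or
    broadcast address, and the gateway must be a different address inside
    the same subnet.  mode=dhcp: accepted, with a warning that the new
    address cannot be predicted and the host must be re-added by hand.
    """
    try:
        args = parse_task_args(text)
    except ValueError as exc:
        return False, [str(exc)]
    mode = args.get("mode")
    if mode == "dhcp":
        return True, ["warning: with mode=dhcp the new address is unknown; "
                      "be ready to reach the host directly to find it"]
    if mode != "static":
        return False, [f"mode must be static or dhcp, got {mode!r}"]
    missing = [k for k in REQUIRED_FOR_STATIC if k not in args]
    if missing:
        return False, [f"missing arguments for mode=static: {', '.join(missing)}"]
    try:
        address = ipaddress.IPv4Address(args["address"])
        gateway = ipaddress.IPv4Address(args["gateway"])
        network = ipaddress.IPv4Network(f"{address}/{args['netmask']}", strict=False)
    except ValueError as exc:
        return False, [f"bad address, netmask or gateway: {exc}"]
    problems = []
    if network.prefixlen < 31 and address in (network.network_address, network.broadcast_address):
        problems.append(f"{address} is the network or broadcast address of {network}")
    if gateway not in network:
        problems.append(f"gateway {gateway} is not inside {network}")
    elif gateway == address:
        problems.append("gateway must differ from the host address")
    return not problems, problems


if __name__ == "__main__":
    for candidate in (
        "mode=static address=192.168.0.20 netmask=255.255.255.0 gateway=192.168.0.1",
        "mode=static address=192.168.0.20 netmask=255.255.255.0 gateway=10.0.0.1",
        "mode=dhcp",
    ):
        print(candidate, "->", validate_network_config(candidate))
```

The validator cannot tell you whether the new address is actually routable from the NetWitness Server; confirm that separately, since after Run the only way to reach a host with a bad address is its console.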

Set Network Time Source

When setting the clock source for a host, set the hostname or address of an NTP server to be the network clock source for the host. If the host is to use its local clock, specify local here so that Set Host Built-In Clock takes effect.

Specify the Network Clock Source

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Network Time Source.
  5. Do one of the following:
    • Type the hostname or address of the NTP server to serve as the clock source for this host; for example: source=tictoc.localdomain
    • If you want to use the host clock as the clock source, type:
      source=local
  6. Click Run.
    The clock source is set and a message is displayed in the Output area.

Note: If you specified an NTP clock source of local, the host clock serves as the clock source and the time is configured using Set Host Built-In Clock.

Set SNMP

Set SNMP in the Host Task List enables or disables the SNMP service on a host. In order for a host to receive SNMP notifications, the SNMP service needs to be enabled. If you are not using SNMP for NetWitness Suite notifications, it is not necessary to enable the service.

Toggle SNMP Service on the Host

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set SNMP.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. Do one of the following:
    • To disable the service, type enable=0 in the Arguments field.
    • To enable the service, type enable=1 in the Arguments field.
  6. Click Run.
    The result is displayed in the Output area.

Set Syslog Forwarding

You can configure Syslog forwarding to forward the operating system logs of your NetWitness Suite Hosts to a remote syslog server. You can use the Set Syslog Forwarding task in the Host Task List to enable or disable syslog forwarding.

Set Up and Start Syslog Forwarding

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Syslog Forwarding.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. In the Arguments field, do one of the following.
    • To enable syslog forwarding, specify any one of the following formats:
      • host=<loghost>.<localdomain> (for example, host=syslogserver.local).
      • host=<loghost>.<localdomain>:<port> (for example, host=syslogserver.local:514).
      • host=<IP> (for example, host=10.31.244.244).
      • host=<IP>:<port> (for example, host=10.31.244.244:514).
        The following table lists the parameters used to enable syslog forwarding and their descriptions.
        Parameter    Description
        loghost      The host name of the remote syslog server.
        localdomain  The domain of the remote syslog server.
        IP           The IP address of the remote syslog server.
        port         The port number on which the remote syslog server receives syslog messages.
    • To disable syslog forwarding, type host=disable.
  6. Click Run.
    The result is displayed in the Output area.

Once syslog forwarding is enabled or disabled, the /etc/rsyslog.conf file is updated automatically to enable or disable syslog forwarding to the remote syslog destination and the syslog service is restarted.

If you enable syslog forwarding, the logs from the configured service are forwarded to the defined syslog server, and forwarding continues until it is disabled.

Note: You can now log in to the remote syslog server and verify that messages are being received from the NetWitness Suite services configured for syslog forwarding.
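An added example (not RSA code) that parses the host= argument forms listed above and shows the kind of forwarding rule the task maintains in /etc/rsyslog.conf. The page does not show the exact line the task writes: the '*.* @@host:port' rule (the standard rsyslog TCP forwarding syntax), the marker comment used to find the managed rule again, and the default port of 514 when none is given are all assumptions of this example. IPv6 targets are outside the formats the page documents and are rejected.

```python
# Added example (not RSA code): parse the host= argument of the Set Syslog
# Forwarding task and maintain the matching forwarding rule in rsyslog.conf.
# The '*.* @@host:port' rule, the marker comment and the default port 514
# are assumptions; the page shows only the argument formats.
import ipaddress
import re

DEFAULT_SYSLOG_PORT = 514   # assumed when the argument carries no :<port>
MARKER = "# NetWitness syslog forwarding (managed by Set Syslog Forwarding)"
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    """RFC 1123 style check: 1-253 chars, dot-separated alphanumeric labels."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def parse_syslog_target(argument):
    """Return None for host=disable, otherwise (host, port).

    Accepts the four enable forms on this page: host=<name>, host=<name>:<port>,
    host=<IP>, host=<IP>:<port>.  IPv6 is not among them and is rejected.
    """
    if not argument.startswith("host="):
        raise ValueError("argument must start with host=")
    value = argument[len("host="):]
    if value == "disable":
        return None
    host, sep, port_text = value.partition(":")
    port = DEFAULT_SYSLOG_PORT
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port {port_text!r}")
        port = int(port_text)
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not valid_hostname(host):
            raise ValueError(f"{host!r} is neither an IPv4 address nor a hostname")
    return host, port


def rsyslog_rule(argument):
    """Forwarding rule for the argument; empty string for host=disable."""
    target = parse_syslog_target(argument)
    if target is None:
        return ""
    host, port = target
    return f"*.* @@{host}:{port}"   # @@ = TCP; a single @ would be UDP


def update_rsyslog_conf(conf_text, argument):
    """Return conf_text with the managed rule replaced (enable) or removed (disable).

    The previous marker line and the rule after it are dropped first, so
    enabling twice leaves one rule and disabling leaves none.
    """
    kept, skip_next = [], False
    for line in conf_text.splitlines():
        if skip_next:
            skip_next = False
            continue
        if line == MARKER:
            skip_next = True
            continue
        kept.append(line)
    rule = rsyslog_rule(argument)
    if rule:
        kept += [MARKER, rule]
    return "\n".join(kept) + "\n"
```

Nothing in the argument formats on this page expresses transport security, so treat the forwarded host logs as travelling in clear unless the receiving syslog server and network are configured otherwise.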

Show Network Port Status

The Show Network Port Status task in the Host Task List gives you the status of all configured ports on the host.

Display the Network Port Status

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click The Actions icon> View> System.
    The System view for the selected service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, click Show Network Port Status.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. To execute the task, click Run.
    The status for each port on the host is displayed in the Output area.
    This is an example of the Host Task List dialog for this procedure.

Show Serial Number

The Show Serial Number task in the Host Task List gives you the serial number of a host.

Show the Serial Number

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click The Actions icon> View> System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Show Serial Number.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. No arguments are required for this task. Click Run.
    The serial number of the selected host is displayed in the Output area.
    This is an example of the Host Task List dialog for this procedure.

Shut Down Host

Under certain circumstances, for example a hardware upgrade or an extended power outage that exceeds backup power capacity, it may be necessary to shut down a physical host. When you shut down a host, all services running on the host are stopped and the physical host turns off.

The physical host does not restart automatically; you must use the power switch to restart it. Once the physical host restarts, the host and its services are configured to start automatically.

To stop and start a host without powering it off, use Reboot a Host instead.

Shut Down the Host

  1. In the Host Task List dialog, select Shut Down Host in the Task field.
    This is an example of the Host Task List dialog for this procedure.
  2. To execute the task, click Run.
    The host shuts down, and the host turns off. 

Stop and Start a Service on a Host

The Host Task List has two options for stopping and starting a service on a host. When you stop a service using the Stop Service message, all processes of the service are stopped and users connecting to the service are disconnected. Unless there is a problem with the service, it restarts automatically. This is the same as the Shutdown Service option in the Services System view.

If a service does not restart automatically after being stopped, you can restart it manually using the Start Service message.

Stop a Service on a Host

  1. Select ADMIN > Services.
  2. In the Services grid, select a service and click The Actions icon> View> System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, click Stop Service.
    The task is displayed in the Task field, and information about the task is displayed in the info area.
  5. Specify the service (decoder, concentrator, broker, logdecoder, logcollector) to stop in the Arguments field; for example,
    service=decoder
    This is an example of the Host Task List dialog for this procedure.
  6. To execute the task, click Run.
    The service stops and the status is displayed in the Output area. All processes of the service are stopped and users connecting to the service are disconnected. Unless there is a problem with the service, it restarts automatically.

Start a Service on a Host

  1. In the Host Task List, select Start Service from the Task drop-down menu.
    The task is displayed in the Task field, and information about the task is displayed in the info area.
  2. Specify the service (decoder, concentrator, broker, logdecoder, logcollector) to start in the Arguments field; for example,
    service=decoder
    This is an example of the Host Task List dialog for this procedure.
  3. To execute the task, click Run.
    The service starts and the status is displayed on the Output area.

Add, Replicate or Delete a Service User

You must add a user to a service for:

  • Aggregation
  • Accessing the service with the:
    • Thick client
    • REST API

Note: This topic does not apply to users who access services through the user interface on NetWitness Server. You must add those users to the system, not a service. For details, see the Set Up a User topic in System Security and User Management.

For each service user, you can:

  • Configure user authentication and query handling properties for the service
  • Make the user a member of a role, which has a set of permissions the user receives
  • Replicate the user account to other services
  • Change the service user password on selected services

Change a Service User Password provides instructions for changing the service user password across services.

Replication and Migration Considerations

When replicating a user from a NetWitness Suite 10.5 or later service to a NetWitness Suite 10.4 service, Query Timeout migrates to Query Level based on the closest level. For example, if a user has a Query Timeout of 15 minutes, the user gets a Query Level of 3 after the migration. If a user has a Query Timeout of 35 minutes, the user gets a Query Level of 2 after the migration. If a user has a Query Timeout of 45 minutes, the user gets a Query Level of 2 after the migration.

When migrating or replicating a user from a NetWitness Suite 10.4 service to a NetWitness Suite 10.5 or later service, Query Level migrates to Query Timeout based on the following definitions:

  • Query Level 1 = 60 minutes
  • Query Level 2 = 40 minutes
  • Query Level 3 = 20 minutes

Procedures

ACCESS THE SECURITY VIEW

Each of the following procedures starts in the Services Security view.

To navigate to the Services Security view:

  1. In NetWitness Suite, go to ADMIN > Services.
  2. Select a service, then click The Actions drop-down menu > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
    This is an example of a Concentrator Security view.

Note: For NetWitness Suite 10.4 and earlier service versions, in the User Settings section, the Query Level field is displayed instead of Core Query timeout.

ADD A SERVICE USER

  1. On the Users tab, click The Add icon.
  2. Type the Username to access the service, then press Enter.
    The User Information section displays the Username and the rest of the fields are available for editing.
  3. Type the password for logging on to the service in the Password and Confirm Password fields.
  4. (Optional) Provide additional information:
    • Name for logging on to NetWitness Suite
    • Email address
    • Description of the user
  5. In the User Settings section, select the following information:
    • Authentication Type
      • If NetWitness Suite authenticates the user, select NetWitness.
      • If Active Directory or PAM is configured on NetWitness Server to authenticate the user, select External.

Note: In 10.4 and later, trusted connections make it unnecessary to configure external user accounts on the service. All external configuration is centralized on NetWitness Server.

    • Core Query Timeout is the maximum number of minutes a user can run a query on the service. This field applies to NetWitness Suite 10.5 and later service versions and does not appear for 10.4 and earlier versions.
  6. (Optional) Specify additional query criteria:
    • Query Prefix filters queries. Type a prefix to restrict the results the user sees.
    • Session Threshold controls how the service scans meta values to determine session counts. Once a meta value's session count exceeds the threshold, the service stops determining the true session count for that value.
  7. In the Role Membership section, select each role to assign to the user. When a user is a member of a role on a service, the user has the permissions assigned to the role.
  8. To activate the new service user, click Apply.

The user is added to the service immediately.

REPLICATE A USER TO OTHER SERVICES

  1. In the Users tab, select a user and click The Action drop-down menu > Replicate.
    The Replicate Users to Other Services dialog is displayed.
    This is an example of the Replicate User to Other Services dialog
  2. Enter the user's password and confirm the password.
  3. Select each service to which you are replicating the user.
  4. Click Replicate.

The user account is added to each selected service.

DELETE A SERVICE USER

  1. On the Users tab, select the Username and click The delete icon.
    NetWitness Suite requests confirmation that you want to delete the selected user.
  2. To confirm, click Yes.

The user is deleted from the service immediately.

Add a Service User Role

There are pre-configured roles in NetWitness Suite that are installed on the server and on each service. You can also add custom roles. The following table lists the pre-configured system roles and their permissions.

                                   
Role                     Permission
Administrators           Full system access
Operators                Access to configurations but not to meta and session content
Analysts                 Access to meta and session content but not to configurations
SOC_Managers             Same access as Analysts plus additional permission to handle incidents
Malware_Analysts         Access to malware events and to meta and session content
Data_Privacy_Officers    Access to meta and session content as well as configuration options that manage obfuscation and viewing of sensitive data within the system (see Data Privacy Management).

You must add a service role when you have added a:

  • Service user or users that requires a new set of permissions.
  • Custom role on NetWitness Server because trusted connections require that the same custom role exists both on the server and on each service the custom role will access. The names must be identical. For example, if you add a Junior Analysts role on the server then you must add a Junior Analysts role on each service the role will access. For more information, see the Add a Role and Assign Permissions topic in System Security and User Management.

There is also a pre-configured Aggregation service role. Aggregation Role and Service User Roles and Permissions provide additional information.

Procedure

To add a service user role and assign permissions to it:

  1. In NetWitness Suite, go to ADMIN > Services.
  2. Select a service, then The Actions drop-down menu > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
  3. Select the Roles tab.
    The Roles tab is displayed with the pre-configured roles already listed.
    This is an example of the Roles tab.
  4. Click The add icon, type the Role Name and press Enter.
    The Role Name is displayed above a list of Role Permissions.
  5. Select each permission the role will have on the service. 
  6. Click Apply.

The role is added to the service immediately. You can add service users to it in the Users tab.

Change a Service User Password

This procedure allows Administrators to change the password of a service user and replicate the new password to all Core services with that user account defined. It replicates only the password change to the Core services selected and does not replicate the entire user account. Administrators can also change the password of the admin account on the Core services.

Note: The Change Password option does not apply to external users.

To change the password of a service user:

  1. In NetWitness Suite, go to ADMIN > Services.
    The Administration Services view is displayed.
  2. Select a service, then click The actions drop-down menu > View > Security.
    The Security view for the selected service is displayed.
  3. In the Users tab, select a user and select Change Password from the actions icon.
    The Change Password dialog is displayed.
    This is an example of the Change Password dialog.
  4. Type a new password for the user and confirm the password.
  5. Select the services where you want the user password to change. 
  6. Click Change Password.
    The status of the password change on the selected services is displayed.

Create and Manage Service Groups

The Administration Services view provides options for creating and managing groups of services. The Services panel toolbar includes options for creating, editing, and deleting service groups. Once groups are created, you can drag individual services from the Services panel into a group.

Groups may reflect functional, geographical, project-oriented, or any other organization principle that is useful. A service may belong to more than one group. Here are some examples of possible groupings.

  • Group different service types to make it easier to configure and monitor all Brokers, Decoders, or Concentrators.
  • Group services that are part of the same data flow; for example, a Broker, and all associated Concentrators and Decoders.
  • Group services according to their geographic region and location within the region. If a major power outage occurs in a location, potentially affected services are easily identifiable.

Create a Group

  1. In NetWitness Suite, go to ADMIN > Services.
    The Administration Services view is displayed.
  2. In the Groups panel toolbar, click The Add icon.
    A field for the new group opens with a blinking cursor.
    This is the Groups panel with a new, unnamed group
  3. Type the name of the new group in the field (for example, A New Group) and press Enter.
    The group is created as a folder in the tree. The number next to the group indicates the number of services in that group.
    This is the Groups panel with the new group added

Change the Name of a Group

  1. In the Services view Groups panel, double-click the group name or select the group and click The edit icon. The name field opens with a blinking cursor.
  2. Type the new name of the group and press Enter.
    The name field closes and the new group name is displayed in the tree.

Add a Service to a Group

In the Services view Services panel, select a service and drag the service to a group folder in the Groups panel; for example, Log Collectors.
The service is added to the group.

View the Services in a Group

To view the services in a group, click the group in the Groups panel.

The Services panel lists the services in that group.

Remove a Service from a Group 

  1. In the Services view Groups panel, select the group that contains the service that you want to remove. The services in that group appear in the Services panel.
  2. In the Services panel, select one or more services that you want to remove from the group, and in the toolbar, select The Delete icon > Remove from Group.
    The selected services are removed from the group, but are not removed from the NetWitness Suite user interface. The number of services in the group, which is listed near the group name, decreases by the number of services removed from the group. The All group contains the services that were removed from the group.
    In the following example, the service group called A New Group does not contain any services, since the service in that group was removed.
    This is an example of a group without services

Delete a Group

  1. In the Services view Groups panel, select the group that you want to delete. 
  2. Click The delete icon.
    The selected group is removed from the Groups panel. The services that were in the group are not removed from the NetWitness Suite user interface. The All group contains the services from the deleted group.

Duplicate or Replicate a Service Role

An efficient way to add a new service role is to duplicate a similar role, save it with a new name and revise the permissions that are already assigned. For example, you could duplicate the Analysts role. Then, save it as JuniorAnalysts and modify the permissions.

The quick way to add an existing role to other services is to replicate the role. For example, you could replicate the JuniorAnalysts role that exists on a broker to a concentrator and log decoder.

Each of the following procedures starts in the Services Security view.

To navigate to the Services Security view:

  1. In NetWitness Suite, go to ADMIN > Services.
  2. Select a service, then click The Actions icon > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
  3. Select the Roles tab.

Duplicate a Service Role

  1. In the Roles tab, select the role you want to duplicate.
    This is an example of the Roles tab.
  2. Click The Duplicate icon to duplicate the role.
  3. Type a new name and click Apply.
  4. Select the new role.
  5. In the Role Permissions section, select or deselect permissions to modify what the new role can do.

The duplicated role is added to the service immediately.

Replicate a Role

  1. In the Roles tab, select the role you want to replicate and click Replicate.
  2. In the Replicate Role to Other Services dialog, select each service on which to add the role.
  3. Click Replicate.

The replicated role is added to each selected service immediately.

Edit Core Service Configuration Files

The service configuration files for the Decoder, Log Decoder, Broker, Concentrator, Archiver, and Workbench services are editable as text files. In the Service Config view > Files tab, you can:

  • View and edit a service configuration file that the NetWitness Suite system is currently using.
  • Retrieve and restore the latest backup of the file you are editing.
  • Push the open file to other services.
  • Save changes made to a file.

The files available to edit vary depending upon the type of service being configured. The files that are common to all Core services are:

  • The service index file.
  • The netwitness file.
  • The crash reporter file.
  • The scheduler file. 

In addition the Decoder has files that configure parsers, feed definitions, and a wireless LAN adapter. 

Note: The default values in these configuration files are generally good for the most common situations; however, some editing is necessary for optional services, such as the crash reporter or scheduler. Only administrators with a good understanding of the networks and the factors that affect the way services collect and parse data should make changes to these files in the Files tab.

For more detail on service configuration parameters, see Service Configuration Settings.

Edit a Service Configuration File

To edit a file:

  1. In NetWitness Suite, go to ADMIN > Services.
  2. In the Services grid, select a service.
  3. Select The actions drop-down menu > View > Config.
    The Service Config view is displayed with the General tab open.
  4. Click the Files tab.
    The selected service, such as Concentrator, appears in the drop-down list on the right.
  5. (Optional) To edit a file for the host instead of the service, select Host in the drop-down list.
  6. Choose a file from the Please Select A File To Edit drop-down list.
    The file content is displayed in edit mode.
    Editable Files tab in Config view
  7. Edit the file and click Apply.

The current file is overwritten and a backup file is created. The changes go into effect after the service is restarted.

Revert to a Backup Version of a Service Configuration File

After you make changes to a configuration file, save the file, and restart the service, a backup file is available. To revert to a backup of a configuration file: 

  1. Select a configuration file by completing steps 1-6 of the Edit Service Configuration Files procedure at the beginning of this topic.
  2. Click Get Backup.
    The backup file opens in the text editor.
  3. To revert to the backup version, click Save.

The changes go into effect after the service is restarted.

Push a Configuration File to Other Services

Once you have edited a service configuration file, you can push the same configuration to other services of the same type. 

  1. Select a configuration file by completing steps 1-6 of the Edit a Service Configuration File procedure at the beginning of this topic.
  2. Click The Push icon. The Select Services dialog is displayed.
  3. Select each service to push the configuration file on it.
    Each service must be the same type as the one you selected in the Services view.

    Caution: If you decide not to push the configuration file, click Cancel.

  4. To push the configuration file to all selected services, click OK.

The configuration file is pushed to all selected services. 

CONFIGURE THE TASK SCHEDULER

Scheduler File

You can edit the scheduler file in the Service Config view > Files tab. This file configures the built-in task scheduler for a service. The task scheduler can automatically send messages at predefined intervals or at specific times of the day.

Scheduler Task Syntax

A task line in the scheduler file consists of the following syntax, where <Value> has no spaces:

<ParamName>=<Value>

If <Value> contains spaces, this is the syntax:

<ParamName>="<Value>"

In each task line, these guidelines apply:

  • The parameter time or one of the interval parameters (seconds, minutes, or hours) is required.
  • Escape special characters with a \ (backslash).

Task Line Parameters

The following task line parameters are accepted by the scheduler.

                                                       
Syntax                                                                        Description
daysOfWeek: <string, optional, {enum-any:sun|mon|tue|wed|thu|fri|sat|all}>    The days of the week on which to execute the task. The default value is all.
deleteOnFinish: <bool, optional>                                              Delete the task when it has successfully finished.
hours: <uint32, optional, {range:1 to 8760}>                                  The number of hours between executions.
logOutput: <string, optional>                                                 Output the response to the log using the specified module name.
minutes: <uint32, optional, {range:1 to 525948}>                              The number of minutes between executions.
msg: <string>                                                                 The message to send to the node.
params: <string, optional>                                                    The parameters for the message.
pathname: <string>                                                            The path of the node that receives the message.
seconds: <uint32, optional, {range:1 to 31556926}>                            The number of seconds between executions.
time: <string>                                                                The time of execution in HH:MM:SS format (local time of this server).
timesToRun: <uint32, optional>                                                How many times to run since service start; 0 means unlimited (default).

Messages

The following are the message strings to use in the Task Scheduler msg parameter.

                                 
Message     Description
addInter    Add a task to run at a defined interval. For example, this message runs the /index save command every 6 hours:
            addInter hours=6 pathname=/index msg=save
addMil      Add a task to run at a specific time of day and, optionally, only on given day(s) of the week. For example, this message runs the /index save command at 1 AM every business day:
            addMil time=01:00:00 pathname=/index msg=save daysOfWeek=mon,tue,wed,thu,fri
delSched    Delete an existing scheduled task. The id parameter of the task must be retrieved from the print message.
print       Print all scheduled tasks.
replace     Assign all scheduled tasks in one message, deleting any existing tasks.
save        Tell a node to save.

Sample Task Line

The following example task line in the scheduler file downloads the feeds package file (feeds.zip) from the feeds host server to the selected Decoder every 120 minutes:

minutes=120 pathname=/parsers msg=feed params="type\=wget file\=http://feedshost/nwlive/feeds.zip"
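The following Python is an added example, not NetWitness code, that parses a scheduler task line according to the syntax and parameter table above and reports every problem in it before the line goes into the scheduler file, where a bad entry is only noticed when the service next tries to run it. It handles quoted values and the backslash escapes shown in the sample line. Three things the page leaves open are assumptions here: unknown parameter names are rejected, every task must name pathname and msg, and "time or one of the interval parameters is required" is read as exactly one of them; a bool is accepted as true/false/0/1.

```python
"""Parse and validate a scheduler task line.

Added example; not NetWitness code. It implements the syntax described above
(space-separated <ParamName>=<Value> pairs, double quotes around values that
contain spaces, backslash escapes inside values) and the parameter table.
Assumptions not stated on the page: unknown parameter names are rejected,
every task needs pathname and msg, exactly one of time/seconds/minutes/hours
is given, and a bool is written as true/false/0/1.
"""
import re
from typing import Dict, List

INTERVAL_PARAMS = {"seconds": (1, 31556926), "minutes": (1, 525948), "hours": (1, 8760)}
DAYS = {"sun", "mon", "tue", "wed", "thu", "fri", "sat", "all"}
KNOWN_PARAMS = {"daysOfWeek", "deleteOnFinish", "logOutput", "msg", "params",
                "pathname", "time", "timesToRun", *INTERVAL_PARAMS}
_TIME_RE = re.compile(r"^(?:[01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$")

# The sample task line from the page (raw string so the backslashes survive).
SAMPLE_LINE = r'minutes=120 pathname=/parsers msg=feed params="type\=wget file\=http://feedshost/nwlive/feeds.zip"'


def tokenize(line: str) -> Dict[str, str]:
    """Split a task line into name -> value, honouring quotes and backslash escapes."""
    params: Dict[str, str] = {}
    i, n = 0, len(line)
    while i < n:
        while i < n and line[i] == " ":
            i += 1
        if i >= n:
            break
        eq = line.find("=", i)
        name = line[i:eq] if eq >= 0 else ""
        if not name or " " in name:
            raise ValueError(f"expected <ParamName>=<Value> at offset {i}")
        if name in params:
            raise ValueError(f"parameter {name} given twice")
        i = eq + 1
        quoted = i < n and line[i] == '"'
        if quoted:
            i += 1
        buf: List[str] = []
        while i < n:
            ch = line[i]
            if ch == "\\" and i + 1 < n:      # backslash escapes the next character
                buf.append(line[i + 1])
                i += 2
                continue
            if quoted and ch == '"':          # closing quote ends the value
                i += 1
                break
            if not quoted and ch == " ":      # unquoted values end at the first space
                break
            buf.append(ch)
            i += 1
        else:                                 # ran off the end without a break
            if quoted:
                raise ValueError(f"unterminated quoted value for {name}")
        params[name] = "".join(buf)
    return params


def task_line_errors(line: str) -> List[str]:
    """Return every problem found; an empty list means the line is acceptable."""
    try:
        p = tokenize(line)
    except ValueError as exc:
        return [str(exc)]
    errors: List[str] = []
    unknown = sorted(set(p) - KNOWN_PARAMS)
    if unknown:
        errors.append(f"unknown parameter(s): {', '.join(unknown)}")
    for required in ("pathname", "msg"):
        if required not in p:
            errors.append(f"missing {required}")
    triggers = [k for k in ("time", *INTERVAL_PARAMS) if k in p]
    if len(triggers) != 1:
        errors.append("exactly one of time, seconds, minutes or hours is required")
    for k, (lo, hi) in INTERVAL_PARAMS.items():
        if k in p and not (p[k].isdigit() and lo <= int(p[k]) <= hi):
            errors.append(f"{k} must be an integer in {lo}..{hi}")
    if "time" in p and not _TIME_RE.match(p["time"]):
        errors.append("time must be HH:MM:SS")
    if "daysOfWeek" in p:
        bad = sorted(set(p["daysOfWeek"].split(",")) - DAYS)
        if bad:
            errors.append(f"daysOfWeek has invalid value(s): {', '.join(bad)}")
    if "deleteOnFinish" in p and p["deleteOnFinish"].lower() not in {"true", "false", "0", "1"}:
        errors.append("deleteOnFinish must be a bool")
    if "timesToRun" in p and not p["timesToRun"].isdigit():
        errors.append("timesToRun must be a non-negative integer")
    return errors


def parse_task_line(line: str) -> Dict[str, str]:
    """Tokenize and validate; raise ValueError listing every problem."""
    errors = task_line_errors(line)
    if errors:
        raise ValueError("; ".join(errors))
    return tokenize(line)


if __name__ == "__main__":
    print(parse_task_line(SAMPLE_LINE))
```

Run the script over each line of a scheduler file before you click Apply; the params value of the sample line comes back with its escapes resolved ("type=wget file=http://feedshost/nwlive/feeds.zip"), which is what the receiving node actually sees.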

EDIT A SERVICE INDEX FILE

This topic provides important information and guidelines for configuring service custom index files, which are editable in the Service Config view > Files tab.

The index file, along with other configuration files, controls operation of each Core service. Accessing the index file through the Service Config view in NetWitness Suite opens the file in a text editor, where you can edit the file.

Note: Only Administrators with a thorough and comprehensive understanding of Core service configuration are qualified to make changes to an index file, which is one of the central configuration files for the appliance service. Changes made should be consistent across all Core services. Invalid entries or a misconfigured file can prevent the system from starting and can require the assistance of RSA Support to bring the system back into a working state.

These are the index files: 

  • index-broker.xml and index-broker-custom.xml
  • index-concentrator.xml and index-concentrator-custom.xml
  • index-decoder.xml and index-decoder-custom.xml
  • index-logdecoder.xml and index-logdecoder-custom.xml
  • index-archiver.xml and index-archiver-custom.xml
  • index-workbench.xml and index-workbench-custom.xml

Index and Custom Index Files

All customer-specific index changes are made in index-<service>-custom.xml. This file overrides any settings in index-<service>.xml, which is solely controlled by RSA. 

Note: Customers using NetWitness Suite versions prior to 10.1 had to customize index files by editing and saving the index file itself; this method relied on NetWitness Suite creating a backup of the current index file upon restart of the service. With that process the current file is overwritten and a backup file is created, and the Get Backup toolbar option provides a way to revert to the backup version of the index file.

During software upgrades, index-<service>.xml is not preserved; it is overwritten by any changes made by the RSA content team. However, a backup is made in the same directory and named index-<service>.xml.rpm_pre_save. That file can be referenced if needed to create the customer-specific index-<service>-custom.xml file, which needs to be done only once. Going forward, RSA can make index changes without modifying existing customer-specific changes.

The custom index file, index-<service>-custom.xml, allows creation of custom definitions or overrides of your own language keys that are not overwritten during the upgrade process.

  • Keys that are defined in index-<service>-custom.xml replace the definitions found in index-<service>.xml.
  • Keys that are added to index-<service>-custom.xml and not found in index-<service>.xml are added to the language as new keys.

Some common applications for editing the index file are:

  • To add new custom meta keys to add new fields to the NetWitness Suite user interface.
  • To configure protected meta keys as part of a data privacy solution as described in the Data Privacy Management guide.
  • To adjust the NetWitness Suite Core database query performance as described in the NetWitness Suite Core Database Tuning Guide.

Note: For NetWitness Suite 10.1 and above, there is no need to edit the Broker custom index file, except for data privacy deployment scenarios and system roles. The Broker automatically merges the keys of all aggregate services to create a comprehensive language. The fallback language defined in index-broker.xml and index-broker-custom.xml is used if there are no services or if all services are offline.

Caution: Never set the index level to IndexKeys or IndexValues on a Decoder if you have a Concentrator or Archiver aggregating from the Decoder. The index partition size is too small to support any indexing beyond the default time meta key.
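The following Python is an added example, not RSA code, that shows the two override rules above in action and then applies the Decoder caution to the result: it loads a base index-<service>.xml and its index-<service>-custom.xml, resolves which definition wins for each key name, lists the base keys the custom file changed, and reports any key other than time that a Decoder would index. The page does not show the XML layout, so the element and attribute names (a <language> root of <key> elements with name, level, format and description attributes, matched across files by name) and the IndexNone level are assumptions; IndexKeys and IndexValues are the levels the caution names. Both documents in the script are constructed samples, not files RSA ships.

```python
"""Resolve the index language a Core service actually runs with, and check the
Decoder caution above.

Added example; not RSA code. The page does not show the XML layout, so this
assumes a <language> root whose <key> children carry name, level, format and
description attributes, matched across files by name, with index levels
IndexNone, IndexKeys and IndexValues. Both documents below are constructed
samples, not shipped RSA files.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

BASE_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone">
  <key name="time"   level="IndexValues" format="TimeT" description="Time"/>
  <key name="ip.src" level="IndexNone"   format="IPv4"  description="Source IP"/>
  <key name="action" level="IndexNone"   format="Text"  description="Action"/>
</language>"""

CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<language>
  <key name="ip.src"       level="IndexValues" format="IPv4" description="Source IP"/>
  <key name="myorg.ticket" level="IndexKeys"   format="Text" description="Ticket"/>
</language>"""

Key = Dict[str, str]


def load_keys(xml_text: str) -> Dict[str, Key]:
    """Map key name -> attributes; a name defined twice in one file is an error."""
    root = ET.fromstring(xml_text)
    if root.tag != "language":
        raise ValueError(f"expected <language> root, found <{root.tag}>")
    keys: Dict[str, Key] = {}
    for elem in root.iter("key"):
        name = elem.get("name")
        if not name:
            raise ValueError("<key> without a name attribute")
        if name in keys:
            raise ValueError(f"key {name} defined twice")
        keys[name] = dict(elem.attrib)
    return keys


def effective_index(base_xml: str, custom_xml: str) -> Dict[str, Key]:
    """Custom definitions replace base ones of the same name; new names are added."""
    merged = load_keys(base_xml)
    merged.update(load_keys(custom_xml))
    return merged


def custom_overrides(base_xml: str, custom_xml: str) -> List[Tuple[str, str, str]]:
    """(name, base level, custom level) for every base key the custom file redefines."""
    base, custom = load_keys(base_xml), load_keys(custom_xml)
    return sorted((n, base[n].get("level", ""), custom[n].get("level", ""))
                  for n in custom if n in base)


def decoder_index_violations(keys: Dict[str, Key]) -> List[str]:
    """Keys a Decoder would index beyond the default time key; the caution forbids
    this when a Concentrator or Archiver aggregates from the Decoder."""
    return sorted(n for n, k in keys.items()
                  if n != "time" and k.get("level") in ("IndexKeys", "IndexValues"))


if __name__ == "__main__":
    eff = effective_index(BASE_XML, CUSTOM_XML)
    print("overrides:", custom_overrides(BASE_XML, CUSTOM_XML))
    print("decoder violations:", decoder_index_violations(eff))
```

Run against the two files pulled from the Files tab of a Decoder, a non-empty violations list means the custom file has raised an index level the caution says the Decoder's index partition cannot support; on a Concentrator the same merge shows which customer keys are in play before an upgrade replaces index-<service>.xml.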

ENABLE CRASH REPORTER SERVICE

The Crash Reporter is an optional service for NetWitness Suite services. When activated for any of the core services, the Crash Reporter automatically generates a package of information to be used for diagnosing and solving the problem that resulted in the service failure. The package is automatically sent to RSA for analysis. The results are forwarded to RSA support for any further action.

The information package sent to RSA does not contain captured data. This information package consists of the following information:

  • Stack trace
  • Logs
  • Configuration settings
  • Software version
  • CPU information
  • Installed RPMs
  • Disk geometry

The Crash Reporter crash analysis can be activated for any Core product. 

The crashreporter.cfg File

One of the files available for editing in the Service Config view > Files tab is crashreporter.cfg, the Crash Reporter Client Server configuration file.

This file is used by the script that checks, updates, and builds crash reports on the host. The list of products to monitor can include Decoders, Concentrators, hosts, and Brokers.

This table lists the settings for the crashreporter.cfg file.

                                                                                                           
Setting                                                          Description
applicationlist=decoder, concentrator, host                      Define the list of products to monitor.
sitedir=/var/crashreporter                                       Location of the site directory for the report.
webdir=/usr/share/crashreporter/Web                              Location of the web directory.
devdir=/var/crashreporter/Dev                                    Location of the development directory.
datadir=/var/crashreporter/data                                  Location of the directory storing data files.
perldir=/usr/share/crashreporter/perl                            Location of the perl files.
bindir=/usr/share/crashreporter/bin                              Location of the binary executables.
libdir=/usr/share/crashreporter/lib                              Location of the binary libraries.
cfgdir=/etc/crashreporter                                        Location of the configuration files.
logdir=/var/log/crashreporter                                    Location of the log files.
scriptdir=/usr/share/crashreporter/scripts                       Location of the directory containing scripts.
workdir=/var/crashreporter/work                                  Location of the process work directory.
sqldir=/var/crashreporter/sql                                    Location where created sql files are placed.
reportdir=/var/crashreporter/reports                             Location where temporary reports are created.
packagedir=/var/crashreporter/packages                           Location of the created package files.
gdbconfig=/etc/crashreporter/crashreporter.gdb                   Location of the gdb configuration file.
corewaittime=30                                                  Number of seconds to wait after finding a core in order to determine whether the core is still being written.
cyclewaittime=10                                                 Number of minutes to wait between search cycles.
deletecores=1                                                    Whether the core files are deleted after the report (0 = No, 1 = Yes). Until a core file is deleted, it is reported each time crashreporter is restarted.
deletereportdir=1                                                Whether the report directory is deleted after the report (0 = No, 1 = Yes). Keeping it is useful for viewing core reports on the box, but if it is not deleted the directory is included in each subsequent package.
debug=1                                                          Whether debugging messages are turned on in the crashreporter logging output (0 = No, 1 = Yes).
posturl=https://www.netwitnesslive.com/crash...ter/submit.php    Define the web server post URL.
postpackages=0                                                   Whether the packages are posted to the web server (0 = No, 1 = Yes).
deletepackages=1                                                 Whether packages are deleted after they are posted to the web server (0 = No, 1 = Yes).

Configure the Crash Reporter Service

To configure the Crash Reporter service:

  1. Select ADMIN > Services.
  2. Select a service then click The Actions icon > View > Config.
  3. Select the Files tab.
  4. Edit crashreporter.cfg.
  5. Click Save.
  6. To display the Service System view, select Config > System.
  7. To restart the service, click The shutdown service icon.
    The service shuts down and restarts.

Start and Stop the Crash Reporter Service

To start the Crash Reporter Service:

  1. Select ADMIN > Services.
  2. Select a service and click The Actions icon > View > System.
  3. In the toolbar, click Host Tasks.
    The Host Task List is displayed.
  4. In the Task drop-down list, select Start Service.
  5. In the Arguments field, type crashreporter, then click Run.
    This is an example of the Host Task List dialog for this procedure.

The Crash Reporter service is activated and remains active until you stop it.

To stop the Crash Reporter service, select Stop Service from the Task drop-down list.

MAINTAIN THE TABLE MAP FILES

The table mapping file provided by RSA, table-map.xml, is a central part of the Log Decoder. It is a meta definition file that maps the keys used in a log parser to the meta keys in the meta database (metadb).

Do not edit the table-map.xml file. Make any changes in the table-map-custom.xml file instead. RSA publishes the latest table-map.xml on Live and updates it as required, so changes made directly to table-map.xml can be overwritten during a service or content upgrade.

In table-map.xml, some meta keys have flags set to Transient and some to None. To store and index a specific meta key, its flags must be set to None. To change a mapping, copy the entry into table-map-custom.xml on the Log Decoder and set its flags to None.

For meta key indexing:

  • When a key is marked as None in the table-map.xml file in the Log Decoder, it is indexed.
  • When a key is marked as Transient in the table-map.xml file in the Log Decoder, it is not indexed. To index the key, copy the entry to the table-map-custom.xml file and change the keyword flags="Transient" to flags="None".
  • If a key does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file in the Log Decoder.

Caution: Do not update the table-map.xml file because an upgrade can overwrite it. Add all of the changes that you want to make to the table-map-custom.xml file.

Prerequisites

If you do not have a table-map-custom.xml file on the Log Decoder, create a copy of table-map.xml and rename it to table-map-custom.xml.

Procedure

To verify and update the table mapping file:

  1. Go to ADMIN > Services.
  2. In the Services grid, select a Log Decoder and click the Actions icon > View > Config.
  3. Click the Files tab and select the table-map.xml file.
    This is an example of the Files tab with the relevant line highlighted.
  4. Verify that the flags keywords are set correctly to either Transient or None.
  5. If you need to change an entry, do not change table-map.xml. Instead, copy the entry, open the table-map-custom.xml file, paste or locate the entry there, and change its flags keyword from Transient to None.
    For example, the following entry for the hardware.id meta key in the table-map.xml file is not indexed and the flags keyword shows as Transient:
    <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
    To index the hardware.id meta key, change the flags keyword from Transient to None in the table-map-custom.xml:
    <mapping envisionName="hardware_id" nwName="hardware.id" flags="None"/>
  6. If an entry does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file.
  7. After making your changes to the table-map-custom.xml file, click Apply.

Caution: Before changing the table mapping files, carefully consider the effect of changing a key from Transient to None. Every indexed key consumes index storage and adds work on each parsed log, which is why only certain meta keys are indexed out of the box. Use table-map-custom.xml to index only the additional keys that your use case needs.
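The indexing rules above and the copy-then-change-flags procedure can be scripted so that the override file is generated from the RSA file rather than hand-edited. The following added example (not RSA tooling) reads a table-map.xml and an existing table-map-custom.xml, reports the effective flags per key after the override, and emits a new table-map-custom.xml that indexes a chosen list of keys by copying each entry and setting flags to None. A key absent from table-map.xml is refused rather than guessed, matching step 6, because its envisionName has to be supplied by whoever writes the parser. Both XML documents are constructed stand-ins; the only structure assumed is that of the <mapping> entry shown above (envisionName, nwName, flags attributes), and the root element name is read from the input.

```python
"""Generate table-map-custom.xml overrides from table-map.xml.

Added example, not RSA tooling. Assumed: <mapping> elements carry
envisionName, nwName and flags attributes as in the entry shown on this page.
The two documents below are constructed samples, not real RSA content.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the RSA-supplied table-map.xml (never edit on box).
TABLE_MAP_XML = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
  <mapping envisionName="username" nwName="user.dst" flags="None"/>
  <mapping envisionName="process" nwName="process" flags="Transient"/>
</mappings>
"""

# Constructed stand-in for an existing table-map-custom.xml.
CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="process" nwName="process" flags="None"/>
</mappings>
"""


def load_mappings(xml_text):
    """Return ({nwName: <mapping> element}, root tag) for the document."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): m for m in root.iter("mapping")}, root.tag


def effective_flags(table_map_xml, custom_xml):
    """Flags per key after table-map-custom.xml overrides table-map.xml.

    A key that is still 'Transient' is parsed but not stored or indexed.
    """
    base, _ = load_mappings(table_map_xml)
    custom, _ = load_mappings(custom_xml)
    result = {key: m.get("flags") for key, m in base.items()}
    for key, m in custom.items():
        result[key] = m.get("flags")
    return result


def build_custom(table_map_xml, custom_xml, keys_to_index):
    """Return new table-map-custom.xml text that indexes keys_to_index.

    Existing custom entries are preserved. Each requested key is copied from
    table-map.xml with flags changed to None. A key missing from table-map.xml
    raises, because its full entry must be written by hand (step 6 above).
    """
    base, _ = load_mappings(table_map_xml)
    custom, root_tag = load_mappings(custom_xml)
    root = ET.Element(root_tag)
    for m in custom.values():
        root.append(ET.Element("mapping", dict(m.attrib)))
    for nw_name in keys_to_index:
        if nw_name in custom:
            # Already overridden: just make sure it is indexed.
            root.find(f"./mapping[@nwName='{nw_name}']").set("flags", "None")
            continue
        if nw_name not in base:
            raise KeyError(f"{nw_name} is not in table-map.xml; add a full entry manually")
        attrs = dict(base[nw_name].attrib)
        attrs["flags"] = "None"
        root.append(ET.Element("mapping", attrs))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_custom(TABLE_MAP_XML, CUSTOM_XML, ["hardware.id"]))
```

Review the output of effective_flags before applying a generated file: every key it reports as None is one the Log Decoder will store and index, which is exactly the storage and performance cost the caution above warns about.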

Edit or Delete a Service

You can edit service settings, such as changing the host name or port number, or delete a service that you no longer need.

Each of the following procedures starts in the Services view.

To navigate to the Services view, in NetWitness Suite, go to ADMIN > Services.

This is the Services view.

Procedures

EDIT A SERVICE

  1. In the Services view, select a service and click the Edit icon or the Actions drop-down menu > Edit.
    The Edit Service dialog is displayed. It shows only the fields that apply to the selected service.
    This is the Edit Service dialog
  2. Edit the service details by changing any of the following fields:
    • Name
    • Port - Each core service has two ports, SSL and non-SSL. For trusted connections, you must use the SSL port.
    • SSL - For trusted connections, you must select SSL.
    • Username and Password - Use these credentials to test the connection to a service.
      1. If you use a trusted connection, leave the username blank (delete any existing username). If you do not use a trusted connection, type a username and password.
      2. Click Test Connection.
  3. (Optional) If the service requires a license, select Entitle Service. This option is displayed only for services that require a license.
  4. Click Save.

The changes take effect immediately.

DELETE A SERVICE

  1. In the Services view, select one or more services and click the Delete icon or the Actions drop-down menu > Delete.
  2. A dialog requests confirmation. To delete the service, click Yes.

The deleted service is no longer available to NetWitness Suite modules.

Explore and Edit Service Property Tree

You have advanced access and control of service functionality in the Services Explore view, which consists of two parts. The Node list displays service functionality in a tree structure of folders. The Monitor panel displays properties of the folder or file selected in the Nodes list.

Each of the following procedures starts in the Explore view.

To navigate to the Explore view:

  1. In NetWitness Suite, go to ADMIN > Services.
  2. Select a service, then select The Actions drop-down menu  > View > Explore.
    The Explore view is displayed. The Node list is on the left and the Monitor panel is on the right.
    This is an example of the Explore view

Procedures

DISPLAY OR EDIT A SERVICE PROPERTY

To display a service property:

  1. Right-click a file in the Node list or Monitor panel.
  2. Click Properties.

To edit the value of a service property:

  1. In the Monitor panel, select an editable property value.
  2. Type a new value. 

SEND A MESSAGE TO A NODE

  1. In the Properties dialog, select a message type. The options vary according to the file selected in the Node list.
    A description of the selected message type is displayed in the Message Help field.
  2. (Optional) If the message requires them, type the Parameters.
  3. Click Send.
    The value or format is displayed in the Response Output field.

Kill a Connection to a Service

You can view sessions that are running on a service in the Service System view. From within the list of sessions, you can end the session and end active queries in a session.

End a Session on a Service

  1. In NetWitness Suite, go to ADMIN > Services.
    The Admin Services view is displayed.
  2. Select a service, and select the Actions icon > View > System.
    The Service System view is displayed.
    This is an example of the Service System view
  3. In the Session Information grid at the bottom, click a session number.
    The following confirmation dialog is displayed.
    This is the Kill Session confirmation dialog
  4. Click Yes.

The session ends and is removed from the grid.

End an Active Query in a Session

  1. Scroll down to the Sessions grid.
  2. In the Active Queries column, click a non-zero count of active queries for a session. You cannot click on it if there are 0 active queries.
    The Active Queries dialog is displayed.
    This is an example of the Active Queries dialog
  3. Select a query and click Cancel Query.
    The query stops and the Active Queries column is updated.

Search for Services

You can search for services from the list of services in the Services view. The Services view enables you to quickly filter the list of services by Name, Host, and Service Type. You can use the Filter drop-down menu and the Filter field separately or together to filter the Services view.

In addition to being able to locate the services for a host in the Services view, you can also quickly find the services that run on a host in the Hosts view.

Search for a Service

  1. In NetWitness Suite, go to ADMIN > Services.
  2. In the Services panel toolbar, type a service Name or Host in the Filter field.
    This is the Filter field.

    The Services panel lists the services that match the names entered in the Filter field. The following example shows the search results after starting to type log in the filter field.
    This is the Services panel with two results matching a search for log

Filter Services by Type

  1. In NetWitness Suite, go to ADMIN > Services.
  2. In the Services view, click the Filter icon and select the service types that you want to appear in the Services view.


    The selected service types appear in the Services view. The following example shows the Services view filtered for Concentrator and Log Decoder.

    This is the Services panel filtered for Concentrator and Decoder.

Find the Services on a Host

In addition to being able to locate the services for a host in the Services view, you can also quickly find the services that run on a host in the Hosts view. 

  1. In NetWitness Suite, go to ADMIN > Hosts.
  2. In the Hosts view, select a host and click the box that contains a number (the number of services) in the Services column.
    A list of the services on the selected host is displayed.

In the following example, the three services on the selected host are listed after clicking the box containing the number 3.
This is an example of the dialog that appears when you click the service count

Click a service link to view that service in the Services view.

Start, Stop or Restart a Service

These procedures apply to core services only.

Each of the following procedures starts in the Services view. In NetWitness Suite, go to ADMIN > Services.

Start a Service

Select a service and click The Actions drop-down menu > Start.

Stop a Service

When you stop a service, all of its processes stop and active users are disconnected from it.

To stop a service:

  1. Select a service and click The Actions drop-down menu > Stop.
  2. A dialog requests confirmation. To stop the service, click Yes.

Restart a Service

Occasionally, you have to restart a service for changes to take effect. When you change a parameter that requires a restart, NetWitness Suite displays a message.

To restart a service:

  1. Select a service and click The Actions drop-down menu > Restart.
  2. A dialog requests confirmation. To restart the service, click Yes.

The service stops, then restarts automatically.

View Service Details

You can view and edit information about services using options in the View menu for a service.
This is the service View menu

Purpose of Each Service View

Each view displays a functional piece of a service and is described in detail in its own section:

  • System View shows a summary of service, appliance service, host user, license, and session information.
  • Services Stats View provides a way to monitor service operations and status. 
  • Services Config View is for configuring all aspects of a service. 
  • Services Explore View is for viewing and editing host and service configurations.
  • System Logging Panel shows service logs that you can search. 
  • Services Security View is a way to add Security Analytics Core user accounts for aggregation, thick client users, and REST API users.

Access a Service View

To access a view for a service:

  1. In NetWitness Suite, go to ADMIN > Services
  2. Select a service and click The Actions menu > View.
    The View menu is displayed.
    This is the View menu
  3. From the options on the left, select a view.
    This is a System view for a Broker.
    This is an example of the System view
  4. Use the toolbar to navigate:
    This is the service toolbar
    1. Click Change Service to select another service.
      The Administrate Service dialog is displayed.
    2. Select the checkbox to the left of the service that you want.
    3. In the View drop-down menu, select the view that you want for the selected service.
      This is the View menu
      The new view (for example, Stats) is displayed for the service you selected.
