Host GS: The Basics

Document created by RSA Information Design and Development on Feb 8, 2018. Last modified by RSA Information Design and Development on Sep 12, 2018. Version 5.

This guide gives administrators the standard procedures for adding and configuring hosts and services in NetWitness Platform. After introducing the basic purpose of hosts and services and how they function within the NetWitness Platform network, this guide covers:

  • Tasks you must complete to set up hosts and services in your network
  • Additional procedures that you complete based on the long-term and daily, operational needs of your enterprise
  • Reference topics that describe the user interface

Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

What Is a Host

A host is the machine on which a service runs and can be a physical or virtual machine. See the "NetWitness Platform Detailed Host Deployment Diagram" in the NetWitness Platform Deployment Guide for an illustration of how hosts are deployed.

What Is a Host Type

A host type assigns a service or services to a host when you install a host from the Hosts view. You choose a Host Type in the Install Services dialog, which is displayed when you select a host in the Hosts view and click the install icon. The following table lists each host type and the services it installs. See the "NetWitness Platform Detailed Host Deployment Diagram" in the NetWitness Platform Deployment Guide for an illustration of how hosts are deployed.

Host Type            Services Installed
-------------------  -----------------------------------------------------------------
Archiver             Workbench and Archiver
Broker               Broker
Cloud Gateway        Cloud Gateway
Concentrator         Concentrator
Endpoint Hybrid      Log Decoder, Endpoint, and Concentrator
Endpoint Log Hybrid  Log Collector, Log Decoder, Endpoint, and Concentrator
ESA Primary          Context Hub, Entity Behavior Analysis, and Event Stream Analysis
ESA Secondary        Event Stream Analysis and Entity Behavior Analysis
Log Collector        Log Collector
Log Decoder          Log Collector and Log Decoder
Log Hybrid           Log Collector, Log Decoder, and Concentrator
Malware Analysis     Malware Analysis and Broker
Network Decoder      Decoder (Packets)
Network Hybrid       Concentrator and Decoder
UEBA                 UEBA
Warehouse Connector  Warehouse Connector

What Is a Service

A service performs a unique function, such as collecting logs or archiving data. Each service runs on a dedicated port and is modeled as a plug-in that you enable or disable according to the function of the host.

You must configure the following core services first: 

  • Decoder
  • Concentrator
  • Broker
  • Log Decoder

All the services are listed below. Each service except the Log Collector has its own guide, or shares a guide, in the Host and Services Configuration Guides. The Log Collector has its own set of configuration guides covering all the supported event collection protocols. For Log Collector information, see Log Collection Guides.

Service                   Unencrypted    Encrypted    Notes
                          Non-SSL Port   SSL Port
------------------------  -------------  -----------  ------------------------------
Admin                     N/A            N/A          Implemented with the NW Server
Archiver                  50008          56008
Broker                    50003          56003        Core Service
Cloud Gateway             N/A            N/A
Concentrator              50005          56005        Core Service
Config                    N/A            N/A          Implemented with the NW Server
Content                   N/A            N/A          Implemented with the NW Server
Context Hub               N/A            N/A
Decoder (Packets)         50004          56004        Core Service
Endpoint                  N/A            N/A
Entity Behavior Analysis  N/A            N/A
Event Stream Analysis     N/A            50030
Integration               N/A            N/A          Implemented with the NW Server
Investigate               N/A            N/A          Implemented with the NW Server
Log Collector             50001          56001
Log Decoder               50002          56002        Core Service
Malware Analysis          N/A            60007
Orchestration             N/A            N/A          Implemented with the NW Server
Reporting Engine          N/A            51113        Implemented with the NW Server
Respond                   N/A            N/A          Implemented with the NW Server
Security                  N/A            N/A          Implemented with the NW Server
Source                    N/A            N/A          Implemented with the NW Server
UEBA                      N/A            N/A
Warehouse Connector       50020          56020
Workbench                 50007          56007

You must configure hosts and services to communicate with the network and each other so they can perform their functions such as storing or capturing data. 
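The port table above is also a useful baseline for checking what a host actually exposes: a NetWitness service listening on its unencrypted non-SSL port on a non-loopback address is reachable by other machines without TLS, and a listener on a port the table does not assign belongs to something other than a NetWitness service. The following script is an added example, not RSA code or part of this guide. It takes the output of the Linux `ss -H -lnt` command (the state, queue sizes and local address:port columns), classifies each listener against the table above, and reports exposed non-SSL ports and unknown listeners. The sample output embedded in the block is constructed for illustration, not captured from a real host.

```python
import re
from typing import List, NamedTuple, Optional

# Port assignments copied from the service table above as (non-SSL, SSL).
# Services the table lists as N/A on both ports (Admin, Config, Endpoint,
# UEBA, ...) are omitted because they have no dedicated listener to audit.
SERVICE_PORTS = {
    "Archiver":              (50008, 56008),
    "Broker":                (50003, 56003),
    "Concentrator":          (50005, 56005),
    "Decoder (Packets)":     (50004, 56004),
    "Event Stream Analysis": (None,  50030),
    "Log Collector":         (50001, 56001),
    "Log Decoder":           (50002, 56002),
    "Malware Analysis":      (None,  60007),
    "Reporting Engine":      (None,  51113),
    "Warehouse Connector":   (50020, 56020),
    "Workbench":             (50007, 56007),
}

# Reverse index: port -> (service name, "non-ssl" | "ssl")
PORT_INDEX = {}
for _name, (_plain, _tls) in SERVICE_PORTS.items():
    if _plain is not None:
        PORT_INDEX[_plain] = (_name, "non-ssl")
    PORT_INDEX[_tls] = (_name, "ssl")


class Finding(NamedTuple):
    address: str            # local bind address as printed by ss
    port: int
    service: Optional[str]  # None when the port is not in the table
    kind: str               # "ssl", "non-ssl" or "unknown"
    exposed: bool           # True unless bound to a loopback address


# `ss -H -lnt` prints one listener per line, for example:
#   LISTEN 0 128 0.0.0.0:56005 0.0.0.0:*
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def audit_listeners(ss_output: str) -> List[Finding]:
    """Classify every TCP listener in `ss -H -lnt` output against the port table."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header lines or sockets that are not listening
        address, port = m.group(1), int(m.group(2))
        service, kind = PORT_INDEX.get(port, (None, "unknown"))
        findings.append(Finding(address, port, service, kind, address not in LOOPBACK))
    return findings


def unencrypted_exposed(findings: List[Finding]) -> List[Finding]:
    """Non-SSL NetWitness ports reachable from off-host: candidates to disable or firewall."""
    return [f for f in findings if f.kind == "non-ssl" and f.exposed]


def unknown_listeners(findings: List[Finding]) -> List[Finding]:
    """Listeners on ports the table does not assign to any NetWitness service."""
    return [f for f in findings if f.kind == "unknown"]


# Constructed sample output in `ss -H -lnt` format (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:56005 0.0.0.0:*
LISTEN 0 128 0.0.0.0:50005 0.0.0.0:*
LISTEN 0 128 127.0.0.1:50003 0.0.0.0:*
LISTEN 0 128 *:56003 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:50030 [::]:*
"""

if __name__ == "__main__":
    found = audit_listeners(SAMPLE_SS)
    for f in unencrypted_exposed(found):
        print(f"WARN unencrypted {f.service} port {f.port} bound to {f.address}")
    for f in unknown_listeners(found):
        print(f"INFO port {f.port} on {f.address} is not a NetWitness service port")
```

On a real host you would feed the script the captured output of `ss -H -lnt` instead of the constructed sample; the only warning the sample produces is the Concentrator non-SSL port 50005 bound to all interfaces, while the Broker non-SSL port bound to 127.0.0.1 is reported but not flagged as exposed.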

Setting Up a Host

You use the Hosts view to add a host to NetWitness Platform.  See Step 1. Deploy a Host for detailed instructions.

Maintaining Hosts

You use the main ADMIN > Hosts view to add, edit, delete, and perform other maintenance tasks for the hosts in your deployment. You use the Task List dialog to perform tasks relating to a host and its communications with the network. See Hosts and Services Procedures for detailed instructions.

After initial implementation of NetWitness Platform, the major task you perform from the Hosts view is updating your NetWitness Platform deployment to a new version.

Update Version Naming Convention

You use the Hosts view to apply the latest version updates from your local update repository (see Populate Local Update Repository). You must understand the update version naming convention to know which version you want to apply to the host. The naming convention is major-release.minor-release.service-pack.patch. For example, if you choose 11.6.1.2, you apply the following version to the host:

  • 11 = major release
  • 6 = minor release
  • 1 = service pack
  • 2 = patch

NetWitness Platform supports multiple versions in your deployment. The NetWitness Server (NW Server Host) is updated first, and all other hosts must be on the same version as the NW Server Host or an earlier one.

The following example is a single version deployment with all hosts updated to 11.2.0.0 (latest RSA release available).
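The version rule above (NW Server first; no other host may be newer than it) and the mixed-version state it allows are easy to check mechanically from a host inventory. The following script is an added example, not RSA code or part of this guide. It parses the major-release.minor-release.service-pack.patch convention, compares versions numerically rather than as strings, reports whether the deployment is running more than one version, and lists any host that is ahead of the NW Server host. The host names and the `nw-server` label are constructed assumptions for the sample inventory; substitute the names from your own deployment.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Version(NamedTuple):
    """major-release.minor-release.service-pack.patch, in the order the guide gives."""
    major: int
    minor: int
    service_pack: int
    patch: int

    def __str__(self) -> str:
        return ".".join(str(part) for part in self)


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse '11.6.1.2' into Version(11, 6, 1, 2); reject anything not four numeric fields."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a major.minor.service-pack.patch version: {text!r}")
    return Version(*(int(group) for group in m.groups()))


def check_deployment(host_versions: Dict[str, str],
                     nw_server: str = "nw-server") -> Tuple[bool, List[str]]:
    """Return (mixed_mode, violations) for a {host: version string} inventory.

    mixed_mode is True when the hosts are not all on one version.
    violations lists hosts on a version newer than the NW Server host,
    which the update rule does not allow.
    """
    parsed = {host: parse_version(ver) for host, ver in host_versions.items()}
    server = parsed[nw_server]
    # Tuple comparison orders by major, then minor, then service pack, then patch.
    violations = sorted(host for host, ver in parsed.items() if ver > server)
    mixed_mode = len(set(parsed.values())) > 1
    return mixed_mode, violations


def hosts_behind_server(host_versions: Dict[str, str],
                        nw_server: str = "nw-server") -> List[str]:
    """Hosts still to be updated to the NW Server host's version."""
    parsed = {host: parse_version(ver) for host, ver in host_versions.items()}
    server = parsed[nw_server]
    return sorted(host for host, ver in parsed.items() if ver < server)


# Constructed sample inventory: an update to 11.2.1.0 that is half way through.
SAMPLE_INVENTORY = {
    "nw-server":      "11.2.1.0",
    "esa-1":          "11.2.1.0",
    "decoder-1":      "11.2.1.0",
    "concentrator-1": "11.2.1.0",
    "decoder-2":      "11.2.0.2",
    "concentrator-2": "11.2.0.2",
}

if __name__ == "__main__":
    mixed, bad = check_deployment(SAMPLE_INVENTORY)
    print("mixed mode:", mixed)
    print("hosts newer than the NW Server host:", bad or "none")
    print("hosts still to update:", hosts_behind_server(SAMPLE_INVENTORY))
```

Comparing the parsed tuples rather than the strings matters once a field reaches two digits: as strings, "11.10.0.0" sorts before "11.9.0.0", while the numeric comparison orders them correctly.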

Maintaining Services

You use the ADMIN > Services view to add, edit, delete, monitor, and perform other maintenance tasks for the services in your deployment. See Hosts and Services Procedures for detailed instructions.

Services Implemented with the NetWitness Server

The services in the following table are implemented when you deploy the NW Server to support:

  • the expansion of physical and virtual deployment platforms and improvements to host and service maintenance.
  • Content, Investigate, Respond, and Source functionality.

Caution: You do not need to configure these services to deploy NetWitness Platform. RSA recommends that you monitor the operating status of these services using Health-and-Wellness. Do not attempt to modify the parameters in the Explore view without contacting Customer Support (https://community.rsa.com/docs/DOC-1294).

Service            Purpose
-----------------  ---------------------------------------------------------------
Admin

The Administration Server (Admin server) is the back-end service for administrative tasks in the NetWitness Platform User Interface (UI). It abstracts authentication, global preferences management, and authorization support for the UI. The Admin server requires the Config server and the Security server to be online to perform its role.

Config

The Configuration Server (Config server) stores and manages configuration sets. A configuration set is any logical configuration group that is managed independently. The Config server facilitates the sharing of properties among services, provides configuration backup and restore facilities, and tracks changes to properties.

Content

The Content server manages the RSA-provided and user-created parser rules. For more information on parser management, search for "parsers" in RSA Link.

Integration

The Integration Server manages interactions with external systems. The service handles the following outbound or inbound channels.

  • REST API Gateway - gateway to external REST clients that assigns calls to the NetWitness Application Programming Interface (API).
  • Notifications Dispatcher - centralized dispatcher for all outbound notifications originating in the NetWitness deployment.
Investigate

The Investigate server supports Investigate and Malware Analysis functionality. For more information, see the NetWitness Platform Investigate and Malware Analysis User Guide.

Orchestration

The Orchestration server provisions, installs, and configures all services in your NetWitness Platform deployment.

Respond

The Respond server supports Respond functionality. For more information see the NetWitness Platform Respond Configuration Guide.

Security

The NetWitness Platform Security Server (Security server) manages the security infrastructure of a NetWitness Platform deployment. It handles the following security-related concerns.

  • Users and their authentication accounts
  • Role Based Access Control (RBAC)
  • Deployment PKI infrastructure

A NetWitness Platform deployment has users with authentication accounts. Independent of how you verify the identity of the analyst (for example, Active Directory), NetWitness Platform must maintain user state that is not provided by all authentication providers (for example, last login time, failed login attempts, and roles). The concept of a user is separate from the identity associated with the user, and the Security server maintains these as separate User and Account entities. In addition to the out-of-the-box local NetWitness accounts available to all NetWitness deployments, the server supports external authentication providers.

The Security server also implements RBAC by managing Role and Permission entities. Permissions can be assigned to roles and roles to users. Together these enable a flexible authorization policy for the deployment. The server also manages generation of cryptographically secure tokens that encode the applicable authorization for a user. These tokens form the basis for deployment wide authorization.

Source

The Source server is reserved for future use and will provide a centralized location to configure sources (for example, Endpoints and Log Sources).

Running in Mixed Mode

Mixed mode occurs when some services are updated to the latest version and some are still on older versions. This happens when you update the hosts in your deployment to the latest version in phases (or stagger the update).

Functionality Gaps Encountered During Staggered Updates

If you stagger the update, you:

  • May not have all the features operational until you update your entire deployment.
  • Will not have service administrative features available until you update all the hosts in your deployment.
  • May be without data capture for a period of time.

Examples of Staggered Updates

In the following examples, all the hosts are on 11.2.0.x and you want to stagger the host updates to version 11.2.1.0.

Example 1. Multiple Decoders and Concentrators, Alternative 1

In this example, the 11.2.0.x deployment includes one NW Server host, two Decoder hosts, two Concentrator hosts, one Archiver host, one Broker host, one Event Stream Analysis host, and one Malware Analysis host.

You must complete Phase 1 first and update the hosts in the order listed for Phase 1. RSA recommends that you update the Phase 2 hosts in the order listed.

Phase 1 - session 1

  1. Update the NetWitness Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Malware Analysis host.
  4. Update the Broker or Concentrator host.

Phase 2 - session 2

  1. Update 2 Decoder hosts.
  2. Update 2 Concentrator hosts and Archiver host.

Phase 2 - session 3

  1. Update all other hosts.

Example 2. Multiple Decoders and Concentrators, Alternative 2

In this example, the 11.2.0.x deployment includes one NW Server host, two Decoder hosts, two Concentrator hosts, one Broker host, one Event Stream Analysis host, and one Malware Analysis host. RSA recommends that you update the Phase 2 hosts in the following sequence (you must complete Phase 1 first and update the hosts in the order listed).

Phase 1 - session 1

  1. Update the NetWitness Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Malware Analysis host.
  4. Update the Broker host.

Phase 2 - session 2

  1. Update one Decoder host and one Concentrator host.
    Time elapses during which NetWitness Platform processes a significant amount of data.

Phase 2 - session 3

  1. Update one Decoder host, one Concentrator host, and the Broker host.
  2. Update all Log Decoder hosts before you update Virtual Log Collectors.
  3. Update all other hosts.

Example 3. Multiple Regions

In this example, the 11.2.0.x deployment includes one NW Server host, one Event Stream Analysis host, one Malware Analysis host, four Decoder hosts, four Concentrator hosts, and two Broker hosts (two sites, each with two Decoders, two Concentrators, and one Broker).

Phase 1 - Update Site 1

  1. Update the NW Server host.
  2. Update the Event Stream Analysis host.
  3. Update the Malware Analysis host.
  4. Update one Broker host, two Decoder hosts, and two Concentrator hosts.
  5. Update all the other hosts.

Phase 2 - Update Site 2

  1. Update the Broker hosts.
  2. Update two Decoder hosts.
  3. Update two Concentrator hosts.
  4. Update all the other hosts.
