UPDATED 2-1-2017 to Version 0.4
1-20-2017 (0.2): Added capability to auto-populate all appliance IP addresses. Substitute "autoiplist" rather than a user-defined iplist. See help for more information. Also fixed help file (previous typo). Removed prompts.
1-27-2017 (0.3): Added a number of SDK checks. Changed the logic on how it identifies the server type, added a size check for VolGroup00. If it shows up as 29.XX GB and your appliance is an R620, you're likely still utilizing the SD cards as part of the OS. Also added a check showing currently free memory.
2-1-2017 (0.4): Added DRAC Firmware version check
I've worked with dozens of Security Analytics instances and have found myself repeatedly compiling the same information, usually relating to basic asset inventory, configuration information and simple health checks. In order to expedite this process, I've created a simple shell script that will log into each appliance in an environment, pull important information and aggregate it all into a CSV file for easy reference. The nice thing about this script is that it obtains many of the important configuration items without needing to log into REST or perform NwConsole commands.
- List of IP addresses or Hostnames of all SA Appliances (virtual or physical) - List needs to be one IP/Host per line. This step can now be skipped by using the "autoiplist" option (see below)
- Key exchange between the host where the script is installed and the SA Appliances - This is optional, but will make things go much faster. If this hasn't been set up, you'll just be prompted for the Host OS username (usually root) for each appliance the script is connecting to
- For more information on how to set this up, see the following links:
- A Linux host to run the script from that can connect to all the SA appliances defined in the IP List (I frequently use the SA Server Host)
- Copy the attached SA_Enviro_Check.sh script to your host
- Make it executable:
  - chmod +x SA_Enviro_Check.sh
- Ensure the md5sum matches the following:
  - [root@NW-GUI new]# md5sum SA_Enviro_Check.sh
This script is used to generate a comma-delimited inventory of a Security Analytics Environment while also compiling several important configuration items per appliance.
IMPORTANT: This script functions best when key exchange has been performed between the SA Server and the Appliances. If not, it will prompt for a password for each appliance in the IP List.
-h : This help file
-v : version information
-a : Generates a list of all currently enabled appliance IPs and quits. File will be named "all_appliance_ips.out"
-p : When this option is used, all arguments must be passed in the proper order. If the user chooses "autoiplist" rather than defining a set list of IPs (see EX2), all appliances connected to the NW GUI will be examined. The arguments must be passed in the following order:
EX: ./SA_Enviro_Check.sh -p <username> <iplist> </output/path/filename.csv> </output/path/logfile.log>
EX2: ./SA_Enviro_Check.sh -p <username> autoiplist </output/path/filename.csv> </output/path/logfile.log>
What the script gathers and where it comes from:

| Item | Source |
|---|---|
| Date Checked | date command |
| IP Address | hostname command |
| Booting Kernel | uname -r |
| Installed Kernels | rpm -qa |
| Puppet Node ID | /var/lib/puppet/node_id |
| Services Installed | rpm -qa |
| Local Accounts per Service | /etc/netwitness/ng/Nw*.cfg files |
| Max Concurrent Queries Per Service | /etc/netwitness/ng/Nw*.cfg files |
| Max Pending Queries | /etc/netwitness/ng/Nw*.cfg files |
| Parallel Query | /etc/netwitness/ng/Nw*.cfg files |
| Parallel Value | /etc/netwitness/ng/Nw*.cfg files |
| Query Parse | /etc/netwitness/ng/Nw*.cfg files |
| Cache Window Minutes Per Service | /etc/netwitness/ng/Nw*.cfg files |
| DRAC Firmware Version | ipmitool |
| PFring Version | rpm -qa |
| Capture Autostart | /etc/netwitness/ng/Nw*.cfg files |
| Capture Interface | /etc/netwitness/ng/Nw*.cfg files |
| Capture Device Params | /etc/netwitness/ng/Nw*.cfg files |
| Aggregating Devices | /etc/netwitness/ng/Nw*.cfg files |
| Aggregate Autostart | /etc/netwitness/ng/Nw*.cfg files |
| Aggregate Hours | /etc/netwitness/ng/Nw*.cfg files |
| Aggregate Interval | /etc/netwitness/ng/Nw*.cfg files |
| Aggregate Max Session | /etc/netwitness/ng/Nw*.cfg files |
| Active App Rules | /etc/netwitness/ng/Nw*.cfg files |
| Active Correlation Rules | /etc/netwitness/ng/Nw*.cfg files |
| Installed Feeds | deduplicated files in /etc/netwitness/ng/feeds |
| Custom Index Entries | cleaned index-*-custom.xml files |
| VolGroup00 Size (see the 0.3 note above) | vgs (volume group scan) |
| Meta DIR Mounts | /etc/netwitness/ng/Nw*.cfg files |
| Packet DIR Mounts | /etc/netwitness/ng/Nw*.cfg files |
| Session DIR Mounts | /etc/netwitness/ng/Nw*.cfg files |
| Save Session Count | /etc/netwitness/ng/Nw*.cfg files |
| Index DIR Mounts | /etc/netwitness/ng/Nw*.cfg files |
| Index Slices Open | /etc/netwitness/ng/Nw*.cfg files |
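The argument order from the help text and the cfg-file extraction behind most rows of the table, as an added shell example; this is not the post's SA_Enviro_Check.sh. It assumes (the post does not say) that the Nw*.cfg files hold key=value lines; the key names capture.autostart, max.concurrent.queries and aggregate.hours, and the sample file contents, are constructed for the demo, and appliances are reached with ssh as the supplied username.

```shell
#!/bin/sh
# Added example, not the post's SA_Enviro_Check.sh: the building blocks of an inventory
# script of this shape, written so each piece can be exercised offline.
# ASSUMPTIONS (not stated on the page): Nw*.cfg files hold "key=value" lines, and the
# key names used below (capture.autostart etc.) are constructed for the demo.

# Argument handling for "-p <username> <iplist|autoiplist> <csv> <log>". Echoes the
# resolved IP-list path; returns 1 on a usage error (wrong count, wrong order, unreadable list).
resolve_args() {
    [ "$#" -eq 5 ] && [ "$1" = "-p" ] || return 1
    case "$3" in
        autoiplist) echo "all_appliance_ips.out" ;;   # the file the -a option writes
        *)          [ -r "$3" ] && echo "$3" ;;
    esac
}

# Pull one key out of a cfg file; prints "n/a" when absent so every row keeps its column count.
cfg_value() {   # cfg_value <file> <key>
    k=$(printf '%s' "$2" | sed 's/[.]/\\./g')            # escape dots for the regex
    v=$(sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n/a\n'; fi
}

# CSV-quote a field: wrap in double quotes and double any embedded quotes, so values that
# contain commas (e.g. a list of aggregating devices) do not split the row.
csv_field() { printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"; }

# One CSV row for one appliance (a subset of the post's columns). Date may be passed in.
csv_row() {   # csv_row <host> <cfgfile> [date]
    d=${3:-$(date -u +%Y-%m-%d)}
    printf '%s,%s,%s,%s,%s\n' \
        "$(csv_field "$1")" "$(csv_field "$d")" \
        "$(csv_field "$(cfg_value "$2" capture.autostart)")" \
        "$(csv_field "$(cfg_value "$2" max.concurrent.queries)")" \
        "$(csv_field "$(cfg_value "$2" aggregate.hours)")"
}

# The post asks you to confirm the script's md5sum before running it; do it in code.
verify_md5() {   # verify_md5 <file> <expected-md5>
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Fetch one appliance's cfg files over ssh and append its row. BatchMode=yes makes a host
# with no key exchange fail fast and get logged rather than stall the run on a prompt.
collect_host() {   # collect_host <user> <ip> <csv> <log>
    tmp=$(mktemp) || return 1
    if ssh -o BatchMode=yes -o ConnectTimeout=10 "$1@$2" 'cat /etc/netwitness/ng/Nw*.cfg' \
         >"$tmp" 2>>"$4"; then
        csv_row "$2" "$tmp" >>"$3"
    else
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $2: ssh failed, appliance skipped" >>"$4"
    fi
    rm -f "$tmp"
}

main() {   # main -p <user> <iplist|autoiplist> <csv> <log>
    list=$(resolve_args "$@") || { echo "usage: $0 -p <username> <iplist|autoiplist> <csv> <log>" >&2; return 2; }
    printf '"Host","Date Checked","Capture Autostart","Max Concurrent Queries","Aggregate Hours"\n' >"$4"
    while read -r ip; do
        [ -n "$ip" ] && collect_host "$2" "$ip" "$4" "$5"
    done <"$list"
}

if [ "${1:-}" = "-p" ]; then main "$@"; fi
```

Two choices differ from the post's script on purpose: ssh runs with BatchMode=yes, so an appliance without a key exchange is logged and skipped instead of prompting for the root password once per host, and every field is CSV-quoted, so a value such as a comma-separated list of aggregating devices cannot shift the columns of its row.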
- The script has not been tested against Malware Appliances, does not work with WLCs (Windows-based) and will retrieve less information from ESAs due to their architecture differences.
- This script is beta; if you notice some information does not look correct, please let me know.