This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
DevarajMohan1
New Contributor
New Contributor
‎2020-03-24 11:50 PM

Bulk Data Export From RSA Netwitness Archiver

Hi Team,

 

Currently we using RSA Netwitness 11.3.1.1 in our organization. So we have archiver which is deployed for log retention. At present we having 5 months of log data stored in archiver. We have the below requirement.

 

1) Management is asking 3 months of log data from archiver in human readable format lets say in .log or .csv format. Kindly suggest us on this. We haven't configured any aggregation polices on archiver for data collection. By default all the log data s are get aggregated.

2) If log data export is not possible what is the mechanism to read the archiver data ? Is there any component we need to deploy for reading archiver data ?

 

Looking forward for response.

 

Regards,

Devaraj

Counsultant (Cognitive SOC)

Inspirisys Solutions Limited, India.

Labels (1)
Labels
0 Likes
Reply
4 Replies
sravan.koneti
Frequent Contributor Frequent Contributor
Frequent Contributor
‎2020-03-27 01:36 AM

Devaraj Mohan‌,

 

Try https://community.rsa.com/docs/DOC-45813 by replacing the archiver details and port 50008

 

0 Likes
Reply
MarcoDemonte1
Beginner
Beginner
‎2020-03-31 11:35 AM

Hello Devaraj,

 

probably the best way is to use Reports.

If you extract raw data from the archiver, you will have the logs as they are produced by the log sources. I don't think that the managment is interested in those data.

Quite the opposite with reports where (for example) you can choose the data sources (device.type) and include some useful meta.key (user.dst or ip.src) as long as the log itself (msg)

The output could be pdf or csv. It depends on the ampount of data but you can use Excel for some csv.

 

If you really really really need to extract all the raw logs, I had a similar need in the past and I successfully used the sdk command from the archiver nwconsole. It is the third method mentioned by Sravan and that guide explains it very well.

I hope I've been of some help.

 

kind regards

Marco

0 Likes
Reply
DevarajMohan1
New Contributor
New Contributor
‎2020-04-02 12:49 AM

Sravan Kumar Koneti‌ As per the document you have shared is fine and we tested step 1 procedure. When we tried to export logs in CSV format it is not exporting instead i am getting below out put in browser. Kindly help us to download logs from archiver in CSV format.

 

Action:-

ArcRest.PNG

 

Output:-

Archiver Rest.PNG

0 Likes
Reply
sravan.koneti
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to DevarajMohan1
‎2020-04-02 02:36 AM

Devaraj Mohan‌,

The tab contents are acutal csv format logs. you can right click and save as .csv file. The columns for csv are timestamp,source,forwarder,lccid,log. The log coulmn is actual raw log.

 

Also, when you use GUI or REST 1 GB is limit. Going for 3rd method gives unlimited logs.

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.