Bulk Data Export From RSA Netwitness Archiver
Currently we are using RSA NetWitness 18.104.22.168 in our organization, so we have an Archiver deployed for log retention. At present we have 5 months of log data stored in the Archiver. We have the below requirement.
1) Management is asking for 3 months of log data from the Archiver in a human-readable format, let's say .log or .csv. Kindly suggest us on this. We haven't configured any aggregation policies on the Archiver for data collection; by default all the log data gets aggregated.
2) If log data export is not possible, what is the mechanism to read the Archiver data? Is there any component we need to deploy for reading Archiver data?
Looking forward to your response.
Consultant (Cognitive SOC)
Inspirisys Solutions Limited, India.
Probably the best way is to use Reports.
If you extract raw data from the Archiver, you will have the logs exactly as they are produced by the log sources. I don't think that management is interested in that data.
Quite the opposite with Reports, where (for example) you can choose the data sources (device.type) and include some useful meta keys (user.dst or ip.src) as well as the log itself (msg).
The output can be PDF or CSV. It depends on the amount of data, but you can use Excel for some CSVs.
If you really, really, really need to extract all the raw logs: I had a similar need in the past and I successfully used the sdk command from the Archiver's nwconsole. It is the third method mentioned by Sravan, and that guide explains it very well.
I hope I've been of some help.
Sravan Kumar Koneti, the document you have shared is fine and we tested the step 1 procedure. When we tried to export logs in CSV format it did not export; instead I am getting the below output in the browser. Kindly help us to download logs from the Archiver in CSV format.
The tab contents are the actual CSV-format logs. You can right-click and save as a .csv file. The CSV columns are timestamp, source, forwarder, lccid, log. The log column is the actual raw log.
Also, when you use the GUI or REST, 1 GB is the limit. Going for the 3rd method gives unlimited logs.
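The CSV the answer above describes (timestamp, source, forwarder, lccid, log, with the raw event in the log column) is close to what management asked for, but a raw log frequently contains commas and quotes, so naive splitting on "," corrupts it. The script below is an added example, not RSA code and not from this thread: it parses such an export with a real CSV parser, groups events by the source field, and writes one .log file per source. The sample rows are constructed for illustration; the column names are taken from the answer above, while the timestamp format and the sanitisation of the source value into a file name are assumptions.

```python
"""Split an RSA NetWitness Archiver CSV log export into per-source .log files.

Added example, not RSA code. Assumes the export has the columns the thread
describes: timestamp,source,forwarder,lccid,log, with 'log' holding the raw
event. Timestamp format and file naming are assumptions of this example.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from pathlib import Path

EXPECTED_COLUMNS = ["timestamp", "source", "forwarder", "lccid", "log"]

# Constructed sample export (not real data). The third row's raw log contains
# commas and an embedded quote, which is why a CSV parser is used rather than
# str.split(",").
SAMPLE_EXPORT = (
    "timestamp,source,forwarder,lccid,log\n"
    '1583020800,10.0.0.5,ld01,1,"Mar  1 00:00:00 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.9 DST=10.0.0.5"\n'
    '1583020801,10.0.0.5,ld01,2,"Mar  1 00:00:01 fw01 sshd[123]: Failed password for root from 198.51.100.7 port 4022 ssh2"\n'
    '1583020802,10.0.0.7,ld01,3,"Mar  1 00:00:02 app01 audit: user=""alice"", action=login, result=ok"\n'
)


def parse_export(csv_text: str) -> list[dict]:
    """Parse the export text into a list of row dicts, one per event.

    Raises ValueError if the header lacks an expected column or a row is
    short, so a truncated download (e.g. one cut off by the 1 GB GUI/REST
    limit mentioned in the thread) is noticed instead of silently losing rows.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in EXPECTED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        if any(row[c] is None for c in EXPECTED_COLUMNS):
            raise ValueError(f"line {lineno}: truncated row")
        rows.append(row)
    return rows


def group_by_source(rows: list[dict]) -> dict[str, list[str]]:
    """Map each source value to the raw log lines it produced, in export order."""
    groups: dict[str, list[str]] = defaultdict(list)
    for row in rows:
        groups[row["source"]].append(row["log"])
    return dict(groups)


def safe_filename(source: str) -> str:
    """Reduce a source value to a file-name-safe stem.

    The source column is data taken from the export, so it is not trusted to
    build a path: anything other than alphanumerics, '.', '_' and '-' is
    replaced, which also neutralises path separators.
    """
    return "".join(ch if ch.isalnum() or ch in "._-" else "_" for ch in source) or "unknown"


def write_log_files(rows: list[dict], out_dir: str | Path) -> dict[str, Path]:
    """Write one <source>.log per source under out_dir; returns source -> path."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written: dict[str, Path] = {}
    for source, lines in group_by_source(rows).items():
        path = out_dir / f"{safe_filename(source)}.log"
        path.write_text("\n".join(lines) + "\n", encoding="utf-8")
        written[source] = path
    return written


if __name__ == "__main__":
    import tempfile

    parsed = parse_export(SAMPLE_EXPORT)
    with tempfile.TemporaryDirectory() as tmp:
        for src, path in write_log_files(parsed, tmp).items():
            print(f"{src}: {path.read_text().count(chr(10))} line(s) -> {path.name}")
```

Run it against a saved export with `parse_export(Path("export.csv").read_text())`. For the 3-month volume in the question, read the file in one pass and write per-source files incrementally rather than holding every row in memory, and keep the original CSV alongside the .log files so the timestamp, forwarder and lccid columns are not lost.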