I'm looking to generate report for all reporting & non-reporting event sources from SA V10.4. Anyone knows how to do that?.
Thanks!!
I'm looking to generate report for all reporting & non-reporting event sources from SA V10.4. Anyone knows how to do that?.
Thanks!!
I am not entirely sure that this is possible given that the reporting engine is not "aware of its surroundings". Event sources are not, by default, reporting when they stop sending events, and SA does not know the difference between an event source that has stopped, and one that is just not as chatty (maybe hours between logs) as others. Maybe a feature to be requested in future updates? For now though, you can check Log Decoder -> Stats -> Log Stats (tab) and see when the last time a log was seen from each event source...
I have pondered this same question myself when asked for this from customers. I may be wrong, but from my experience, I just dont think this is a feature yet.
There is an ESA rule but it is slightly annoying because you also need the full list of IPs that you are expecting logs from which can get cumbersome to update.
Hi Sean,
Can you point out the ESA rle you have mentioned. That may solve my problem, i have in my environment.
First of all, Thanks Adam/Sean for your response!!
I would like to put my requirement on different way.
I believe we have 2 options to get Event Source reporting statistics:
How can I download those statistics data as report & share with customer on PDF/CSV format?..
You can generate a report based on the IPs (use lists) of the devices. from a certain period of time, if you have any event it will report it
you can even use lookup and add function for each device and look it further.
Thanks Linuts for the response!!
We are setting up SA newly & we don''t know the Event Source IP's so I can't input IP's via list.I'm completely depends on SA to know what is really reporting.
SA (i believe even in 10.4) didn't have this option..other option you can do is rest api query the deocders to know what last reported date and time. But again it will only show what is has seen vs what is configured to collect logs...assest database feature is missing in SA
If your environment have good CMDB, you can get the source of truth from there and compare with SA reporting data
Thanks!!
We have more than 20000 devices reporting so I'm not sure how I can compare with my CMDB data without extracting reporting event sources from SA in CSV file.
Hi Ravick,
Maybe the below NwConsole command could help you out? You could pipe this to a file and then perform post-processing in excel. This below command will Show all devices and their source IP and count of logs, and last time log seen.
NwConsole -c login localhost:50002 <username> <password> -c decoder logStats |grep -e device | awk -F " " '{print $2","$4","$5","$6}' |sed 's/device=//;s/source=//;s/count=//;s/time="//'
The output looks like the below:
bigip,192.168.183.12,2250,2014-Dec-18
bigip,192.168.183.136,164,2014-Dec-18
bluecoatdirector,192.168.183.12,1,2014-Dec-16
bluecoatdirector,192.168.183.136,1,2014-Dec-17
checkpointfw1,::1,64,2014-Dec-18
ciscorouter,192.168.183.12,176,2014-Dec-18
crossbeamc,192.168.183.12,2323,2014-Dec-09
crossbeamc,192.168.183.136,2688,2014-Dec-18
fortinet,::1,414,2014-Dec-18
rhlinux,192.168.183.12,14333,2014-Dec-18
rhlinux,192.168.183.136,768,2014-Dec-18
rhlinux,source,309,1970-Jan-01
tippingpoint,192.168.183.12,176918,2014-Dec-18
tippingpoint,192.168.183.136,184,2014-Dec-18
unknown,192.168.183.12,99852,2014-Dec-18
unknown,192.168.183.131,205,2014-Nov-25
unknown,source,194415,1970-Jan-01
winevent_nic,192.168.183.131,262,2014-Nov-25
Thanks LeeKirkpatrick!!
This is what exactly I'm looking for..Could you please explain NW console?..Where I should run this command to get this result?..RSA SA or Broker or Decoder or Log Collector?.
Hope it includes all Log Sources.
Hey Ravick,
No problem.
NwConsole is available on all appliances and it allows you to interact with the various NetWitness services (Log Collector, Log Decoder, Broker, etc). Using NwConsole allows you to change settings, invoke commands, etc.
So in this case, as the statistics we are interested in are on the Log Decoder, we are going to run the NwConsole command via SSH on the Log Decoder itself. We are then just piping it through AWK and SED to massage the output to CSV for your post-processing.
This command would show all log sources that have ever sent a log to the Log Decoder (unless someone has deleted the stats).
I'm getting the below error while login to decoder using NwConsole command.
"Server did not return our connection id. Possible cause: SSL may be enabled."
Do you know how can I access with SSL?.
When using SSL you must use the following syntax:
NwConsole -c login localhost:50002:ssl
I saw that syntax in help so I tried it but it's exiting with Invalid Username & Password error.
I'm getting the other error when I'm not using "ssl" syntax.
If you receive the username and password error you will need to change the username and password, in the command I gave you I did not supply them as they would be different on your appliances to mine:
NwConsole -c login localhost:50002:ssl <user> <password>
I'm not that much dump!!..I executed that command with user "admin" & it's password. I also tried with username "root" but same error. Is there any special username to execute NwConsole?.
I think If there is no special user to use then it's a issue with command syntax. Please correct me if I'm wrong.
Forgot to mention, we are using a different port number i.e. 56002. too.
It will be the user you used to add the appliances in the GUI. This is normally "admin" unless otherwise specified.
If using the port number 56002 as this is the new native SSL port, you must add the SSL option.
I would appreciate if you can provide your contact number to reach you or you can call me on 1-703-554-4493 since I'm not getting any update from RSA professional team also on this issue. Thanks!!
I am not free for a call at the moment. Syntax is exactly correct, you just have the wrong password.
Can you try the username: admin and password: netwitness
You got it. It works..Is it uses the default admin password?..
I have another issue with event source monitoring.
We were initially forwarding logs via z connector from enVision to SA. Now I have migrated majority of appliances to SA directly. However in "Event Source Monitoring" tab, the device IP appears twice with Log collector ip of enVision and decoder. So when i tried to configure alerts for devices not sending logs, alert is getting generated for entry with log collector IP as enVision.
Is it possible to configure event source monitoring alerts excluding old entries or can we filter the alerting based on log collector IP?
Also is it possible to remove old entries from Event Source Monitoring tab
you can exclude the event sources that has forward.ip meta. Those event sources are sent via zconnector
Hi Ravick,
Maybe the below NwConsole command could help you out? You could pipe this to a file and then perform post-processing in excel. This below command will Show all devices and their source IP and count of logs, and last time log seen.
NwConsole -c login localhost:50002 <username> <password> -c decoder logStats |grep -e device | awk -F " " '{print $2","$4","$5","$6}' |sed 's/device=//;s/source=//;s/count=//;s/time="//'
The output looks like the below:
bigip,192.168.183.12,2250,2014-Dec-18
bigip,192.168.183.136,164,2014-Dec-18
bluecoatdirector,192.168.183.12,1,2014-Dec-16
bluecoatdirector,192.168.183.136,1,2014-Dec-17
checkpointfw1,::1,64,2014-Dec-18
ciscorouter,192.168.183.12,176,2014-Dec-18
crossbeamc,192.168.183.12,2323,2014-Dec-09
crossbeamc,192.168.183.136,2688,2014-Dec-18
fortinet,::1,414,2014-Dec-18
rhlinux,192.168.183.12,14333,2014-Dec-18
rhlinux,192.168.183.136,768,2014-Dec-18
rhlinux,source,309,1970-Jan-01
tippingpoint,192.168.183.12,176918,2014-Dec-18
tippingpoint,192.168.183.136,184,2014-Dec-18
unknown,192.168.183.12,99852,2014-Dec-18
unknown,192.168.183.131,205,2014-Nov-25
unknown,source,194415,1970-Jan-01
winevent_nic,192.168.183.131,262,2014-Nov-25