AnsweredAssumed Answered

How to upload custom logs to RSA NetWitness using the RESTful API if the decoder runs live capture?

Question asked by Guillaume Hana on Mar 4, 2019

Like • Show 0 Likes0
Comment • 2

Hello, I have custom logs that I would like to upload to rsa netwitness via the RESTful API. get the address and the port of my decoder but I have the following error message:" 400 Bad Request: Packet import can not execute while live capture is running". Actually in the documentation: RESTful API User Guide for RSA NetWitness® Platform 11.x

it is well indicated on page 10 that: "Note: The DECODER cannot be competitively importing or capturing, or an error results."

How we can do ? Is it then necessary to dedicate a decoder to the reception of logs uploaded via API-REST ?

Best regards

Eric Partington

Mar 4, 2019 2:14 PM

Correct Answer

If you are uploading logs you can use nwlogplayer binary to replay logs to the capture interface of the LD without needing to stop capture

I use the process to script uploading of logs via nwlogplayer (yum install nwlogplayer)

NwLogPlayer.exe -s 192.168.254.115 -r 3 -f "C:\Demo Tools\Logs\UC2_Spamhost_LOGS.log"

If you are uploading via the sdk you must stop capture before uploading. I wrote this script to help me with the process (stop capture, upload file, start capture).

@echo off 
REM V2 of script to stop and start capture for capture
setlocal enableDelayedExpansion 
set MYDIR=C:\Users\windows_user1\Desktop\pcap
set CURL_LOC=c:\Users\windows_user1\Desktop\
REM start capture
%CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=stop -d 'force-content-type=text/plain'
echo +======= Waiting for capture to stop =======+
REM pause to wait for capture to stop
TIMEOUT /T 15
for /F %%x in ('dir /B/D %MYDIR%') do ( 
 set FILENAME=%MYDIR%\%%x 
 echo +======= Uploading !FILENAME! to Decoder =======+ 
 REM c:\Users\windows_user1\Desktop\curl.exe -u admin:netwitness -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import 
 %CURL_LOC%\curl.exe -u admin:password -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import 
)
REM wait for pcap to finish
TIMEOUT /T 10
REM start capture
echo +======= Start capture =======+
%CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=start -d 'force-content-type=text/plain'

See the reply in context

No one else had this question

Outcomes

@echo off REM V2 of script to stop and start capture for capture setlocal enableDelayedExpansion set MYDIR=C:\Users\windows_user1\Desktop\pcap set CURL_LOC=c:\Users\windows_user1\Desktop\ REM start capture %CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=stop -d 'force-content-type=text/plain' echo +======= Waiting for capture to stop =======+ REM pause to wait for capture to stop TIMEOUT /T 15 for /F %%x in ('dir /B/D %MYDIR%') do ( set FILENAME=%MYDIR%\%%x echo +======= Uploading !FILENAME! to Decoder =======+ REM c:\Users\windows_user1\Desktop\curl.exe -u admin:netwitness -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import %CURL_LOC%\curl.exe -u admin:password -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import ) REM wait for pcap to finish TIMEOUT /T 10 REM start capture echo +======= Start capture =======+ %CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=start -d 'force-content-type=text/plain'

How to upload custom logs to RSA NetWitness using the RESTful API if the decoder runs live capture?

Outcomes

Related Content

Recommended Content