AnsweredAssumed Answered

How to upload custom logs to RSA NetWitness using the RESTful API if the decoder runs live capture?

Question asked by Guillaume Hana on Mar 4, 2019
Latest reply on Mar 6, 2019 by Guillaume Hana

Like • Show 0 Likes0
Comment • 2

Hello, I have custom logs that I would like to upload to rsa netwitness via the RESTful API. get the address and the port of my decoder but I have the following error message:" 400 Bad Request: Packet import can not execute while live capture is running". Actually in the documentation: RESTful API User Guide for RSA NetWitness® Platform 11.x

it is well indicated on page 10 that: "Note: The DECODER cannot be competitively importing or capturing, or an error results."

How we can do ? Is it then necessary to dedicate a decoder to the reception of logs uploaded via API-REST ?

Best regards

Eric Partington

Mar 4, 2019 2:14 PM

Correct Answer

If you are uploading logs you can use nwlogplayer binary to replay logs to the capture interface of the LD without needing to stop capture

I use the process to script uploading of logs via nwlogplayer (yum install nwlogplayer)

NwLogPlayer.exe -s 192.168.254.115 -r 3 -f "C:\Demo Tools\Logs\UC2_Spamhost_LOGS.log"

If you are uploading via the sdk you must stop capture before uploading. I wrote this script to help me with the process (stop capture, upload file, start capture).

@echo off 
REM V2 of script to stop and start capture for capture
setlocal enableDelayedExpansion 
set MYDIR=C:\Users\windows_user1\Desktop\pcap
set CURL_LOC=c:\Users\windows_user1\Desktop\
REM start capture
%CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=stop -d 'force-content-type=text/plain'
echo +======= Waiting for capture to stop =======+
REM pause to wait for capture to stop
TIMEOUT /T 15
for /F %%x in ('dir /B/D %MYDIR%') do ( 
 set FILENAME=%MYDIR%\%%x 
 echo +======= Uploading !FILENAME! to Decoder =======+ 
 REM c:\Users\windows_user1\Desktop\curl.exe -u admin:netwitness -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import 
 %CURL_LOC%\curl.exe -u admin:password -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import 
)
REM wait for pcap to finish
TIMEOUT /T 10
REM start capture
echo +======= Start capture =======+
%CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=start -d 'force-content-type=text/plain'

See the reply in context

No one else had this question

Outcomes

@echo off REM V2 of script to stop and start capture for capture setlocal enableDelayedExpansion set MYDIR=C:\Users\windows_user1\Desktop\pcap set CURL_LOC=c:\Users\windows_user1\Desktop\ REM start capture %CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=stop -d 'force-content-type=text/plain' echo +======= Waiting for capture to stop =======+ REM pause to wait for capture to stop TIMEOUT /T 15 for /F %%x in ('dir /B/D %MYDIR%') do ( set FILENAME=%MYDIR%\%%x echo +======= Uploading !FILENAME! to Decoder =======+ REM c:\Users\windows_user1\Desktop\curl.exe -u admin:netwitness -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import %CURL_LOC%\curl.exe -u admin:password -F fileupload=@!FILENAME! http://192.168.254.184:50104/decoder/import ) REM wait for pcap to finish TIMEOUT /T 10 REM start capture echo +======= Start capture =======+ %CURL_LOC%\curl.exe -u admin:password http://192.168.254.184:50104/decoder?msg=start -d 'force-content-type=text/plain'

How to upload custom logs to RSA NetWitness using the RESTful API if the decoder runs live capture?

Outcomes

Related Content

Recommended Content