AnsweredAssumed Answered

Bulk Data Export From RSA Netwitness Archiver

Question asked by Devaraj Mohan on Mar 24, 2020
Latest reply on Apr 2, 2020 by Sravan Kumar Koneti

Like • Show 0 Likes0
Comment • 4

Hi Team,

Currently we using RSA Netwitness 11.3.1.1 in our organization. So we have archiver which is deployed for log retention. At present we having 5 months of log data stored in archiver. We have the below requirement.

1) Management is asking 3 months of log data from archiver in human readable format lets say in .log or .csv format. Kindly suggest us on this. We haven't configured any aggregation polices on archiver for data collection. By default all the log data s are get aggregated.

2) If log data export is not possible what is the mechanism to read the archiver data ? Is there any component we need to deploy for reading archiver data ?

Looking forward for response.

Regards,

Devaraj

Counsultant (Cognitive SOC)

Inspirisys Solutions Limited, India.

No one else has this question

Outcomes

Sravan Kumar Koneti

Mar 27, 2020 1:36 AM

Devaraj Mohan,

Try https://community.rsa.com/docs/DOC-45813 by replacing the archiver details and port 50008

Actions

Marco Demonte Mar 31, 2020 11:35 AM

Hello Devaraj,

probably the best way is to use Reports.

If you extract raw data from the archiver, you will have the logs as they are produced by the log sources. I don't think that the managment is interested in those data.

Quite the opposite with reports where (for example) you can choose the data sources (device.type) and include some useful meta.key (user.dst or ip.src) as long as the log itself (msg)

The output could be pdf or csv. It depends on the ampount of data but you can use Excel for some csv.

If you really really really need to extract all the raw logs, I had a similar need in the past and I successfully used the sdk command from the archiver nwconsole. It is the third method mentioned by Sravan and that guide explains it very well.

I hope I've been of some help.

kind regards

Marco

Actions

Devaraj Mohan Apr 2, 2020 12:49 AM

Sravan Kumar Koneti As per the document you have shared is fine and we tested step 1 procedure. When we tried to export logs in CSV format it is not exporting instead i am getting below out put in browser. Kindly help us to download logs from archiver in CSV format.

Action:-

Output:-

Actions

Sravan Kumar Koneti

@ Devaraj Mohan on Apr 2, 2020 2:36 AM

Devaraj Mohan,

The tab contents are acutal csv format logs. you can right click and save as .csv file. The columns for csv are timestamp,source,forwarder,lccid,log. The log coulmn is actual raw log.

Also, when you use GUI or REST 1 GB is limit. Going for 3rd method gives unlimited logs.

Actions

4 Replies

Sravan Kumar Koneti Mar 27, 2020 1:36 AM
Mark Correct
Correct Answer
Devaraj Mohan,

Try https://community.rsa.com/docs/DOC-45813 by replacing the archiver details and port 50008
Like • Show 0 Likes0
Actions
Marco Demonte Mar 31, 2020 11:35 AM
Mark Correct
Correct Answer
Hello Devaraj,

probably the best way is to use Reports.
If you extract raw data from the archiver, you will have the logs as they are produced by the log sources. I don't think that the managment is interested in those data.
Quite the opposite with reports where (for example) you can choose the data sources (device.type) and include some useful meta.key (user.dst or ip.src) as long as the log itself (msg)
The output could be pdf or csv. It depends on the ampount of data but you can use Excel for some csv.

If you really really really need to extract all the raw logs, I had a similar need in the past and I successfully used the sdk command from the archiver nwconsole. It is the third method mentioned by Sravan and that guide explains it very well.
I hope I've been of some help.

kind regards
Marco
Like • Show 0 Likes0
Actions
Devaraj Mohan Apr 2, 2020 12:49 AM
Mark Correct
Correct Answer
Sravan Kumar Koneti As per the document you have shared is fine and we tested step 1 procedure. When we tried to export logs in CSV format it is not exporting instead i am getting below out put in browser. Kindly help us to download logs from archiver in CSV format.

Action:-

Output:-
Like • Show 0 Likes0
Actions
- Sravan Kumar Koneti @ Devaraj Mohan on Apr 2, 2020 2:36 AM
  Mark Correct
  Correct Answer
  Devaraj Mohan,
  The tab contents are acutal csv format logs. you can right click and save as .csv file. The columns for csv are timestamp,source,forwarder,lccid,log. The log coulmn is actual raw log.
  
  Also, when you use GUI or REST 1 GB is limit. Going for 3rd method gives unlimited logs.
  Like • Show 0 Likes0
  Actions

Bulk Data Export From RSA Netwitness Archiver

Outcomes

Related Content

Recommended Content