AnsweredAssumed Answered

Can NwConsole use tlogin for sdk commands?

Question asked by Richard van den Berg on Oct 26, 2020

We are rolling out the new NwConsole fileHash feature across our packet sensors. For other scripts we used tlogin so we don't have to store a password in the script or config file. This does not seem to work for sdk commands.

My first try:

 

# NwConsole
RSA NetWitness NextGen Console 11.5.0.1
Copyright 2001-2020, RSA Security Inc.  All Rights Reserved.

Type "help" for a list of commands or "man" for a list of manual pages.
> tlogin server=localhost port=56005 username=admin group=Administrators cert=/etc/pki/nw/node/node-cert.pem key=/etc/pki/nw/node/node-key.pem
Successfully logged in to localhost:56005 as session 40759260
[localhost:56005] /> sdk content session=now-u where="filename exists" maxDirSize=20mb fileHash=md5,sha1,sha256 linkMeta=sessionid,time,did,uuid deviceType=filehash logDecoder="10.1.2.3:514" session
Persist=/var/netwitness/NwConsole-filehash.persist render=111
Collection not open

 

Ok, so the sdk collection needs to be opened first. However:

 

[localhost:56005] /> sdk open
Usage: sdk open {RSA NetWitness NextGen URL}
    RSA NetWitness NextGen URL is in the form nw://username:password@server:port
    For SSL connections, use the protocol nws

 

"sdk open" seems to require a username/password. Let's try to use it with "cd /sdk":

 

[localhost:56005] /> cd /sdk
[localhost:56005] /sdk
[localhost:56005] /sdk> content session=now-u where="filename exists" maxDirSize=20mb fileHash=md5,sha1,sha256 linkMeta=sessionid,time,did,uuid deviceType=filehash logDecoder="10.1.2.3:514"
sessionPersist=/var/netwitness/NwConsole-filehash.persist render=111
Parameter session: Value 'now-u' is not a valid unsigned integer

 

When fixing that session error (by giving an integer) I get:

 

Unrecognized parameter 'render'. Did you mean 'renderType'?

 

Is there any way around this?

Outcomes