NetWitness Community

Anonymous · ‎2019-03-11

In line with some of my other integrations, I recently decided to also create a proof-of-concept solution on how to integrate RSA NetWitness meta data into an ELK stack.

Given that I already had a couple of Python scripts to extract NetWitness meta via the REST API, I quickly converted one of them to generate output in an ELK-friendly format (JSON).

Setting up an ELK instance is outside the scope of this post, so with that done all I needed was a couple of configuration files and settings.

Step #1 - Define my index mapping template with the help of curl and the attached mappings.json file.

curl -XPUT http://localhost:9200/_template/netwitness_template -d @mappings.json‍‍‍‍‍‍‍‍‍

NOTE: The mappings file may require further customization for additional meta keys you may have in your environment.

Step #2 - Define my Logstash configuration settings.

# Sample Logstash configuration 
# Netwitness -> Logstash -> Elasticsearch pipeline.

input {
  exec {
    command => "/usr/bin/python2.7 /usr/share/logstash/modules/nwsdk_json.py -c https://sa:50103 -k '*' -w 'service exists' -f /var/tmp/nw.track "
    interval => 5
    type => 'netwitness'
    codec => 'json_lines'
  }
}

filter {
   mutate {
      remove_field => ["command"]
   }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "netwitness-%{+YYYY.MM.dd}"
  }
}
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Again a level of ELK knowledge will be required that is outside the scope of this post. However, on the command section a few settings may require additional clarification, the Python code has them documented but for ease of reference, I'm listing them below:

The REST endpoint from where to collect the data
The list of meta keys to retrieve (in the example below '*' refers to all available meta keys)
The SDK query that references the sessions that should be retrieved (in the example below, collect all "packet sessions" meta data)
A tracker file location so only new data is retrieved by each execution on the input command. (i.e. continue from last data previously retrieved)

-c https://sa:50103 
-k '*' 
-w 'service exists' 
-f /var/tmp/nw.track ‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

There will be additional configuration settings and steps required in ELK, once again, there's plenty of information available on this already as the open source solution that ELK is, so I won't go into that. I'm by no means an expert on ELK.

Finally, all that is left to show you is how the data looks. First, some of my Dynamic DNS events.

Below the details of one of those events.

As a proof-of-concept all these details and scripts are provided as-is without any implied support or warranty. I'm not really that experienced in ELK as so I'm sure that someone can probably improve on this significantly, if you do feel free to share your experiences below in the comments section.

Thank you,

Rui

CristianoAlves · ‎2019-03-12

Very good.

Is need change anything in SA server ?

Anonymous · ‎2019-03-12

Thank you! Nothing just make sure the REST port is accessible and you have the right credentials.

CristianoAlves · ‎2019-03-12

Nice nice nice .... it's working.
I did build in my lab, very good and thanks for this POC.

CristianoAlves · ‎2019-07-31

Hi, man!! I'm build this project in environment for production in version 11.3 Netwitness. I have one problem. When start logstash, it get same events, and stop for nothing.

this is my strace output:

recvfrom(3, "54\r\n{\n \"error\" : \"400 Bad Req"..., 8192, 0, NULL, NULL) = 90
brk(NULL) = 0x12fd000
brk(NULL) = 0x12fd000
brk(0x1118000) = 0x1118000
brk(NULL) = 0x1118000

I not understand this "400 Bad Req"

Can you help-me

Anonymous · ‎2019-07-31

Hi,

I'm not sure I can help but it seems like the 400 Bad Request error maybe coming from Elastic when Logstash tries to insert the events. On an unrelated project, I'm having similar issues with Elastic related to automatically generated mappings for ES 7.x.

The script should output detailed errors to STDERR but not sure where those will end up. Is the POC stuff still working fine?

Hope this helps!

Cheers,

Rui

CristianoAlves · ‎2019-07-31

Yes, POC still working fine ... i'm build a new project with ES 6.8, but i need understand this problem.

Anonymous · ‎2019-07-31

I suspect it's probably related to ES changes, that seems very similar to the issues I'm getting with ES on the other project, I get 400 errors based on mapping that was automatically learned wrong by ES. It thinks it's a number when it's supposed to be a text field another case were dates not matching an ES expected format so I had to convert them to text.

Have a look at the mappings auto-generated by ES.

CristianoAlves · ‎2019-11-14

Hey Rui!!!

It took me a long time but I came back. I stoped the project.

Can you help me how you convert them to text ?

Anonymous · ‎2019-11-14

Hi Cristiano,

Can you see if you can find the entire error message?

Again, I know that Elastic changed again in terms of ES 7 and the template is no longer valid for it. I've attached a sample to the main post, however, the problem may still exist if you have additional keys that are not being mapped correctly.

Here's what I think it's happening.

Say that for some reason you have key named my_alert and that the contents of that key are mixed numbers like "20191114" and "bad domain" or even an IP address like "1.2.3.4" when ES first sees that key it could automatically map it to an "integer" type as the "20191114" was the first value it saw, or it could automatically map it to an "ip" type because it was "1.2.3.4", instead of "text" type which would fit all the possible types above. So when one of the other typed values shows up, say "bad domain" ES tries to map it to an "ip" or "integer" type which fails and that error is thrown.

The only way, I can think of to fix this is to make sure the original mappings cover all your keys and sets them to the correct format, you can obtain that from NW itself with an SDK-Language call, as seen below. The key names all have the "."(dot) replaced with an "_"(underscore).

My list is a lot larger the above version is just an example.

I hope this helps!

Regards,

Rui

Anonymous · ‎2019-11-14

Hi Cristiano,

Try using this to build your mappings, it may help:

import requests
import json
types = { 32  : '{ "type" : "date", "format" : "epoch_second"  }',
          8   : '{ "type" : "long" }',
          6   : '{ "type" : "long" }',
          5   : '{ "type" : "long" }',
          4   : '{ "type" : "integer" }',
          2   : '{ "type" : "integer" }',
          10  : '{ "type" : "float" }',
          130 : '{ "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }',
          128 : '{ "type" : "ip" }',
          129 : '{ "type" : "ip" }',
          65  : '{ "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }'
        }
r = requests.get('https://<nwbrokerip>:50103/sdk?msg=language&size=1000&force-content-type=application/json',auth=('<username>','<password>'),verify=False)
j = json.loads(r.text)
print '''
{
  "index_patterns" : [ "netwitness*" ],
  "version" : 70001,
  "settings" : { "index.refresh_interval" : "5s" },
  "mappings" : {
     "_source": { "enabled": false},
      "properties" : {
          "@timestamp" : { "type" : "date" },
          "@version" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } },
'''
for k in j['results']['fields']:
   print '\t"'+k['type'].replace('.','_')+'" : '+types[k['format']]+','

print '''
     }
   }
}
'''
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

You need to replace <nwbrokerip>, <username> and <password> on the requests.get line above and once the output is produced you will also need to remove the last comma as I just wrote this quickly, sorry!

Hope this helps!

Cheers,

Rui

CristianoAlves · ‎2019-11-19

Hi man.
I did follow your tips and change template with you input sample, but don't work well.

Anonymous · ‎2019-11-19

Hi Cristiano,

Found the issue the type needs to be keyword not text... Sorry! I've gotten really disappointed with Elastic and all its constant changes so I lost some interest in it. I guess it's the price you pay for "free" technologies, you have to accept all these changes.

import requests
import json
types = { 32  : '{ "type" : "date", "format" : "epoch_second"  }',
          8   : '{ "type" : "long" }',
          6   : '{ "type" : "long" }',
          5   : '{ "type" : "long" }',
          4   : '{ "type" : "integer" }',
          2   : '{ "type" : "integer" }',
          10  : '{ "type" : "float" }',
          130 : '{ "type" : "keyword" }',
          128 : '{ "type" : "ip" }',
          129 : '{ "type" : "ip" }',
          65  : '{ "type" : "keyword" }'
        }
r = requests.get('https://<nwbrokerip>:50103/sdk?msg=language&size=1000&force-content-type=application/json',auth=('<username>','<password>'),verify=False)
j = json.loads(r.text)
print '''
{
  "index_patterns" : [ "netwitness*" ],
  "version" : 70001,
  "settings" : { "index.refresh_interval" : "5s" },
  "mappings" : {
      "properties" : {
          "@timestamp" : { "type" : "date" },
          "@version" : { "type" : "keyword" },
'''
for k in j['results']['fields']:
   print '\t"'+k['type'].replace('.','_')+'" : '+types[k['format']]+','

print '''
     }
   }
}
'''‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

NetWitness Community

RSA NetWitness Packet Meta in ELK