NetWitness Community

UPDATED 2-1-2017 to Version 0.4

Changelog: 

1-20-2017 (0.2) : Added capability to auto-populate all appliance IP addresses. Substitute "autoiplist" rather than

user defined iplist. See help for more information. Also fixed help file (previous typo). Removed prompts.

1-27-2017 (0.3): Added a number of SDK checks. Changed the logic on how it identifies the server type, added a size check for VolGroup00. If it shows up as 29.XX GB and your appliance is an R620, you're likely still utilizing the SD cards as part of the OS. Also added a check showing currently free memory. 

2-1-2017 (0.4): Added DRAC Firmware version check

I've worked with dozens of Security Analytics instances and have found myself repeatedly compiling the same information, usually relating to basic asset inventory, configuration information and simple health checks. In order to expedite this process, I've created a simple shell script that will log into each appliance in an environment, pull important information and aggregate it all into a csv file for easy reference. The nice thing about this script is that it obtains many of the important configuration items without needing to log into REST or perform NwConsole commands.

Prerequisites:

• List of IP addresses or Hostnames of all SA Appliances (virtual or physical) - List needs to be one IP/Host per line. This step can now be skipped by using the "autoiplist" option (see below)
• Key exchange between Host where script is installed and SA Appliances - This is optional, but will make things go much faster. If this hasn't been setup, you'll just be prompted for the Host OS username (usually root) for each appliance the script is connecting to
  • For more information on how to set this up, see the following links:
    • https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
    • How To Setup SSH Keys on a Linux / Unix System
• A Linux host to run the script from that can connect to all the SA appliances defined in the IP List (I frequently use the SA Server Host)

Installation Instructions:

1. Copy the attached SA_Enviro_Check.sh script to your host
2. Make it executable
   1. chmod +x SA_Enviro_Check.sh
3. Ensure the md5sum matches the following:
   

   [root@NW-GUI new]# md5sum SA_Enviro_Check.sh

   1853be56f44cc6f6f223be48367058ab  SA_Enviro_Check.sh

Usage:

./SA_Enviro_Check.sh <options>

This Script is used to generate a comma-delimited inventory of a Security Analytics  Environment while  also

compiling several important configuration items per appliance.

IMPORTANT: This script functions best when key exchange has been performed between the SA Server and the

           Appliances. If not, it will prompt for a password for each appliance in the IP List

Options:

        -h : This help file

        -v : version information

        -a : Generates a list of all currently enabled appliance IPs and quits. File will be named "all_appliance_ips.out" 

        -p : when this option is used, all arguments must be passed in the proper order. if the user chooses "autoiplist"                  rather than defining a set list of ips (see EX2), all appliances connected to the NW GUI will be examined.  The                arguments must be passed in the following order:

                EX: ./SA_Enviro_Check.sh -p <username> <iplist>  </output/path/filename.csv> </output/path/logfile.log>

                EX2: ./SA_Enviro_Check.sh -p <username> autoiplist  </output/path/filename.csv> </output/path/logfile.log>

What the script gathers and where it comes from:

Index Slices Open            /etc/netwitness/ng/Nw*.cfg files

Notes:

• The script has not been tested against Malware Appliances, does not work with WLCs (Windows Based) and will retrieve less information from ESAs due to their architecture differences.
• This script is beta, if you notice some information does not look correct, please let me know.