There have been a few blogs recently (https://community.rsa.com/community/products/netwitness/blog/2018/08/29/gathering-stats-with-salt-biosidracperc-edition; https://community.rsa.com/community/products/netwitness/blog/2019/01/21/netwitness-storage-retention) that leverage a new functionality in v11.x for querying data directly from RSA NetWitness hosts through the command line.
This functionality - SaltStack - is baked into v11.x (Chef pun ftw!) and enables PKI-based authentication between the salt master (AKA admin server; AKA node0) and any salt minion (everything that's not the salt master, plus itself).
During a recent POC, one of the customer's use cases was to gather, report, and alert against certain host information within the RSA NetWitness environment - kernel, firmware, BIOS, OS, and iDRAC versions, storage utilization (%), and some others.
In order for NetWitness to report and alert on this information, we needed to take these details about the physical hosts and feed it into the platform so that we could use the resulting meta. Thankfully, others before me did all the hard work figuring out the commands to run against hosts to extract this information, so all I had to do was massage the results into a format that could be fed into NetWitness as a log event, and write a parser for it.
The scripts, parser, and custom index entries are attached to this blog. All the scripts are intended to be run from your 11.x Admin Server. If you do choose to use these or modify them for your environment/requirements, be sure to change the IP address for the log replay command within the scripts
NwLogPlayer -r 3 -f $logEvent -s 192.168.10.14 -p 514
...to the IP of a Log Decoder in your environment.
A custom meta and custom column group are also attached.
