2015-09-14 02:48 AM
Hello Everyone,
Is there anyone who is working with Archiver and its reporting feature? I have two Archivers, each at a separate site, along with the Workbench service on both Archivers.
Yesterday I went through some of the documents available on sadocs on how to run a report in Archiver with the Workbench feature, but the problem I noticed is that I have no idea what to set in the collections in the Workbench config. The screenshot is attached below.
Now, because the collections option is blank, I am not able to add the Workbench in the reporting engine to run the reports on old data.
Kindly suggest if anyone has any idea regarding this.
Thanks.
Regards,
Deepanshu Sood.
2015-10-14 05:04 PM
FYI - I've had to do some of this work and here is what you need to do.
First of all, the Workbench is designed to bring data BACK from, say, NAS or cold storage after it is rolled off the Archiver. Say you have 1 year retention on Archivers and configure the cold storage off to NAS; then if you need to report on that older data you have to use the Workbench, and you'll need either space on your DACs or scratch space connected to the Archiver to reprocess/decompress the log data.
Second, the Archiver aggregates off the log decoders. When you add the log decoder service to the Archiver, by default it collects around 40 meta keys. If you want to add custom meta keys then you need to add the service (don't start aggregation and don't enable autostart of aggregation). Make sure that the status of the log decoder under Archiver aggregation is offline and then go to the Explore interface of the Archiver service. Under Archiver > Devices > Log Decoder IP > Config in the left-hand pane there will be an options field; make sure you add any custom meta at the end of the metaInclude= value.
Example:
metaInclude=action,alert,custom1,custom2
It should save automatically; then go back to the Archiver config screen and toggle the service to turn it on. Then start aggregation and re-enable auto-aggregate capture.
Third, you should have the index-archiver-custom.xml file updated to reflect these new keys for each Archiver you plan to have aggregating these custom fields.
Hope that helps.
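The post above pairs two settings that have to agree: the keys appended to the Archiver's metaInclude= value and the keys declared in index-archiver-custom.xml. A custom key present in one but not the other is a silent reporting gap, so the following added check (my own example, not part of the post or the RSA product) parses both and lists the mismatches. The `<language>/<key name="...">` layout of the index file and the two "built-in" keys are assumptions used for the constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the Archiver's aggregation options line (hypothetical values).
OPTIONS_LINE = "metaInclude=action,alert,custom1,custom2"

# Constructed stand-in for index-archiver-custom.xml; the <language>/<key name=...>
# layout is an assumption about the custom index format, not copied from product docs.
INDEX_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Custom key 1" level="IndexValues" name="custom1" format="Text"/>
</language>
"""

def parse_meta_include(options: str) -> list:
    """Return the meta keys listed in the metaInclude= value, in order, de-duplicated."""
    m = re.search(r"metaInclude=(\S*)", options)
    if not m:
        return []
    seen, keys = set(), []
    for k in m.group(1).split(","):
        k = k.strip()
        if k and k not in seen:
            seen.add(k)
            keys.append(k)
    return keys

def indexed_keys(xml_text: str) -> set:
    """Collect the name= attribute of every <key> element in a custom index file."""
    root = ET.fromstring(xml_text)
    return {el.get("name") for el in root.iter("key") if el.get("name")}

def missing_from_index(options: str, xml_text: str, builtin=("action", "alert")) -> list:
    """Keys in metaInclude that are neither built-in nor declared in the custom index.
    `builtin` is a constructed stand-in for the ~40 default keys the post mentions."""
    idx = indexed_keys(xml_text)
    return [k for k in parse_meta_include(options) if k not in builtin and k not in idx]

if __name__ == "__main__":
    for k in missing_from_index(OPTIONS_LINE, INDEX_XML):
        print(f"{k} is in metaInclude but has no <key> in index-archiver-custom.xml")
```

Run it against the real options line and index file on each Archiver; any key it prints will be aggregated but not reportable.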
2015-09-14 11:24 AM
Hi Deepanshu,
The screenshot you attached to your post appears to be the dialog for creating an empty workbench collection. The collection name (the box outlined in red) is just the name of the collection; typically some short string that will help you identify what data is going to be put in there.
There's another workflow described for creating a collection for backed up or restored data, which has more parameters for you to enter.
I found a couple of links in the 10.5 customer docs that might be of use?
Step 2: Create Collection - RSA Security Analytics Documentation
Manage Collections - RSA Security Analytics Documentation
Alan
2015-09-15 08:53 AM
Hi Alan,
Thanks for your response.
I understand your point as well; could you suggest whether there is any way to know what meta keys the Archiver contains?
I am asking this because in our SA we have almost 50+ custom meta keys (a few reports contain those custom meta keys), so do I need to replicate the same on the Archiver to run the reports?
I also want to know, in Archiver > Config > General > Aggregate Service, which service should be added here. I believe that we need to add the Log Concentrator here, but if I click on the + button to add the services it only shows me the Log Decoder services, so why would the Log Decoder be added here?
But if I add the Log Decoder service here it shows me some meta included in it; please refer to the attached screenshot for the same.
Do you have any idea?
Deepanshu Sood.
2015-09-22 02:54 PM
The language SDK call on Archiver should tell you the meta keys it knows about.
I _believe_ you need to add the custom meta keys to Archiver to run reports, but I'm not 100% sure. You could try and see. In any case, if you added custom meta keys to your log decoders via their custom index XML files, you can also do something similar with Archiver if need be. All services support custom index files. The details should be available in the Security Analytics Documentation (available online).
The Aggregate Services area should be filled in (I would think) with the devices that the Archiver will be aggregating from. Usually this would be log decoders. Archiver functions much like concentrator, with particular emphasis on aggregating from sources pulling in logs.
Hopefully this answers some (most?) of your questions.
Alan
2015-09-24 06:21 PM
SA can have reports from Archiver and also from Workbench; however, Workbench is not required unless you want to have your Archiver data backed up and ready for restore (but they are the same data). So, just like Alan said, you need to verify that index-archiver.xml has the meta keys you need; otherwise add the meta keys that you need to be displayed on your report to index-archiver-custom.xml.
regards
Dave