NetWitness Community

NaushadKasu · ‎2013-06-08

Has anyone been successful in finding a way to mimic the Device Down functionality from enVision in SA? I'm looking for something as simple a way to query when a particular device (IP or hostname) last sent logs. Maybe some alerting can be handled once this timestamp is found to trespass some threshold.

RSAAdmin · ‎2013-07-30

Log Decoder will have a feature in 10.2 SP2 that you can use to track this. The command /decoder logStats will return all devices and the number of logs received and the UTC timestamp of the last log received.

In 10.3, SA will have additional functionality that can be leveraged to alert on these metrics.

View solution in original post

RSAAdmin · ‎2013-07-30

Log Decoder will have a feature in 10.2 SP2 that you can use to track this. The command /decoder logStats will return all devices and the number of logs received and the UTC timestamp of the last log received.

In 10.3, SA will have additional functionality that can be leveraged to alert on these metrics.

NaushadKasu · ‎2013-07-30

Scott,

Appreciate the reply... by log decoder, do you mean all devices including the ones the log collector service running on the decoder is collecting for as well? I'm hoping that the device down feature will be available in full-feature for example, showing not only syslog collection outage per device (decoder) but also ODBC, File Reader etc... that is collected via Log Collector service.

Also when is 10.2 SP2 scheduled for? We can at least write REST queries to track issues with our log collection until SP3 comes out with the added alerting feature.

RSAAdmin · ‎2013-07-30

The logStats capability only exists on the log decoder, not the log collector, but on the log decoder it will include all log sources, syslog and those that LC sends to LD.

Service Pack 2 is scheduled for later this quarter.

BTW, logStats already exists in 10.2 SP1, but will be enhanced for SP2 to include logs received from LC. SP1 only reports syslog devices.

NaushadKasu · ‎2013-07-30

Scott,

How do you get to that? Where do I run that command? Are you talking about on the REST interface?

RSAAdmin · ‎2013-07-30

Sure, you can run it on the REST interface or in NwConsole or from explorer view. You just have to send the logStats command to the /decoder node of a Log Decoder.

For SP1, you will need to enable the command to track these stats, in SP2 it will be enabled by default.

Example:

http://<ip>:50102/decoder?msg=logStats&enable=true

Then you can just query the stats:

http://<ip>:50102/decoder?msg=logStats

For SP2, there will be additional functionality where you can query for only certain devices that match a regex and who haven't sent a log outside of a time window you define and pass as a parameter.

NaushadKasu · ‎2013-07-30

Works! Looks good man.. thanks!

SethGeftic · ‎2013-07-30

The community in action! I love it

NaushadKasu · ‎2013-07-31

Scott,

Looks like a great feature coming up in SP2... thus far you've mentioned this feature as it relates to Log Decoder (Syslog), are there any plans to incorporate it into the Log Collector service as well so we can track devices like Windows, ODBC, FR etc.. that may also have not sent logs in a particular time frame?

RSAAdmin · ‎2013-07-31

In SP2, all logs received on a Log Decoder from a Log Collector will be tracked as well. So Windows, ODBC, FR, etc, will be tracked in Log Decoder after it's received from a Log Collector.

Scott