2015-01-16 11:38 AM
I'm looking to generate a report for all reporting & non-reporting event sources from SA V10.4. Does anyone know how to do that?
Thanks!!
2015-02-03 06:07 AM
Hi Ravick,
Maybe the NwConsole command below could help you out? You could pipe this to a file and then perform post-processing in Excel. The command below will show all devices with their source IP, count of logs, and the last time a log was seen.
NwConsole -c login localhost:50002 <username> <password> -c decoder logStats |grep -e device | awk -F " " '{print $2","$4","$5","$6}' |sed 's/device=//;s/source=//;s/count=//;s/time="//'
The output looks like the below:
bigip,192.168.183.12,2250,2014-Dec-18
bigip,192.168.183.136,164,2014-Dec-18
bluecoatdirector,192.168.183.12,1,2014-Dec-16
bluecoatdirector,192.168.183.136,1,2014-Dec-17
checkpointfw1,::1,64,2014-Dec-18
ciscorouter,192.168.183.12,176,2014-Dec-18
crossbeamc,192.168.183.12,2323,2014-Dec-09
crossbeamc,192.168.183.136,2688,2014-Dec-18
fortinet,::1,414,2014-Dec-18
rhlinux,192.168.183.12,14333,2014-Dec-18
rhlinux,192.168.183.136,768,2014-Dec-18
rhlinux,source,309,1970-Jan-01
tippingpoint,192.168.183.12,176918,2014-Dec-18
tippingpoint,192.168.183.136,184,2014-Dec-18
unknown,192.168.183.12,99852,2014-Dec-18
unknown,192.168.183.131,205,2014-Nov-25
unknown,source,194415,1970-Jan-01
winevent_nic,192.168.183.131,262,2014-Nov-25
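An added example, not part of the original posts: one way to turn that CSV into a reporting / non-reporting list without Excel. It assumes "non-reporting" means the last-seen date is older than a cutoff date you choose; the function names and the REPORTING / NON_REPORTING / UNPARSED labels are made up for this sketch, and the sample rows are copied from the output above.

```sh
#!/bin/sh
# Classify rows of the form device,source,count,YYYY-Mon-DD (the CSV produced above).
# Usage: classify_sources YYYY-MM-DD < logstats.csv
classify_sources() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "usage: classify_sources YYYY-MM-DD < logstats.csv" >&2; return 2 ;;
    esac
    awk -F',' -v cutoff="$1" '
    BEGIN {
        OFS = ","
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) month[names[i]] = sprintf("%02d", i)
        gsub(/-/, "", cutoff)                 # 2014-12-17 -> 20141217
    }
    NF != 4 { next }                          # skip blank or malformed lines
    {
        split($4, d, "-")                     # 2014-Dec-18 -> 2014, Dec, 18
        # Rows with no usable address or date (for example the
        # "source" / 1970-Jan-01 rows) are flagged, not classified.
        if ($2 !~ /^[0-9a-fA-F.:]+$/ || !(d[2] in month) || d[1] + 0 < 2000) {
            print "UNPARSED", $1, $2, $3, $4
            next
        }
        seen = d[1] month[d[2]] sprintf("%02d", d[3])
        status = (seen + 0 >= cutoff + 0) ? "REPORTING" : "NON_REPORTING"
        print status, $1, $2, $3, $4
    }'
}

# Sample rows taken from the output posted above.
sample_rows() {
    cat <<'EOF'
bigip,192.168.183.12,2250,2014-Dec-18
crossbeamc,192.168.183.12,2323,2014-Dec-09
checkpointfw1,::1,64,2014-Dec-18
unknown,192.168.183.131,205,2014-Nov-25
rhlinux,source,309,1970-Jan-01
EOF
}

# Demo: anything last seen before 2014-12-17 counts as non-reporting.
sample_rows | classify_sources 2014-12-17
```

This can only classify sources that appear in the logStats output, so an event source that has never sent a log to the Log Decoder will not show up in either list.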
2015-02-03 10:03 AM
Thanks LeeKirkpatrick!!
This is exactly what I'm looking for. Could you please explain NW console? Where should I run this command to get this result? RSA SA or Broker or Decoder or Log Collector?
Hope it includes all Log Sources.
2015-02-03 10:24 AM
Hey Ravick,
No problem.
NwConsole is available on all appliances and it allows you to interact with the various NetWitness services (Log Collector, Log Decoder, Broker, etc). Using NwConsole allows you to change settings, invoke commands, etc.
So in this case, as the statistics we are interested in are on the Log Decoder, we are going to run the NwConsole command via SSH on the Log Decoder itself. We are then just piping it through AWK and SED to massage the output to CSV for your post-processing.
This command would show all log sources that have ever sent a log to the Log Decoder (unless someone has deleted the stats).
2015-02-03 11:25 AM
I'm getting the below error while logging in to the decoder using the NwConsole command.
"Server did not return our connection id. Possible cause: SSL may be enabled."
Do you know how I can access it with SSL?
2015-02-04 07:13 AM
When using SSL you must use the following syntax:
NwConsole -c login localhost:50002:ssl
2015-02-04 08:59 AM
I saw that syntax in the help, so I tried it, but it's exiting with an Invalid Username & Password error.
I'm getting the other error when I'm not using the "ssl" syntax.
2015-02-04 09:10 AM
If you receive the username and password error, you will need to change the username and password. In the command I gave you I did not supply them, as they would be different on your appliances from mine:
NwConsole -c login localhost:50002:ssl <user> <password>
2015-02-04 09:20 AM
I'm not that dumb!! I executed that command with user "admin" & its password. I also tried with username "root" but got the same error. Is there any special username to execute NwConsole?
I think if there is no special user to use, then it's an issue with the command syntax. Please correct me if I'm wrong.
2015-02-04 09:23 AM
Forgot to mention, we are using a different port number, i.e. 56002, too.
2015-02-04 09:31 AM
It will be the user you used to add the appliances in the GUI. This is normally "admin" unless otherwise specified.
If you are using port number 56002, as this is the new native SSL port, you must add the SSL option.