2019-03-04 04:45 AM
Hello, I have custom logs that I would like to upload to RSA NetWitness via the RESTful API. I get the address and the port of my decoder, but I have the following error message: "400 Bad Request: Packet import can not execute while live capture is running". Actually, in the documentation: https://community.rsa.com/docs/DOC-100559
it is clearly indicated on page 10 that: "Note: The DECODER cannot be competitively importing or capturing, or an error results."
What can we do? Is it then necessary to dedicate a decoder to receiving logs uploaded via the REST API?
Best regards
2019-03-04 02:14 PM
If you are uploading logs, you can use the nwlogplayer binary to replay logs to the capture interface of the LD without needing to stop capture.
I use this process to script the uploading of logs via nwlogplayer (yum install nwlogplayer):
NwLogPlayer.exe -s 192.168.254.115 -r 3 -f "C:\Demo Tools\Logs\UC2_Spamhost_LOGS.log"
If you are uploading via the SDK, you must stop capture before uploading. I wrote this script to help me with the process (stop capture, upload file, start capture):
@echo off
REM V2 of script to stop and start capture around an SDK import
setlocal enableDelayedExpansion
set MYDIR=C:\Users\windows_user1\Desktop\pcap
set CURL_LOC=c:\Users\windows_user1\Desktop
REM stop capture (the import endpoint answers 400 while capture is running)
%CURL_LOC%\curl.exe -u admin:password "http://192.168.254.184:50104/decoder?msg=stop" -d "force-content-type=text/plain"
echo +======= Waiting for capture to stop =======+
REM pause to wait for capture to stop
TIMEOUT /T 15
REM upload every file in MYDIR ("delims=" keeps file names that contain spaces whole)
for /F "delims=" %%x in ('dir /B /A-D "%MYDIR%"') do (
set FILENAME=%MYDIR%\%%x
echo +======= Uploading !FILENAME! to Decoder =======+
%CURL_LOC%\curl.exe -u admin:password -F "fileupload=@!FILENAME!" http://192.168.254.184:50104/decoder/import
)
REM wait for the import to finish
TIMEOUT /T 10
REM start capture
echo +======= Start capture =======+
%CURL_LOC%\curl.exe -u admin:password "http://192.168.254.184:50104/decoder?msg=start" -d "force-content-type=text/plain"
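An added example, not code from the thread or from RSA: a Python version of the same stop / import / start cycle that checks each step instead of sleeping a fixed number of seconds, and that always restarts capture even when an import fails. The calls to /decoder?msg=stop, /decoder?msg=start and the multipart POST of a "fileupload" field to /decoder/import are the ones the batch script above makes with curl. The /decoder/stats/capture.status path used to confirm that capture has really stopped is an assumption, as are the host, port and credentials, which are the thread's placeholders. The FakeDecoder class and the log line it imports are constructed so the script runs offline; the fake returns the exact 400 quoted in the question while capture is running.

```python
import base64
import os
import tempfile
import time
import urllib.error
import urllib.request

class DecoderError(RuntimeError):
    """Raised when the decoder answers anything but HTTP 200."""

def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, body) rather than raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body or None, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class DecoderClient:
    def __init__(self, base_url, user, password, transport=urllib_transport):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token}
        self.transport = transport  # injectable, so the flow can be exercised offline

    def _call(self, method, path, body=b"", extra=None):
        headers = dict(self.headers, **(extra or {}))
        status, resp = self.transport(method, self.base + path, headers, body)
        text = resp.decode(errors="replace").strip()
        if status != 200:
            raise DecoderError(f"{method} {path.split('?')[0]} -> {status}: {text}")
        return text

    def send_msg(self, msg):
        # The call the batch script makes with curl: /decoder?msg=stop or msg=start
        return self._call("GET", f"/decoder?msg={msg}&force-content-type=text/plain")

    def capture_status(self):
        # ASSUMPTION: capture state is readable at this stats path as "started"/"stopped"
        return self._call("GET", "/decoder/stats/capture.status?force-content-type=text/plain")

    def import_file(self, path):
        """multipart/form-data POST to /decoder/import, field 'fileupload' (what curl -F sends)."""
        boundary = "----nwimport" + os.urandom(8).hex()
        name = os.path.basename(path)
        with open(path, "rb") as fh:
            data = fh.read()
        body = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"fileupload\"; "
                f"filename=\"{name}\"\r\nContent-Type: application/octet-stream\r\n\r\n").encode()
        body += data + f"\r\n--{boundary}--\r\n".encode()
        ctype = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
        return self._call("POST", "/decoder/import", body, ctype)

def import_with_capture_paused(client, paths, attempts=30, sleep=time.sleep):
    """Stop capture, confirm it stopped, import every file, and always restart capture."""
    client.send_msg("stop")
    for _ in range(attempts):  # poll the state instead of a blind TIMEOUT
        if client.capture_status() == "stopped":
            break
        sleep(1)
    else:
        raise DecoderError("capture did not stop; nothing imported")
    results = {}
    try:
        for path in paths:
            results[path] = client.import_file(path)
    finally:
        client.send_msg("start")  # never leave the decoder without live capture
    return results

class FakeDecoder:
    """Constructed stand-in for a decoder; it reproduces the 400 quoted in the question."""
    def __init__(self):
        self.capturing, self.imported = True, []

    def __call__(self, method, url, headers, body):
        if "msg=" in url:
            self.capturing = "msg=start" in url
            return 200, b"ok"
        if "capture.status" in url:
            return 200, (b"started" if self.capturing else b"stopped")
        if self.capturing:  # /decoder/import while live capture is running
            return 400, b"400 Bad Request: Packet import can not execute while live capture is running"
        self.imported.append(len(body))
        return 200, b"Import complete"

def demo():
    """Offline run: a naive import hits the 400, then the paused flow succeeds."""
    fake = FakeDecoder()
    client = DecoderClient("http://192.168.254.184:50104", "admin", "password", transport=fake)
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "constructed.log")
        with open(log, "w") as fh:  # constructed sample line, not real data
            fh.write("Mar  4 04:45:00 host sshd[1234]: Failed password for root from 10.0.0.5\n")
        first_error = None
        try:
            client.import_file(log)
        except DecoderError as err:
            first_error = str(err)
        results = import_with_capture_paused(client, [log], sleep=lambda _: None)
    return fake, results, first_error
```

To run it against a real decoder, drop the transport argument so the default urllib_transport is used and pass the decoder's REST base URL; the client sends the same HTTP Basic credentials as the curl calls, so take them from the environment rather than hard-coding them as the batch script does.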
2019-03-06 04:54 AM
Hello Eric,
It works perfectly!
Thanks
Best regards