If the meta keys are the same for concentrator, how can I verify if all the concentrators have the same brokers, decoders...?

pranavsankar1 (Beginner)
2016-05-23 10:25 AM

Hi All,

If the meta keys are the same for concentrator, how can I verify if all the concentrators have the same brokers, decoders...?

Accepted Solution

RuiAtaide (Respected Contributor)
2016-05-24 04:19 AM

Hi,

You can use the SDKLanguage call to retrieve the keys each device is aware of; in this case the easiest would probably be through a REST API call, as shown below:

https://<concentrator_ip>:50105/sdk?msg=language&size=1000&force-content-type=text/plain

The result should look something like this:

 

[id1=175  id2=174
id1=0  id2=0  count=0  format=32  value=Time  type=time  flags=2147484691  group=1
id1=0  id2=0  count=0  format=8  value=Remote Session ID  type=rid  flags=2147483906  group=2
id1=0  id2=0  count=0  format=65  value=Concentrator Source  type=cid  flags=2147484675  group=3
id1=0  id2=0  count=0  format=65  value=Decoder Source  type=did  flags=2147484691  group=4
id1=0  id2=0  count=0  format=65  value=Alerts  type=alert  flags=2147484163  group=5
id1=0  id2=0  count=0  format=65  value=Risk: Informational  type=risk.info  flags=2147484163  group=6
id1=0  id2=0  count=0  format=65  value=Risk: Suspicious  type=risk.suspicious  flags=2147484163  group=7
id1=0  id2=0  count=0  format=65  value=Risk: Warning  type=risk.warning  flags=2147484163  group=8
<cut for brevity>
id1=0  id2=0  count=0  format=6  value=Payload Transmit Bytes  type=txbytes  flags=2147484417  group=172
id1=0  id2=0  count=0  format=6  value=Payload Receive Bytes  type=rxbytes  flags=2147484417  group=173
id1=0  id2=0  count=0  format=2  value=Payload Transmit Receive Ratio  type=bytes.ratio  flags=2147484419  group=174
]

 

 

If you execute one of these against each device, you will have the keys for each, and you can then compare them; the only issue could be that the order is not the same. The first two values are the size/number of entries; that alone should help to confirm you have the same amount on all devices.

You can run this same call against all devices; however, the results would be different in some cases, namely flags on a decoder.

Hope this helps!

Cheers,

 

Rui
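
One way to do the comparison described in this answer without depending on entry order or group number, as an added example that is not part of the original post. `parse_language` and `compare` are hypothetical helper names, the two sample responses are constructed in the format shown above, and real responses would first be saved from each device's language call.

```python
import re

# Constructed sample responses in the format shown in the post (not real device output).
CONCENTRATOR_A = """[id1=4  id2=3
id1=0  id2=0  count=0  format=32  value=Time  type=time  flags=2147484691  group=1
id1=0  id2=0  count=0  format=65  value=Risk: Warning  type=risk.warning  flags=2147484163  group=2
id1=0  id2=0  count=0  format=6  value=Payload Transmit Bytes  type=txbytes  flags=2147484417  group=3
]"""
# Constructed: different order, one key missing, one flags value changed.
CONCENTRATOR_B = """[id1=3  id2=2
id1=0  id2=0  count=0  format=6  value=Payload Transmit Bytes  type=txbytes  flags=2147484419  group=1
id1=0  id2=0  count=0  format=32  value=Time  type=time  flags=2147484691  group=2
]"""

def parse_language(text):
    """Return (header, keys): header holds the first line's fields, keys maps type -> fields."""
    header, keys = {}, {}
    for line in text.splitlines():
        line = line.strip().lstrip("[").strip()
        if not line or line == "]":
            continue
        # Fields are separated by two or more spaces; values may contain single spaces.
        fields = dict(f.split("=", 1) for f in re.split(r"\s{2,}", line) if "=" in f)
        if "type" in fields:
            keys[fields["type"]] = fields
        elif not header:
            header = fields
    return header, keys

def compare(devices, attrs=("format", "flags")):
    """Compare key sets by key name; report keys missing per device and attribute mismatches."""
    parsed = {name: parse_language(text)[1] for name, text in devices.items()}
    all_keys = set().union(*parsed.values())
    report = {"missing": {}, "mismatch": {}}
    for name, keys in parsed.items():
        gone = sorted(all_keys - keys.keys())
        if gone:
            report["missing"][name] = gone
    for key in sorted(all_keys):
        for attr in attrs:
            seen = {n: k[key].get(attr) for n, k in parsed.items() if key in k}
            if len(set(seen.values())) > 1:
                report["mismatch"][(key, attr)] = seen
    return report

if __name__ == "__main__":
    print(compare({"conc-a": CONCENTRATOR_A, "conc-b": CONCENTRATOR_B}))
```

Passing `attrs=("format",)` leaves `flags` out of the comparison, which fits the remark above that flags can differ on a decoder.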


DavidWaugh1 (Employee)
2016-05-24 04:40 AM

Hi, why not just look at the index-concentrator*.xml files in the /etc/netwitness/ng directory on the concentrator?

 

These determine the meta keys used on the concentrator.

RuiAtaide (Respected Contributor), in response to DavidWaugh1
2016-05-24 04:50 AM

Mainly for 2 reasons. One, those may not actually be loaded if the service wasn't restarted and someone could have changed the default files; I guess if you compare them both then you are covered.

The other, you would need root on the box; with this method, any service account for a regular user would have the necessary privileges.

 

But yes, you could follow that route too. A language call is actually what SA uses to determine available keys from each device regularly.

 

Also, the question was for all devices, which would mean different files on each, while the call is always the same (yes, the port will change). Finally, the latest versions of the product don't actually require index-*.xml files to work for decoders and brokers; brokers will merge the keys from the underlying devices, so the files may not actually reflect the keys available, and decoders load keys on the fly from parsers, feeds and rules.

 

Hope this helps!
