This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

If the meta keys is same for concentrator,how can i verify if all the concentrators have the same brokers,decoders...?

Go to solution
pranavsankar1
Beginner
Beginner

‎2016-05-23 10:25 AM

Hi All,

 

If the meta keys is same for concentrator,how can i verify if all the concentrators have the same brokers,decoders...?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2016-05-24 04:19 AM

Hi,

 

You can use the SDKLanguage call to retrieve the keys each device is aware of, in this case the easiest would probably be through a REST API Call as show below:

 

https://<concentrator_ip>:50105/sdk?msg=language&size=1000&force-content-type=text/plain

 

The result should look something like this:

 

[id1=175  id2=174
id1=0  id2=0  count=0  format=32  value=Time  type=time  flags=2147484691  group=1
id1=0  id2=0  count=0  format=8  value=Remote Session ID  type=rid  flags=2147483906  group=2
id1=0  id2=0  count=0  format=65  value=Concentrator Source  type=cid  flags=2147484675  group=3
id1=0  id2=0  count=0  format=65  value=Decoder Source  type=did  flags=2147484691  group=4
id1=0  id2=0  count=0  format=65  value=Alerts  type=alert  flags=2147484163  group=5
id1=0  id2=0  count=0  format=65  value=Risk: Informational  type=risk.info  flags=2147484163  group=6
id1=0  id2=0  count=0  format=65  value=Risk: Suspicious  type=risk.suspicious  flags=2147484163  group=7
id1=0  id2=0  count=0  format=65  value=Risk: Warning  type=risk.warning  flags=2147484163  group=8
<cut for brevity>
id1=0  id2=0  count=0  format=6  value=Payload Transmit Bytes  type=txbytes  flags=2147484417  group=172
id1=0  id2=0  count=0  format=6  value=Payload Receive Bytes  type=rxbytes  flags=2147484417  group=173
id1=0  id2=0  count=0  format=2  value=Payload Transmit Receive Ratio  type=bytes.ratio  flags=2147484419  group=174
]
 

 

If you execute one of these against each device you will have the keys for each you can then compare them, the only issue could be that the order is not the same.The first two values are the size/number of entries that alone should help to confirm you have the same amount on all devices.

 

You can run this same call against all devices however the results would be different in some cases, namely flags on a decoder.

 

Hope this helps!

 

Cheers,

 

Rui

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
Anonymous
Not applicable

‎2016-05-24 04:19 AM

Hi,

 

You can use the SDKLanguage call to retrieve the keys each device is aware of, in this case the easiest would probably be through a REST API Call as show below:

 

https://<concentrator_ip>:50105/sdk?msg=language&size=1000&force-content-type=text/plain

 

The result should look something like this:

 

[id1=175  id2=174
id1=0  id2=0  count=0  format=32  value=Time  type=time  flags=2147484691  group=1
id1=0  id2=0  count=0  format=8  value=Remote Session ID  type=rid  flags=2147483906  group=2
id1=0  id2=0  count=0  format=65  value=Concentrator Source  type=cid  flags=2147484675  group=3
id1=0  id2=0  count=0  format=65  value=Decoder Source  type=did  flags=2147484691  group=4
id1=0  id2=0  count=0  format=65  value=Alerts  type=alert  flags=2147484163  group=5
id1=0  id2=0  count=0  format=65  value=Risk: Informational  type=risk.info  flags=2147484163  group=6
id1=0  id2=0  count=0  format=65  value=Risk: Suspicious  type=risk.suspicious  flags=2147484163  group=7
id1=0  id2=0  count=0  format=65  value=Risk: Warning  type=risk.warning  flags=2147484163  group=8
<cut for brevity>
id1=0  id2=0  count=0  format=6  value=Payload Transmit Bytes  type=txbytes  flags=2147484417  group=172
id1=0  id2=0  count=0  format=6  value=Payload Receive Bytes  type=rxbytes  flags=2147484417  group=173
id1=0  id2=0  count=0  format=2  value=Payload Transmit Receive Ratio  type=bytes.ratio  flags=2147484419  group=174
]
 

 

If you execute one of these against each device you will have the keys for each you can then compare them, the only issue could be that the order is not the same.The first two values are the size/number of entries that alone should help to confirm you have the same amount on all devices.

 

You can run this same call against all devices however the results would be different in some cases, namely flags on a decoder.

 

Hope this helps!

 

Cheers,

 

Rui

0 Likes

Go to solution
DavidWaugh1
Employee
Employee

‎2016-05-24 04:40 AM

Hi why not just look at the index-concentrator*.xml files in the /etc/netwitness/ng directory on the concentrator.

 

These determine the meta keys used on the concentrator.

0 Likes

Go to solution
Anonymous
Not applicable
In response to DavidWaugh1

‎2016-05-24 04:50 AM

Mainly for 2 reasons, one those may not actually be loaded if the service wasn't restarted and  someone could have changed the default files, I guess if you compare them both then you are covered.

 

The other you would need root on the box, this method any service account for a regular user would have the necessary privileges.

 

But yes, you could follow that route too. A language call is actually what SA uses to determine available keys from each device regularly.

 

Also the question was for all devices, which would mean different files on each, while the call is always the same, yes the port will change. Finally, the latest versions of the product don't actually require index-*.xml files to work for decoders and brokers, brokers will merge the keys from the underlying devices so the files may not actually reflect the keys available and decoders load keys on the fly from parsers, feeds and rules.

 

Hope this helps!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.