NetWitness Community

Visham,

Rajbir does have a point in that if the packetdb does hit its limit and starts to roll over data those raw logs will no longer be available during investigations. This is the reason we always suggest to our customers to have an archiver available to provide for longer term storage of the raw logs. In my personal experience I've seen a customer's log decoder packetdb have more retention then their concentrator due to logs, in general, taking up very little space compared to the meta generated from those logs. If the indexes or meta on a concentrator roll out before the logs on the log decoder, the logs become inaccessible anyway.

Please note that under most circumstances the raw logs, once processed, should no longer be needed for a comprehensive investigation of an issue. Each log is parsed extensively to provide all the meta you should need to perform your investigation even without the raw logs. I'm sure there are those in the community that may disagree with me on this but I suspect it is because they started their network analysis career using Wireshark and other similar tools. There is nothing wrong with this, I suspect they are just more comfortable or familiar with that way of analyzing data in these tools. Netwitness is different from these tools in that its specifically designed to generate a massive amount of meta data from each raw log so that the raw log is secondary and used primarily for compliance purposes only. If you have to review the raw logs during an investigation to find information then our parser may need an update to allow more meta to be created. This is why more stress is placed on the storage of the concentrator than of the log decoder. The concentrator's meta, session, and indexes are what your Investigation relies on 98% of the time. The remaining 2% or less is reviewing the raw logs. 

I wanted to reply so that everyone had a clearer picture of how Netwitness handles data retention, why certain database partition sizes are important, and to show that sometimes when working with Netwitness it requires a different way of looking at the data captured. 

Thank you Rajbir, very clear now!

Hi John,

Thanks for the detailed explanation. Much clearer now.

Just a quick query, and I'm glad you brought it up, since I've been wondering about it.

What if a built-in parser isn't creating meta for a particular piece of data within the event log, which is important for a certain use case? Is there a way to update it? Does RSA make such updates?
To be specific, there is a popular attack called Kerberoasting, which needs the parsing of Ticket Encryption Type and Service Name from within the event log. However, I see that RSA's built-in parser isn't meta-tagging these values, and simply ignoring them.

What do you think my options are, in such a case?

In this situation you can put in a case with Netwitness Support for an update to the base parser for that log type and our Content team will make the needed update. If you do submit such a ticket please make sure to provide several samples of the log type and show what pieces you are looking for that need to be parsed. Any details as to its usage helps as well, such as saying it is for an attack called Kerberoasting. Please note the content updates do not happen immediately. It can take some time depending on complexity of the request and their current backlog of updates/additions.

The other option is to take the existing parser and using the Log Parsing Tool https://community.rsa.com/docs/DOC-94172 and create your own parser. This tool allows you, with a sample of the log, to designate what information you want to put into what meta keys. 

If you are looking for a new event source to be supported I suggest going to the RSA Ideas page https://community.rsa.com/community/products/netwitness/ideas and putting the request there. This allows others to vote on new features/event sources for addition to the product.

I hope this helps to answer your question.

Thanks John! I'll do so accordingly