2017-03-21 04:40 PM
We currently have Investigator 10.6 but have been unable to use it and would like to test Lua parsers with it.
From this error, I assume it's not connecting to our proxy, but I see no way to enter proxy information.
Trying to do the enterprise install, which device should we point the remote collection to? Broker over 56003?
We haven't been successful tying it to any of our devices.
2017-03-21 04:48 PM
I can't help with your error, sorry.
However, for testing lua parsers you'd import pcaps into it - they will be parsed by the parsers enabled in Investigator. You don't need to connect it to another device (e.g., broker). Anything pulled from another device has already been parsed by Decoder.
2017-03-21 06:22 PM
Yeah, ideally I'd like to do the freeware version and import the pcaps I have to test with our parsers. Just can't get the registration down since I can't point it to our proxy.
2017-03-23 11:07 AM
Michael,
Just make sure your proxy information is correctly entered in your browser and it should be able to connect to your Broker/Concentrator.
2017-03-24 07:13 AM
You can point it to any of your core appliances. Decoder, Log decoder, Concentrator, or Broker. While the native ports should work (50004, 50002, 50005 and 50003 respectively), if you are using SSL on those appliances, you may need to use different ports (56004, 56002, 56005 and 56003 respectively). Remember you will also need an account on those appliances to connect. This is not the same as your SA account.
Also, do you need the proxy? Since this is essentially connecting directly to the appliance ports, you may not even need it. However, if you are not able to connect to the ports, there could be other restrictions between you and the appliance.
Chris
2017-03-24 08:32 AM
Thanks Chris. I was only concerned about using the proxy for the freeware registration, which I couldn't get to work. For the account on the appliances, is this something separate from the NwConsole account (i.e., just a regular shell account)?
2017-03-24 08:40 AM
No, that would be it. The account used with NwConsole is local to the service (decoder, concentrator, broker). If the admin account is not in use or the password had changed, you would just need to make sure you had and used an account, which could be added through SA. You would go to Administration, Services, select the core service, and click View/Security. From there, add the account you need.
Please note this is per appliance.