NetWitness Community

Hi Marinos, yes after the last time it went down we disabled it as we can't rely on it. If we hadn't, then as the latest outage happened early on a Saturday morning we would  have come in today to find that our ESA is many millions of sessions behind. I have support ticket 01273363 open for this issue.

This is particularly disappointing as I have been told twice that the service is being monitored.I'm not sure how I am able to detect that the service is down, but RSA is not able to?

At the time of writing it is still down. I can obtain an X-Auth-Token but not get a response when I lookup google.com.

Here is my script for checking that this service is down. I run the script hourly and it results in an email being sent to me.

cloud-check.sh

cd /root/Scripts
echo "ESA Sessions Behind (Should be Zero)" >output.txt
./check_esa_sessions_behind.sh >>output.txt
echo "WhoIS Test Lookup to Google" >>output.txt
./cloud-whois-bank.sh google.com >>output.txt 2>&1
python email-whois.py

more check_esa_sessions_behind.sh

#!/bin/bash
#David Waugh ex RSA
#This script will display the current maximum value of the sessionsBehind for an
y aggregating source of the ESA

E_OK=0
E_WARNING=1
E_CRITICAL=2
E_UNKNOWN=3

#Get the stream names
Perfdata=""
Output=""

behind=$(echo -e "cd /Workflow/Source/nextgenAggregationSource\ndump\nexit" |
/opt/rsa/esa/client/bin/esa-client |grep sessionsBehind | cut -d ":" -f 2 |cut
-d " " -f 2 |cut -d "," -f 1 |sort -nr |head -n 1)
Output+="Sessions behind: "
Output+=": "
Output+=$behind
Output+=" "
Perfdata+="Sessions_behind"
Perfdata+=\=
Perfdata+=$behind
Perfdata+=""

#echo $Output\|$Perfdata\;\;
#exit 0

show_help() {
echo "$0 -w VALUE -c VALUE | -h"
echo
echo "This plug-in is used to be alerted when maximum ESA behind session
s is reached"
echo
echo " -w/c Sessions behind integer"
echo " To warn when 200 sessions behind and critical when 300 sessions b
ehind"
echo " example: $0 -w 200 -c 300"
}

# process args
while [ ! -z "$1" ]; do
case $1 in
-w) shift; WARNING=$1 ;;
-c) shift; CRITICAL=$1 ;;
-h) show_help; exit 1 ;;
esac
shift
done

# check input parameters so we can continue !
sanitize() {

# check thresholds
if [ -z "$WARNING" ]; then
WARNING=500
#echo "Need warning threshold"
#exit $E_UNKNOWN
fi
if [ -z "$CRITICAL" ]; then
CRITICAL=1000
#echo "Need critical threshold"
#exit $E_UNKNOWN
fi
}
# check args
sanitize

OUTPUT=""
EXITCODE=$E_OK
# check behind
if [ $behind -gt $WARNING ]; then
if [ $behind -gt $CRITICAL ]; then
OUTPUT="CRITICAL behind (>$CRITICAL), "
EXITCODE=$E_CRITICAL
else
OUTPUT="WARNING behind (>$WARNING), "
EXITCODE=$E_WARNING
fi

else
OUTPUT="OK"
fi

#echo "${OUTPUT} ${Output}|${Perfdata};;;;"
echo "${behind}"
exit $EXITCODE

more cloud-whois-bank.sh
#!/bin/bash
#set -x
export http_proxy=http://1.2.3.4:8080/
export https_proxy=https://4.5.6.7:8080/
if [[ $# -eq 0 ]] ; then
echo "$0 requires at least the name of the domain to look up"
exit 1
fi

CMD="/usr/bin/curl -sk"
domain=$1
username=${2:-"myliveusername"}
password=${3:-"mylivepassword"}
whois_host=${4:-"https://cms.netwitness.com"}
debug=${5:-"Y"}
resp_headers_file=`mktemp --tmpdir resp_headers.XXXXXX`
auth_path="authlive/authenticate/WHOIS"
auth_header="Content-Type: application/json"
auth_data="{\"X-Auth-Username\":\"${username}\",\"X-Auth-Password\":\"${password
}\"}"
query_path="whois/query/$domain"

getToken() {
# Authorize your access using a POST of the login parameters
if [ "$debug" == "Y" ];
then
echo -e "Authenticate:\ncurl -sk -H \"${auth_header}\" -X POST -
d @auth.json -D ${resp_headers_file} -o /dev/null"
echo -n
fi
$CMD -H "${auth_header}" -X POST -d @auth.json "${whois_host}/${auth_pat
h}" -D ${resp_headers_file} -o /dev/null
token_header=$(cat ${resp_headers_file} | tr -d '\r' | grep '^X-Auth-Tok
en:')
if [ -z "$token_header" ]; then
echo "X-Auth-Token is empty."
else
echo $token_header > ~/.cloud-whois
fi
}

query() {
# Do the query now
if [ "$debug" == "Y" ];
then
echo "Query: $CMD -H \"${auth_header}\" -H \"${token_header}\" \
"${whois_host}/${query_path}\" | tr -d '\r' | python -m json.tool"
echo -n
fi
if [ -z "$token_header" ]; then
echo "Skipping query because no X-Auth-Token."
else
$CMD -H "${auth_header}" -H "${token_header}" "${whois_host}/${query_pat
h}" -D ${resp_headers_file} | tr -d '\r' | python -m json.tool
rm -f ${resp_headers_file}
fi
}

if [ ! -f ~/.cloud-whois ] || test `find ~/.cloud-whois -mmin +60`
then
getToken
else
token_header=`cat ~/.cloud-whois`
echo -e "\n"
echo "Using existing X-Auth-Token from ~/.cloud-whois."
echo -e "\n"
fi

#query
query

email-whois.py 

# Import smtplib for the actual sending function
import smtplib

# Import the email modules we'll need
from email.mime.text import MIMEText

# Open a plain text file for reading. For this example, assume that
# the text file contains only ASCII characters.
fp = open('output.txt', 'rb')
# Create a text/plain message
msg = MIMEText(fp.read())
fp.close()

# me == the sender's email address
# you == the recipient's email address
msg['Subject'] = 'Cloud WhoIs Check'
msg['From'] = 'siem@mydomain.com'
msg['To'] = 'email1@mydomain.com'

# Send the message via our own SMTP server, but don't include the
# envelope header.
s = smtplib.SMTP('1.2.3.4')
s.sendmail('siem@mydomain.com', ['email1@mydomain.com','email2@mydomain.com'], msg.as_string())
s.quit()

Thanks for sharing the script, even though I would only use Whois in test environment.

Well, saying that they do vs providing evidence that it is actually monitored are two different things. I think someone would have replied if they did. Not to mention that there should have been an e-mail going out to customers regarding the outage or at least some note on Link homepage. So again, actions speak louder than words:)

Anyway, just to play ball with RSA's fixation about RFEs,  I created an Idea to make a Service Status page Create a Service Status page for all RSA hosted services 

Perfect for production environments