2017-05-17 02:22 PM
Hi, I have been trying to find an effective and repeatable way to extract capacity information via REST API in Netwitness Logs and Packets. We have 130 devices altogether, so going manually to each one in order to get this info is pretty tiresome. Essentially what I am looking for is to get the storage size as well as retention for mainly the concentrators and decoders. I unfortunately know next to nothing regarding Python scripts, but I was curious if anyone has already put together some sort of script that might be able to accomplish something like this?
Thank You,
Mike Kuter
2017-05-17 02:35 PM
You can view it in Health & Wellness, assuming you’re on a version that supports this metric. See screenshots.
2017-05-17 02:45 PM
Thank you, but sadly that doesn't help all that much right now as we continue to have SMS issues in our environment. We constantly get this issue
The only workaround I have found to fix this is stopping sms, stopping jettsrv and restarting those services, which really isn't a viable solution for us given the volume and amount our system is utilized.
I am also looking for something that eliminates as much human error as possible. Instead of going one by one for each device and manually typing each Retention Date, used storage space and default capacity, I am trying to see if there is anything that people have done from a command line using REST API or something similar.
2017-05-18 04:29 AM
Hi Mike,
you can use NwConsole to get the statistics for all hosts.
To list the system statistics, issue the following command to the appliance port of each host:
NwConsole -c login <host IP>:56006:ssl admin netwitness -c /sys/stats ls
RSA Security Analytics Console 10.6.3.0
Copyright 2001-2017, RSA Security Inc. All Rights Reserved.
>login localhost:56006:ssl admin netwitness
Successfully logged in as session 547
>/sys/stats ls
56:0x0000000000200200 /sys/stats/build.date (Build Date) = Mar 24 2017
59:0x0000000000200200 /sys/stats/config.filename (Configuration Filename) = NwAppliance.cfg
45:0x2000000000200200 /sys/stats/cpu (CPU) = 60%
51:0x0000000000200200 /sys/stats/current.time (Current Time) = 2017-May-18 07:15:48
57:0x0000000000200200 /sys/stats/hostname (Hostname) = SASVRFFM1
46:0x2000000000200200 /sys/stats/memory.process (Process Memory) = 20606976
49:0x2000000000200200 /sys/stats/memory.process.max (Max Process Memory) = 101392592896
47:0x2000000000200200 /sys/stats/memory.system (System Memory) = 82028167168
48:0x0000000000200200 /sys/stats/memory.total (Total Memory) = 101392592896
60:0x0000000000200200 /sys/stats/module (Module) = appliance
55:0x0000000000200200 /sys/stats/revision (Revision) = 84de2978a42b0153f151233ae9cba1619e2af657
50:0x0000000000200200 /sys/stats/running.since (Running Since) = 2017-May-03 06:52:34
58:0x0000000000200200 /sys/stats/service.name (Service Name) = SASVRFFM1
61:0x2000000000200200 /sys/stats/service.status (Service Status) = Ready
54:0x0000000000200200 /sys/stats/system.info (System Info) = Linux 2.6.32-642.15.1.el6.x86_64 #1 SMP Fri Feb 24 14:31:22 UTC 2017 x86_64
52:0x0000000000200200 /sys/stats/uptime (Uptime) = 1297394,2 weeks 1 day 23 minutes 14 seconds
53:0x0000000000200200 /sys/stats/version (Version) = 10.6.3.0-7118.5.84de297
If you want to get just one value from that list, issue the "get" command like the following example:
NwConsole -c login <host IP>:56006:ssl admin netwitness -c /sys/stats/cpu get
RSA Security Analytics Console 10.6.3.0
Copyright 2001-2017, RSA Security Inc. All Rights Reserved.
>login localhost:56006:ssl admin netwitness
Successfully logged in as session 574
>/sys/stats/cpu get
32%
To get statistics for a service, e.g. decoder capture rate, you need to use the service port and the corresponding path. All paths can be found in the explore view of the devices also:
NwConsole -c login <host IP>:56002:ssl admin netwitness -c /decoder/stats ls
RSA Security Analytics Console 10.6.3.0
Copyright 2001-2017, RSA Security Inc. All Rights Reserved.
>login <host IP>:56002:ssl admin netwitness
Successfully logged in as session 150177
>/decoder/stats ls
351:0x2000000000200200 /decoder/stats/assembler.client.bytes (Assembler Client Bytes) = 109069456117
356:0x2000000000200200 /decoder/stats/assembler.client.goodput.rate (Assembler Rate Client Goodput (current)) = 5
[...]
336:0x2000000000200200 /decoder/stats/capture.packet.rate (Capture Packet Rate (current)) = 1000
[...]
NwConsole -c login <host IP>:56002:ssl admin netwitness -c /decoder/stats/capture.packet.rate get
RSA Security Analytics Console 10.6.3.0
Copyright 2001-2017, RSA Security Inc. All Rights Reserved.
>login <host IP>:56002:ssl admin netwitness
Successfully logged in as session 150230
>/decoder/stats/capture.packet.rate get
994
Best regards
Andreas
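For a fleet of hosts, the `ls` listings shown above can be parsed into one CSV row per host. The following is an added example, not part of the original thread or of any RSA tooling: the function names and the 192.0.2.x addresses are assumptions, and the sample text is constructed from the output lines quoted above.

```python
import csv
import io
import re

# One stat line from "ls": "<id>:<flags> <path> (<label>) = <value>"
STAT_RE = re.compile(r"^\d+:0x[0-9a-fA-F]+\s+(/\S+)\s+\((.*?)\)\s+=\s?(.*)$")

def build_command(host, port, path, user, password):
    """argv for the NwConsole call shown in the thread. Arguments, including
    the password, are visible in the local process list while it runs."""
    return ["NwConsole", "-c", "login", f"{host}:{port}:ssl", user, password,
            "-c", path, "ls"]

def parse_stats(output):
    """Return {stat path: value}; banner, prompt and [...] lines are skipped."""
    stats = {}
    for line in output.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m.group(1)] = m.group(3).strip()
    return stats

def report(outputs, columns):
    """Build CSV text with one row per host; stats a host lacks stay empty."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host"] + columns)
    for host in sorted(outputs):
        stats = parse_stats(outputs[host])
        writer.writerow([host] + [stats.get(c, "") for c in columns])
    return buf.getvalue()

# Constructed sample: captured text per host, as it would come from
# subprocess.run(build_command(...), capture_output=True, text=True).stdout
SAMPLE = {
    "192.0.2.10": """RSA Security Analytics Console 10.6.3.0
>/sys/stats ls
45:0x2000000000200200 /sys/stats/cpu (CPU) = 60%
57:0x0000000000200200 /sys/stats/hostname (Hostname) = SASVRFFM1
52:0x0000000000200200 /sys/stats/uptime (Uptime) = 1297394,2 weeks 1 day 23 minutes 14 seconds
""",
    "192.0.2.11": """>/decoder/stats ls
356:0x2000000000200200 /decoder/stats/assembler.client.goodput.rate (Assembler Rate Client Goodput (current)) = 5
[...]
336:0x2000000000200200 /decoder/stats/capture.packet.rate (Capture Packet Rate (current)) = 1000
""",
}

if __name__ == "__main__":
    print(report(SAMPLE, ["/sys/stats/cpu", "/decoder/stats/capture.packet.rate"]))
```
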
2017-05-18 08:53 AM
This is great! Thank you!
2017-05-18 02:27 PM
I've posted a script here https://community.rsa.com/thread/134393 that may help. You can easily customise the necessary endpoints at the top of the code and there are details on how to constantly run it against multiple devices.
Hope it helps!
Cheers,
Rui
2017-05-18 03:02 PM
Oh that's nice too. I will mess around with that. Much appreciated.
2017-05-18 03:47 PM
Thank you! Do let me know if you hit any issues. I did update it recently for some changes on the REST API output.