NetWitness Community

GuyBruneau · ‎2017-08-23

I needed to know how far back I can search my packets, logs and metadata and I created a shell script (netwitness_stats.sh) that runs on the SA Broker every 30 minutes that provides meta and packets statistics for a Concentrator, Decoder and LogDecoder.

Description:
# This script gets the statistics from the Concentrator/Decoders and create a
# web page that can be reviewed by the analysts.

# Statistics on SA server at URL: http://sa/stats/ (sa = the SA Broker IP or DNS name)

# Place the netwitness_stats.sh script in the /root/scripts directory.
# If it doesn't exist, create it and then add the following cronjob
# that will run every 30 minutes.

# To add the cronjob do: cronjob -e
# add the following two lines and save it.

# These statistics are queried every 15 minutes.
# 0,30 * * * * /home/scripts/netwitness_stats.sh > /dev/null 2>&1

Here is an example of the report which is updated every 30 minutes via cron

JayWatson · ‎2017-08-24

Thanks Guy - Super useful. Ideally if RBAC was more granular this would be somewhat visible to the analysts without the need for a script. Maybe v11 will consider this.

Anonymous · ‎2017-08-24

Great post Guy. Thank you for sharing.

Chris

JohnKisner · ‎2017-09-07

As an aside you can also go into Health & Wellness under the System Stats browser. Select Concentrator, Decoder and Log Decoder. Then set the Category for Database. You can then use the Statistics field and look for all Oldest File Time. Then you can filter by host name if you like. These statistics will also show you how far back all your different databases go in a less automated fashion.

PawelWisniewski · ‎2018-07-04

Hi Guy - unfortunately script doesn't work under NW 11.1 (Centos 7) ...

I'm wondering if you modify your scripts and adjust to present NW version.

NetWitness Community

NetWitness Statistics Script