2018-09-21 09:12 AM
Hello guys
Recently I was given the task of ensuring that NW runs smoothly.
I was viewing some documentation from the community and saw:
Verification of the 95% threshold
To ensure that the NW database directory sizes are configured with the correct 95% threshold, in the Security Analytics UI:
As I'm using version 11, I don't know where to go. Is it Admin - Services and then in the concentrator select config? If so, where do I put update=0?
Thanks
2018-09-21 05:25 PM
Hi Renato,
These options are in the Explore menu:
Under the /database and /index nodes, you can select "config" to see what the current settings for each db are (session.dir and meta.dir under /database/config; and index.dir under /index/config):
You can run through the steps listed in your question by right-clicking on the /database and /index nodes, selecting "Properties," and in the frame that opens at the bottom of the page select "reconfig" and enter your commands in the "Parameters" box:
Hope this helps.
2018-09-24 05:19 AM
Hello Joshua,
Thanks for all the help you have been giving me over time.
One thing I noticed is that there have been a few changes in the boards. For example: when I try to see if the ESA MongoDB is 5GB, according to the documentation I should be doing: Administration - Services - ESA Event Stream Analysis - View - Explore - Alert - Storage and Maintenance, but we do not have the option Storage:
Is it by any means trustworthy to follow https://community.rsa.com/docs/DOC-78965#Log ?
2018-09-25 06:38 AM
Hello Joshua,
Since you have much more experience than I do in monitoring health for NW, may I ask you a question?
Is it usual for IIS to send large chunks of events in a 5H window and smaller ones until it reaches a 5H difference?
As you can see, it's giving us a bigger number of events (32.000 as maximum) and then for 5 hours it only gives us 28, 4, 5 events, as you can see in the pictures.
Is it normal? Where can I see if it's a configuration problem or if it's normal according to the configuration that was made by our log decoder/collector admins?
2018-09-25 02:01 PM
IIS is normally a file collection deployment, so the logs will be sent on a scheduled basis from the IIS server(s). So if your interval to send logs is 5 hours then that's what you will see.
https://community.rsa.com/docs/DOC-40237
Check the guide to see where the configs are for the integration and verify the reporting interval.
2018-09-26 06:15 AM
Hello Eric,
We were thinking that but just needed confirmation from our person responsible for the log-collector installation and someone who had much more experience, like you.
Thanks for the reply and the help.
2018-11-09 03:29 PM
Hello Eric,
Do you know if it's possible to receive live IIS logs? In the config guide I only found hourly....
2018-11-09 03:52 PM
Not sure I understand your question. IIS logs can be gathered by RSA using the following method:
https://community.rsa.com/search.jspa?q=IIS&place=%2Fplaces%2F23068&depth=ALL
You should be able to change the polling and delivery interval to suit your needs.
2018-11-09 05:23 PM
We followed the document and we put every 60 seconds, but the events are divided into big chunks every hour and other events in a live perspective. We could have thought that the chunk of events was happening at that point, but after analysis we found that it contains present and past events.