2014-08-06 10:32 AM
Hi Everyone,
We currently have the RSA SA logging several different sources and I was hoping to run a scheduled report of the EPS by log collector and if possible even event source (cisco ASA, windows etc). I've combed through available documents but no luck. Any help would be greatly appreciated. Thanks.
2014-08-06 02:18 PM
The only place that I know you can grab EPS is by going into explorer or the rest API. If you go to your logdecoder then explorer, it is under database/stats/packet.rate. You can then get that value as often as you want.
Via the rest API you would use the following URL, with your IP in place. hxxp://{YOURIP}:50102/database/stats/packet.rate?msg=get&force-content-type=text/plain&expiry=600
One thing I do not know how to do is pass the username and password for a script in the rest API.
2014-08-07 04:17 AM
Hey,
Sean's REST call is great. If you want to pass it credentials you could use the following:
curl -k -u "<user>:<password>" "http://{YOURIP}:50102/database/stats/packet.rate?msg=get&force-content-type=text/plain&expiry=600"
You could also utilise an NwConsole command from SSH to grab this information:
NwConsole -c login localhost:50002 <user> <password> -c database/stats ls |grep -i packet.rate
You could subsequently pipe the output to a text file if you wish.
2014-08-07 05:37 AM
Hey Lee,
I'm sure there was a way to capture EPS by monitoring low-level rabbitmq activity. Is this supported/recommended?
Is something coming in 10.4 that easily allows for monitoring of EPS do you or anybody know?
Thanks,
Patrick
2014-08-07 09:51 AM
Thanks everyone for the info. The issue is we have multiple collectors handing logs off to SA and I need to be able to get an EPS rating for individual collectors and even if possible, more granular - EPS per event source. I appreciate the assistance.
2014-08-08 04:51 AM
Your best hope is definitely using the rest api that Lee mentioned. Or a less scientific way is to try some rapid f5 work to refresh the page on a per device basis over rest
2014-08-08 07:14 AM
Hey Patrick,
You could take a look at the following locations to monitor EPS by collection method:
NwConsole -c login localhost:50001 <user> <password> -c logcollection/windows/stats/eventsources ls |grep -i total_events_rate
NwConsole -c login localhost:50001 <user> <password> -c logcollection/file/stats/eventsources ls |grep -i total_events_rate
NwConsole -c login localhost:50001 <user> <password> -c logcollection/odbc/stats/eventsources ls |grep -i total_events_rate
etc, etc
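Putting Lee's two suggestions together into the scheduled per-collector report the original poster asked for, here is an added example script (not from this thread or from RSA) that polls the REST stats path of several services and appends one CSV row per sample. It assumes the text/plain reply carries the counter as a numeric token (the parser takes the last number on the line), uses placeholder hostnames and ports, and reads the credentials from the environment and feeds them to curl via a config on stdin rather than putting them on the command line where any local user could read them from the process list.

```shell
#!/usr/bin/env bash
# Added example: collect EPS counters from several RSA SA services over the
# REST port and append them to a CSV for a scheduled report.
# Assumptions (not taken from the thread): the text/plain reply contains the
# counter value as a number; host names and ports below are placeholders;
# SA_USER and SA_PASS are supplied through the environment by the scheduler.
set -u

# extract_rate: return the last numeric token in a reply line.
# Handles a bare "412.7" reply as well as "packet.rate = 412.7" style output.
extract_rate() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)?' | tail -n 1
}

# csv_row: build "timestamp,service,counter,value".
csv_row() {
  local ts="$1" service="$2" counter="$3" value="$4"
  printf '%s,%s,%s,%s\n' "$ts" "$service" "$counter" "$value"
}

# fetch_rate: query one service. Credentials go to curl as a config file on
# stdin (-K -) so they never appear in the process list the way -u would.
fetch_rate() {
  local host="$1" port="$2" path="$3"
  printf 'user = "%s:%s"\n' "$SA_USER" "$SA_PASS" |
    curl -sS -K - \
      "http://${host}:${port}/${path}?msg=get&force-content-type=text/plain&expiry=600"
}

# Services to sample: "label host port stats-path". Placeholder values.
SERVICES='
logdecoder1 logdecoder1.example 50102 database/stats/packet.rate
logcollector1 logcollector1.example 50101 logcollection/windows/stats/eventsources
logcollector1-file logcollector1.example 50101 logcollection/file/stats/eventsources
'

# collect: one pass over SERVICES, appending rows to $OUT (default eps.csv).
collect() {
  local out="${OUT:-eps.csv}" ts reply value label host port path
  ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf '%s\n' "$SERVICES" | while read -r label host port path; do
    [ -n "$label" ] || continue
    reply="$(fetch_rate "$host" "$port" "$path" 2>/dev/null)" || reply=""
    value="$(extract_rate "$reply")"
    csv_row "$ts" "$label" "${path##*/}" "${value:-NA}" >> "$out"
  done
}

# Run a collection pass only when credentials are present (i.e. when invoked
# by the scheduler); sourcing the file for its functions does nothing.
if [ -n "${SA_USER:-}" ] && [ -n "${SA_PASS:-}" ]; then
  collect
fi
```

Schedule it from cron with SA_USER/SA_PASS set in the crontab environment (or a 0600 env file it sources) and the CSV grows one row per service per run, which is enough to chart EPS per collector over time; a missing or unparseable reply is recorded as NA rather than dropped so gaps in collection stay visible.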
2014-08-08 07:14 AM
That's a very good way to get RSI
2014-08-08 07:18 AM
Cool - cheers.
Obviously our SA dev friends will be implementing a pretty graph which can be presented in a dashboard in 10.4 won't they?
2014-08-08 07:24 AM
I would like to see EPS but that is mostly troubleshooting. If they had to get anything into 10.4 I would love to see Security Logging for SA and a streaming event window, similar to EnVision and every other SIEM.