This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Upload Log to Decoder not enabled?

AndrewPowell
Beginner
Beginner

‎2017-08-30 11:50 AM

How can I enable the Upload Log File button, which is currently grayed out/disabled in Admin -> Services -> [our log decoder] -> System?  When I mouse over it, the tooltip says "upload logs from local files to undefined for processing"

 

How can I define the "undefined"? 

 

Any suggestions?  Thank you in advance for any/all help!

0 Likes
3 REPLIES 3

NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-08-30 12:46 PM

Andrew,

 

You have to stop capture on the Log Decoder (done on the same screen, button right now to Upload Load File). Once the Log Decoder stops the capture completely (takes a few seconds), then the Upload Log File will be active for you to click and load/inject your log file.

 

Naushad A Kasu | Senior Practice Consultant, Professional Services | RSA | m: 612.772.5843 | e: naushad.kasu@rsa.com<mailto:naushad.kasu@rsa.com> | www.rsa.com<http://www.rsa.com/>

 

UPCOMING OUT OF OFFICE

Conference: Training: October 3-6

 

<https://community.rsa.com/welcome>

<https://community.rsa.com/welcome>

Preview file
3 KB
Preview file
4 KB
0 Likes

GuyBruneau
Frequent Contributor
Frequent Contributor

‎2017-08-30 02:12 PM

Another option is to copy NwConsole to a CentOs workstation (ver 6.7 is best) and upload the packets.

 

This way the decoder capture can be running to import the packets

 

cd to directory where the packets are located

$ NwConsole

> login decoder:50004 admin password

<decoder:50004]> import *.pcap (The import prefer to have .pcap extension to import)

 

The other option is to mount the drive on a decoder and do the above.

 

If you are going to import packets quite often, I also suggest you create an account for that decoder under the security tab with a role of decoder.manage (only) and a user account that use that role only. That account can only import packets from that decoder for better security.

0 Likes

EricPartington
Employee
Employee

‎2017-09-01 11:17 AM

You can also investigate using NwLogplayer to replay the logs to a log decoder/VLC

 

NwLogPlayer -r 1 --rate 1 -f /DemoTools/logs/relay_10.6.2.log -s 192.168.1.118 -p 514

 

It might not be installed OOTB on the log decoder but you should be able to install the package from yum manually from the RSA repo.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.