This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Use REST API to monitor if a Server is sending logs

Go to solution
BillyMiller
Beginner
Beginner

‎2017-04-03 12:47 PM

Is it possible to use the REST API to monitor if a server stops sending logs?  For instance, we have a list of, say 100, critical servers.  We would like to check on a 20 minute basis and make sure these servers have sent logs via the REST API.  Is this possible?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-04-04 05:24 PM

Health & Wellness should be able to provide visibility into if you are receiving logs or not. Alerts can be setup to let you know when you are no longer seeing logs from a specific event source. You can see it when going to Administration -> Event Sources.

Here is the documentation on this :ESM: Manage Tab 

 

As of 10.6.2.2 this monitoring is in beta and in environments where there is a lot of activity it can cause the Netwitness UI to have performance and database issues. If you decide to try it please use it with caution as it can cause the ESM mongo database to grow very large, very quickly. If you have issues you will need to contact RSA Netwitness Support to help clear out the database. I bring this up so that you can look over the feature and see if this is what you are looking for. If so then I would look to this feature in upcoming releases.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2017-04-04 09:42 AM

Hi Billy

 

This article will show you how to track the the log count and last received time for each event source and forwarder that reports to it.  I have not accessed these stats via REST but you can see if they become visible via REST by logging into port 50102 on the LogDecoder after making these changes.

 

https://community.rsa.com/docs/DOC-43391 

 

Hope this helps.

 

Thanks.

 

Art

 

0 Likes

Go to solution
BillyMiller
Beginner
Beginner

‎2017-04-04 11:37 AM

Unfortunately, it does not appear that the log stats are exposed to the REST API.

0 Likes

Go to solution
JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-04-04 05:24 PM

Health & Wellness should be able to provide visibility into if you are receiving logs or not. Alerts can be setup to let you know when you are no longer seeing logs from a specific event source. You can see it when going to Administration -> Event Sources.

Here is the documentation on this :ESM: Manage Tab 

 

As of 10.6.2.2 this monitoring is in beta and in environments where there is a lot of activity it can cause the Netwitness UI to have performance and database issues. If you decide to try it please use it with caution as it can cause the ESM mongo database to grow very large, very quickly. If you have issues you will need to contact RSA Netwitness Support to help clear out the database. I bring this up so that you can look over the feature and see if this is what you are looking for. If so then I would look to this feature in upcoming releases.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.