2017-04-03 12:47 PM
Is it possible to use the REST API to monitor if a server stops sending logs? For instance, we have a list of, say 100, critical servers. We would like to check on a 20 minute basis and make sure these servers have sent logs via the REST API. Is this possible?
2017-04-04 05:24 PM
Health & Wellness should be able to provide visibility into whether you are receiving logs or not. Alerts can be set up to let you know when you are no longer seeing logs from a specific event source. You can see it when going to Administration -> Event Sources.
Here is the documentation on this: ESM: Manage Tab
As of 10.6.2.2 this monitoring is in beta and in environments where there is a lot of activity it can cause the Netwitness UI to have performance and database issues. If you decide to try it please use it with caution as it can cause the ESM mongo database to grow very large, very quickly. If you have issues you will need to contact RSA Netwitness Support to help clear out the database. I bring this up so that you can look over the feature and see if this is what you are looking for. If so then I would look to this feature in upcoming releases.
2017-04-04 09:42 AM
Hi Billy
This article will show you how to track the log count and last received time for each event source and forwarder that reports to it. I have not accessed these stats via REST, but you can see if they become visible via REST by logging into port 50102 on the LogDecoder after making these changes.
https://community.rsa.com/docs/DOC-43391
Hope this helps.
Thanks.
Art
2017-04-04 11:37 AM
Unfortunately, it does not appear that the log stats are exposed to the REST API.