This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Using REST API to pull events from concentrator

JohnBabio
Beginner
Beginner

‎2018-05-25 02:51 PM

I am trying to user curl to pull data from our concentrator. it doesn't seem to want to work with curl. I am also not sure if i have the proper syntax. It works fine by manually going to the site at http://x.x.x.x:50105/sdk/packets the query i am trying to run is event.desc = 'ids_alerted' && time="2018-May-24 0:00"-"2018-May-24 23:20" and again it works fine using the manual page.

curl --user 'username:password'

'https://x.x.x.x:50105/sdk?packets?render=logs%event.desc+%3D+%27ids_alerted%27+%26%26+time%3D%272018-May-24+0%3A00%27-%272018-May-24+23%3A20%27' -k

6 REPLIES 6

EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)

‎2018-05-26 12:34 AM

John Babio‌,

 

I've moved your question to the RSA NetWitness Platform" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA NetWitness Platform" data-type="space and click Ask A Question.  That way your question will appear in the correct space.

Regards,

Erica

0 Likes

DerekWilson
Beginner
Beginner

‎2018-05-28 04:09 PM

You need to add --tlsv1.2 to your command for it to work.

0 Likes

JohnBabio
Beginner
Beginner
In response to DerekWilson

‎2018-05-28 04:29 PM

Tried that but still nothing

0 Likes

ThomasFedorchuk
Occasional Contributor Occasional Contributor
Occasional Contributor

‎2018-05-29 10:37 AM

Hi,

 

Try using the curl command below. It is modified to pull events for the entire day of May 24.

Please substitute your username/password and concentrator ipaddr.

# curl -u username:password "http://xxx.xxx.xxx.xxx:50105/sdk/packets?&render=logs&event.desc='ids_alerted'&time1=2018-May-07%2000:00:00&time2=2018-May-24%2023:59:59"

0 Likes

JohnBabio
Beginner
Beginner

‎2018-05-29 01:37 PM

this works but it ignores what I am looking for as far as the event desc. It only concentrates on the time structure and gives me all logs between that time frame.

0 Likes

GuyBruneau
Frequent Contributor
Frequent Contributor

‎2018-05-29 02:32 PM

John,

 

If you are looking to pull meta, maybe this might work for you. https://community.rsa.com/message/897773

#meta #csv

 

Guy#

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.