NetWitness Community

Hi Pavan,

As Sean mentioned, Logdecoder is the data source for Archiver. Also, Archiver is data source to Reporting.

RSA recommends DAC for additional storage for Netwitness appliances. Run nwraidutil.pl command in putty console. If Adapter 1 has physical disks, then it must have additional storage. Some customers prefer adding SAN instead DAC.

In case if you need, the documents in https://community.rsa.com/community/products/netwitness/hardware-setup-guides help for initial Hardware Setup and installation procedure for each appliance.

Hi Pawan,

First of all you should know the traffic flow In SIEM language we will say “Log Traversal”:

A simple example will be:

VLC > Log Decoder/Decoder > Log Concentrator/ Concentrator > Broker

Secondly customer would like to complete POST & Burn-In test before actually starting deployment, Do we have these things documented somewhere? Do we use any external tools to do so?

1. VLC – It collects the data and sends to LogDecoder
2. Decoder – The Decoder captures, parses, and reconstructs all network traffic from Layers 2 - 7, or log and event data from hundreds of devices. “According to the parcers you have enabled on your decoder.”
3. Concentrator: Concentrators index metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting.
4. Broker: is an appliance and a service in the Security Analytics network. Brokers aggregate data captured by configured Concentrators, and Concentrators aggregate data from Decoders. Therefore, a Broker bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure. “Basically you will use it when you have multiple concentrator”
5. Archiver: is an appliance that enables long-term log archiving by indexing and compressing log data and sending it to archiving storage

“We have pair of VLC/Decoder/Concentrator/Archiver for one of the customer site, So actually which device will be interacting with #Archiver?”

1. Go to VLC >config and add a decoder in local decoder option.
2. Now go to concentrator and add the same site decoder to the same site Concentrator “Make sure in concentrator It is showing the status as consuming ”
3. Now go to ESA and all your similar site  concentrator as a data source.
4. Now go to Archiver and add your decoders.
5. Now you can get a cup of coffee and enjoy!

Archiver will only takes input only from Decoders: Just go to Archiver config and attach your Decoder whith archiver, it will keep all Mata data as an archive for long term and if you need it later.

https://community.rsa.com/docs/DOC-45706 --follow this for Archiver backing up options.

 And which all would be with #SAN? What I believe is you should attach a extra Storage with

Your Concentrator Decoder and of course with Archiver, but it will depend upon you that how long you want to keep your logs according to your Log retention policy. And my suggestion  is that you should contact to support and ask them that what main partitions in decoder and concentrator are those I should have a big storage,

As I have session index and packetdb has most of the storage allotted on decoder

And Meta Index and Session on Concentrator,

you have to calculate the partition size for log retentions.

    For this my only suggestion is that you should start capturing logs one by one, like first start windows collection than start syslog, than any firewall logs, Same time monitor EPS rate otherwise you will soon crash your devices, due to flood of logs. I hope you have already integrated all event sources those will send logs to you SIEM, if not you still have long run to go. Because only after that your POST & burn in test which will be a bench marking test will be possible.

Keep monitoring the EPS Rate, any continue learning.