How to track the activity of NetWitness users?
- You can track user activity using the audit log messages.
- Audit log messages can be downloaded from Admin -> Services -> select one of the Core Services (e.g. LogDecoder, Concentrator, Broker, Archiver) -> Actions (click on the gear) -> View -> Logs.
- To download the log messages file, select the Historical tab, specify a date, click Search, then press Export.
Below is a sample of downloaded audit logs specific to the user account "AnalystSocUser" on a Concentrator for the previous 2 days:
"2024-03-18T12:00:48" "AUDIT" "Engine" "User AnalystSocUser (session 264515, 192.168.40.101:53088) has logged in"
"2024-03-18T12:07:48" "AUDIT" "SDK-Info" "User AnalystSocUser (session 264515, 192.168.40.101:53088) has requested the SDK summary info: flags=0"
"2024-03-18T12:08:31" "AUDIT" "SDK-Values" "User AnalystSocUser (session 272023, 192.168.40.101:36448) has issued values (channel 272357) (thread 30823) (priority: 0): fieldName=cert.ca id1=1 id2=362881482 threshold=100000 size=20 flags=sessions,sort-total,order-descending where=""(device.type = 'windows' && ip.addr = 192.168.255.222 && category = 'Logon') && time=\""2024-03-16 12:05:00\""-\""2024-03-18 12:05:59\"""""
"2024-03-18T12:08:49" "AUDIT" "SDK-Values" "User AnalystSocUser (session 272023, 192.168.40.101:36448) has finished values (channel 272032, queued 00:00:00, execute 00:00:02): fieldName=ec.outcome id1=1 id2=362881482 threshold=100000 size=20 flags=sessions,sort-total,order-descending where=""(device.type = 'windows' && ip.addr = 192.168.255.222 && category = 'Logon') && time=\""2024-03-16 12:05:00\""-\""2024-03-18 12:05:59\"""""
"2024-03-18T12:09:34" "AUDIT" "Engine" "User AnalystSocUser (session 264436, 192.168.40.101:53088) has logged out"
In the sample above, the user "AnalystSocUser" appears to be trying to view traffic related to ip.addr 192.168.255.222 by running the query (device.type = 'windows' && ip.addr = 192.168.255.222 && category = 'Logon') over the time range 2024-03-16 12:05:00 to 2024-03-18 12:05:59.
The full text of every query is recorded in the audit trail. Although audit logs do not record query results, you can copy the query out of the audit logs and run it on the Investigate page to verify the query results.
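As an added example (not part of the original article or a NetWitness tool), the script below parses exported audit lines in the format shown above and summarizes, per user, the source addresses they logged in from and the distinct queries they issued, which is the information an auditor needs before replaying a query on the Investigate page. It assumes the export format is exactly the one above: four space-separated, double-quoted fields, with embedded quotes doubled.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed input: the five exported audit lines shown above, verbatim.
SAMPLE = r'''"2024-03-18T12:00:48" "AUDIT" "Engine" "User AnalystSocUser (session 264515, 192.168.40.101:53088) has logged in"
"2024-03-18T12:07:48" "AUDIT" "SDK-Info" "User AnalystSocUser (session 264515, 192.168.40.101:53088) has requested the SDK summary info: flags=0"
"2024-03-18T12:08:31" "AUDIT" "SDK-Values" "User AnalystSocUser (session 272023, 192.168.40.101:36448) has issued values (channel 272357) (thread 30823) (priority: 0): fieldName=cert.ca id1=1 id2=362881482 threshold=100000 size=20 flags=sessions,sort-total,order-descending where=""(device.type = 'windows' && ip.addr = 192.168.255.222 && category = 'Logon') && time=\""2024-03-16 12:05:00\""-\""2024-03-18 12:05:59\"""""
"2024-03-18T12:08:49" "AUDIT" "SDK-Values" "User AnalystSocUser (session 272023, 192.168.40.101:36448) has finished values (channel 272032, queued 00:00:00, execute 00:00:02): fieldName=ec.outcome id1=1 id2=362881482 threshold=100000 size=20 flags=sessions,sort-total,order-descending where=""(device.type = 'windows' && ip.addr = 192.168.255.222 && category = 'Logon') && time=\""2024-03-16 12:05:00\""-\""2024-03-18 12:05:59\"""""
"2024-03-18T12:09:34" "AUDIT" "Engine" "User AnalystSocUser (session 264436, 192.168.40.101:53088) has logged out"
'''

# message layout: "User <name> (session <id>, <ip>:<port>) <what happened>"
USER_RE = re.compile(r"^User (\S+) \(session (\d+), ([\d.]+):(\d+)\) (.*)$")
WHERE_RE = re.compile(r'where="(.*)"$')

def parse_audit(text):
    """One dict per user-attributable line. Exported lines are four space-
    separated, double-quoted fields with embedded quotes doubled (csv style)."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter=" ", quotechar='"'):
        if len(row) != 4:
            continue  # blank or truncated line
        stamp, _level, category, message = row
        m = USER_RE.match(message)
        if not m:
            continue  # system message with no user attached
        user, session, ip, port, rest = m.groups()
        w = WHERE_RE.search(rest)
        events.append({
            "time": stamp, "category": category, "user": user,
            "session": int(session), "source": f"{ip}:{port}",
            "action": rest.split(" (")[0].split(":")[0],  # e.g. "has issued values"
            # inside where="..." the engine backslash-escapes quotes; undo that
            "query": w.group(1).replace('\\"', '"') if w else None,
        })
    return events

def summarize(events):
    """Per user: source addresses logged in from and distinct where clauses
    issued ('finished values' repeats the query, so it is counted once)."""
    out = defaultdict(lambda: {"logins": set(), "queries": set()})
    for e in events:
        if e["action"] == "has logged in":
            out[e["user"]]["logins"].add(e["source"])
        elif e["action"] == "has issued values" and e["query"]:
            out[e["user"]]["queries"].add(e["query"])
    return {u: {k: sorted(v) for k, v in d.items()} for u, d in out.items()}
```

The recovered query string is exactly what can be pasted into the Investigate page; a user whose "logins" list shows an address outside the SOC range, or whose queries cluster on a single host, is the kind of entry worth a closer look.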
How much log data can be stored and is it overwritten over time?
- The log database is configured to store 1 GB of log messages. Once that is exceeded, the newest logs overwrite the oldest logs.
- In most cases, 1 GB is sufficient for many months of log messages. However, it can be adjusted under Admin -> Services -> select one of the Core Services (e.g. LogDecoder, Concentrator, Broker, Archiver) -> Actions (click on the gear) -> View -> Explore. On the Explore page, click /logs/config and change the log.dir value after the equal sign. Make sure there is enough disk space available for the size adjustment.