Best practice is to configure the SA Server (the NetWitness admin server, which the other hosts reach as nw-node-zero in the commands below) as the NTP server for all other hosts in a Security Analytics environment.
This keeps the hosts within a site in sync time-wise, which is what makes event timestamps recorded on different hosts comparable.
On the SA Server:
- Make sure you have the following firewall rule:
-A INPUT -p udp -m udp -m multiport --dports 123 -m comment --comment "ntp" -m conntrack --ctstate NEW -j ACCEPT
- This can be checked by running the following command on the SA Admin Server CLI (without -n, iptables -L resolves port 123 to the service name "ntp", and the rule's comment also contains "ntp", so the grep matches either way):
#iptables -L --line-numbers | grep -i ntp
- If the rule is not present, follow these steps to add the NTP firewall rules:
- SSH into the SA Server
- Backup the existing iptables configuration
#cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
- Add an NTP entry for the INPUT chain:
A) Iptables: To list out the rules with line numbers:
#iptables -L --line-numbers
B) Save the current iptables configuration:
#service iptables save
C) Take note of the line number of the final DROP in the INPUT chain, because the allow rule has to be inserted ahead of it (a rule placed after the DROP is never evaluated):
#iptables -L --line-numbers | grep DROP
Chain INPUT (policy DROP)
23 DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
1 DROP all -- anywhere anywhere
D) Add the new iptables rule to allow inbound NTP traffic.
Note: -I INPUT N inserts the rule at position N and pushes the existing rules from N onward down by one, so the new rule stays ahead of the DROP as long as N is not greater than the DROP's line number. In this example the final INPUT DROP is at line 23, so the rule is inserted at line 22 (inserting at 23 would also work and would place it immediately before the DROP). The -m state --state NEW match used here is the older spelling of the -m conntrack --ctstate NEW match shown in the rule above; both are accepted.
iptables -I INPUT 22 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
E) Add the new iptables rule to allow outbound NTP traffic. ntpd sends its replies, and its own queries to upstream servers, from source port 123. If the OUTPUT chain's policy is already ACCEPT this rule is redundant but harmless:
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
- Save & Restart iptables if modified:
A) Save iptables:
#service iptables save
B) Restart iptables
#service iptables restart
C) Verify the changes:
#iptables -L --line-numbers | grep -i ntp
22 ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
2 ACCEPT udp -- anywhere anywhere udp spt:ntp
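The steps above are one hand-worked instance (a final DROP at line 23). As an added example that is not part of the original article or of the NetWitness product, the following script does the same job generically: it reads the live INPUT chain, finds the final DROP, inserts the NTP rule (in the conntrack form shown at the top of the page) just ahead of it, skips the insert when an identical rule already exists, adds the OUTPUT rule if missing, and saves. The chain listing embedded in it is constructed for the self-test only; the backup path and `service iptables save` follow the article. Run it as root with `--apply`; without that argument it only defines the functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): insert the NTP accept rule
# ahead of the final DROP in the INPUT chain, idempotently. Run as root with
# --apply on the SA Server; otherwise only the functions are defined.
set -eu

# Constructed sample of `iptables -L INPUT --line-numbers` output, used only by
# the self-test; a real run reads the live table instead.
SAMPLE_INPUT_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
4    DROP       all  --  anywhere             anywhere'

# Print the line number of the last DROP rule in a single-chain listing read
# from stdin. `iptables -I CHAIN N` inserts at position N and pushes the
# existing rule N down, so inserting at the DROP's own number places the new
# rule immediately ahead of it. Exits 1 if the chain has no DROP rule.
last_drop_position() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "DROP" { n = $1 } END { if (n == "") exit 1; print n }'
}

# Rule specification (everything after the chain) for the inbound NTP rule, in
# the conntrack form the article expects to find on the SA Server.
ntp_rule_spec() {
    printf '%s' '-p udp -m udp --dport 123 -m conntrack --ctstate NEW -m comment --comment ntp -j ACCEPT'
}

# Insert the NTP rules into the live tables and save them.
# `iptables -C` compares the whole rule, comment included, so a pre-existing
# rule written differently (for example without the comment) is not detected
# and a second rule would be added alongside it.
apply_ntp_rule() {
    local spec pos
    spec=$(ntp_rule_spec)
    # shellcheck disable=SC2086  # word splitting of the rule spec is intended
    if iptables -C INPUT $spec 2>/dev/null; then
        echo "NTP rule already present in INPUT; nothing to do"
    else
        cp /etc/sysconfig/iptables "/etc/sysconfig/iptables.backup.$(date +%Y%m%d_%H%M)"
        if pos=$(iptables -L INPUT --line-numbers | last_drop_position); then
            iptables -I INPUT "$pos" $spec
        else
            iptables -A INPUT $spec   # no DROP rule in the chain: appending is safe
        fi
    fi
    # Outbound rule from the article (ntpd replies and upstream queries use sport 123).
    iptables -C OUTPUT -p udp --sport 123 -j ACCEPT 2>/dev/null \
        || iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
    service iptables save
    iptables -L --line-numbers | grep -i ntp
}

if [ "${1:-}" = "--apply" ]; then
    apply_ntp_rule
fi
```

Only the INPUT chain is listed (`iptables -L INPUT`) so that the FORWARD chain's DROP, which the article's `grep DROP` output also shows, cannot be mistaken for the INPUT one.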
- To verify the NTP setting on all hosts, run this command from the SA Admin Server CLI. It prints each host's name followed by the lines around the "upstream" marker in its /etc/ntp.conf, and every host should list server nw-node-zero. (The original form of the command used grep -a2, which GNU grep parses as -a plus -2, two lines of context; -A 2 asks explicitly for the two lines after the match and gives the same result here.)
salt '*' cmd.run 'hostname; grep -i -A 2 upstream /etc/ntp.conf | tail -n 2'
Output example:
b3fd7da3-83e6-44cd-aa33-bc98c05af753:
NW11-ESAPRIMARY
server nw-node-zero iburst maxpoll 10
6c1ffd76-a79c-4b7e-866a-43d1474f083c:
NW11-EP-BROKER
server nw-node-zero iburst maxpoll 10
7923c28f-225a-46ba-972c-ce3925b0b061:
NEW-N11-ENDPOINT
server nw-node-zero iburst maxpoll 10
fa65b8d0-66b0-4373-93c1-661c822f1b69:
NW11-DEDICATED-BROKER
server nw-node-zero iburst maxpoll 10
06a69dd3-6faa-44a8-9d4c-104532436909:
NW12-ARCHIVER
server nw-node-zero iburst maxpoll 10
- To verify that all hosts are synced with the SA Admin Server, run this command from the SA Admin Server CLI. A healthy host reports "synchronised to NTP server (<address>) at stratum N"; "unsynchronised" or "Unable to talk to NTP daemon. Is it running?" means the host needs the resync steps below (ntpstat's exit status is 0, 1 and 2 for those three cases respectively, which is useful when scripting the check):
salt '*' cmd.run 'ntpstat'
- To bring a host back into sync with the SA Admin Server, SSH to the NetWitness host and run the following commands. ntpd has to be stopped first because ntpdate refuses to run while another process holds UDP port 123 ("the NTP socket is in use"); ntpdate then steps the clock once against nw-node-zero, and ntpd keeps it disciplined from there:
#systemctl stop ntpd
#ntpdate nw-node-zero
#systemctl start ntpd
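As an added example (not from the original article or from NetWitness), the script below combines the two salt checks above into one pass and parses the result: for each minion it reports whether /etc/ntp.conf points at nw-node-zero and whether ntpstat says the host is synchronised, so the hosts that need the ntpdate resync step stand out. The salt output embedded in it is constructed: the minion IDs and hostnames are taken from the article's output, while the ntpstat states and the stray pool.ntp.org upstream are made up to exercise the failure paths. `grep "^server" /etc/ntp.conf` is assumed to be a valid way to read each host's configured upstream, since the article's output shows a plain `server` line. Run it with `--live` on the SA Admin Server to query the real fleet.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): check every NetWitness host's
# NTP upstream and sync state in one salt call and report the ones that need
# attention. Run with --live on the SA Admin Server; otherwise only the
# functions are defined (the self-test feeds them constructed output).
set -eu

# Constructed output of `salt '*' cmd.run 'hostname; grep "^server" /etc/ntp.conf; ntpstat'`.
# Minion IDs and hostnames match the article's example; the ntpstat states and
# the pool.ntp.org upstream are made up to exercise the failure paths.
SAMPLE_SALT_OUTPUT='b3fd7da3-83e6-44cd-aa33-bc98c05af753:
    NW11-ESAPRIMARY
    server nw-node-zero iburst maxpoll 10
    synchronised to NTP server (10.10.10.5) at stratum 3
       time correct to within 12 ms
       polling server every 1024 s
6c1ffd76-a79c-4b7e-866a-43d1474f083c:
    NW11-EP-BROKER
    server nw-node-zero iburst maxpoll 10
    unsynchronised
      polling server every 8 s
7923c28f-225a-46ba-972c-ce3925b0b061:
    NEW-N11-ENDPOINT
    server 0.centos.pool.ntp.org iburst
    Unable to talk to NTP daemon. Is it running?'

# Read salt cmd.run output on stdin and print one line per minion:
#   <minion-id> OK
#   <minion-id> FAIL [upstream=<server>] [unsynchronised|no-ntpstat-output]
# salt prints each minion ID on a line of its own ending in ":" and indents
# that minion's command output beneath it, so a non-indented line starts a
# new record. $1 is the expected upstream (default nw-node-zero).
ntp_report() {
    awk -v upstream="${1:-nw-node-zero}" '
        function flush(    problems) {
            if (minion == "") return
            problems = ""
            if (server != upstream)
                problems = problems " upstream=" (server == "" ? "none" : server)
            if (state != "synchronised")
                problems = problems " " (state == "" ? "no-ntpstat-output" : state)
            if (problems == "") print minion " OK"; else print minion " FAIL" problems
            server = ""; state = ""
        }
        /^[^ \t].*:$/                    { flush(); minion = $0; sub(/:$/, "", minion); next }
        $1 == "server"                   { server = $2; next }
        /unsynchronised|Unable to talk/  { state = "unsynchronised"; next }
        /^[ \t]*synchronised to/         { state = "synchronised"; next }
        END                              { flush() }
    '
}

# Print the report and return 0 only when every minion is OK, so the check can
# gate a larger automation run.
check_fleet() {
    local report
    report=$(ntp_report "${1:-nw-node-zero}")
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q ' FAIL'
}

if [ "${1:-}" = "--live" ]; then
    salt '*' cmd.run 'hostname; grep "^server" /etc/ntp.conf; ntpstat' | check_fleet nw-node-zero
fi
```

A host reported as FAIL with `upstream=` is misconfigured rather than merely drifting, so fix its /etc/ntp.conf before running the stop/ntpdate/start sequence above; a host that reports `unsynchronised` with the right upstream is the case that sequence is meant for.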