Creating and Managing an Identity Feed

You can easily create an Identity feed and populate it to selected Decoders and Log Decoders. After completing this procedure, you will have created an Identity feed.

To create an identity feed:

  1. Add a destination for the feed.
    1. Go to netwitness_adminicon_25x22.png (Admin) > Services and in the Services.
    2. In the list of services, select a Log Collector service, and select netwitness_ic-actns.png View > Config.
    3. Select the Event Destinations tab.
    4. In the Select Event Destinations field, select Identity Feed.

      netwitness_identityfeed_destination.png

    5. Click netwitness_ic-add.png and enter a unique name for the feed.

      The Queue name identifies the feed within the Log Collector. Use the name of the feed for the Queue.

      netwitness_identityfeed_queue.png

    6. Click OK.
  2. Test generation of messages.

    1. Have users log into Windows boxes on the domain to generate the appropriate log messages on the domain controllers for testing.
    2. Verify that data is written to the feed files. SSH to the Log Decoder/Collector or Virtual Log Collector being configured. Navigate to /var/netwitness/logcollector/runtime/identity-feed and verify that the Identity_deploy files are getting populated with data.

      netwitness_identityfeed_winbox.png

    3. Open up a web browser (Non-Internet Explorer browsers preferred) and log in to the REST interface of the Log Collector. Use administrative credentials when logging in. For example, if the IP address of your Log Collector is 192.168.99.66, the URL would be:

      The browser screen should look like this:

      netwitness_identityfeed_rest01.png

      The screen contains the name of the identity feed you created earlier (infonetd_domain, in this example).

      For the identity feed to function correctly, port 50101 must be active on the Log Collector, and you must determine whether SSL encryption is active.

    4. Go to netwitness_adminicon_25x22.png (Admin) > Services > <Log Collector being setup> netwitness_ic-actns.png > View > Explore.
    5. In the left pane, expand rest > config.

      netwitness_identityfeed_rest02.png

      For REST to be active, enabled must be set to 1.

    6. Note the value for ssl. If SSL should be enabled for your environment, this must be set to on.

      Note: If you changed the setting for either the enabled or ssl option you must restart the Log Collector service before moving forward.

  3. Go to netwitness_configureicon_24x21.png (Configure) > Custom Feeds.

    The Feeds dialog is displayed.

    122_CustomFeeds_1122.png

  4. In the toolbar, click netwitness_add.png.

    The Setup Feed dialog is displayed.

    netwitness_setup_identfeed.png

  5. Make sure Identity Feed is selected and click Next.

    The Configure Identity Feed panel opens with the Define Feed tab displayed.

  6. (Conditional) You can create an on-demand or recurring feed.

    • To define an on-demand Identity feed task that executes once, select Adhoc in the Feed Task Type field, type the feed Name, and browse for and open the feed.
    • To define a recurring Identity Feed task that executes on a recurring basis, select Recurring in the Feed Task Type field.

      The Define Feed dialog includes the fields for a recurring feed.

      netwitness_idfeed_recur.png

      Note: RSA NetWitness verifies the location where the file is stored, so that NetWitness can check for the latest file automatically before each recurrence.

  7. Enter a value and verify the URL field.

    1. In the URL field, enter the URL where the feed data file is located. This is the REST API interface that was setup earlier. Make sure you have the following information to construct the URL:

      • The IP address of the Log Collector being used to construct the Identity Feed file.
      • The identity queue name, as set in step 2c.
      • Whether or not SSL is enabled on the Log Collector REST port, as set in step 2f.

      You can construct this value as follows:

      • SSL enabled: https://<LogCollector>:50101/event-processors/<ID Event processor name>?msg=getFile&force-content-type=application/octet-stream&expiry=600
      • SSL not enabled: http://<LogCollector>:50101/event-processors/<ID Event processor name>?msg=getFile&force-content-type=application/octet-stream&expiry=600

      So, using the example from earlier, the complete value that you would enter into this field is as follows:

      http://192.168.99.66:50101/event-processors/infonetd_domain?msg=getFile&force-content-type=application/octet-stream&expiry=600?msg=getFile&force-content-type=application/octet-stream&expiry=600

    2. For the URL verification to work correctly, it is important that the NetWitness UI server can access the Log Collector’s REST API port (50101). This can be tested by going to the NetWitness UI server via SSH. Once there, run the following command:

      • SSL enabled: curl -vk https://<ip of log collector>:50101
      • SSL not enabled: curl -v http://<ip of log collector>:50101

      If the curl command does not connect then there may be a network firewall or routing issue between the NetWitness UI server and the Log Collector.

      Example of a bad connection:

      * About to connect() to 192.168.99.66 port 50105 (#0)
      * Trying 192.168.99.66... No route to host
      * couldn't connect to host
      * Closing connection #0
      curl: (7) couldn't connect to host

      Example of a good connection:

      * About to connect() to 192.168.99.66 port 50105 (#0)
      * Trying 192.168.99.66... connected
      * Connected to 192.168.99.66 (192.168.99.66) port 50105 (#0)
      > GET / HTTP/1.1
      > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
      > Host: 192.168.99.66:50105
      > Accept: */*
      >

      < HTTP/1.1 401 Unauthorized
      < Content-Length: 71
      < Connection: Keep-Alive
      < Pragma: no-cache
      < Expires: -1
      < Cache-Control: no-cache, no-store, must-revalidate
      < WWW-Authenticate: Basic realm="NetWitness"
      < Content-Type: text/xml; charset=utf-8
      <

      <?xml version="1.0" encoding="utf-8"?>
      <error>401 Unauthorized</error>
      * Connection #0 to host 192.168.99.66 left intact
      * Closing connection #0

  8. The REST API requires a username and password when attempting to pull the identity_deploy.csv file from the Log Collector. This can be any username and password that is available on the service itself. For more information, see the "Services Security View" topic in the Hosts and Services Guide.

    To see which accounts are available, go to netwitness_adminicon_25x22.png (Admin) > Services > <log collector being setup> > Actions > View > Security.

    Under the Users table, you see all the users that can be used in this step. It is suggested that a separate user account is created specifically for this setup, and is used nowhere else in the environment, for added security. For details, see "Add a User and Assign a Role" in the System Security and User Management Guide. (Go to the NetWitness Documents - All Versions to find all RSA NetWitness Platform 11.x documents.)

  9. To define the recurrence interval, do one of the following:

    • Specify the number of minutes, hours, or days between recurrences of the feed.
    • Enter the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time.
  10. If using SSL encryption, you need to install the REST API SSL certificate for the Log Collector into the NetWitness UI server. For more information, see Import the SSL Certificate.

    If, after importing the SSL certificate, the verification of the URL still fails, see Cannot Verify Identity Feed URL.

  11. Click Verify to verify your identity feed configuration before you proceed to the Select Services dialog.
  12. Click Next.

    The Select Services dialog is displayed.

    netwitness_104cifselectservices_600x302.png

  13. To identify services on which to deploy the feed, select one or more Decoders and Log Decoders and click Next.
  14. Click the Groups tab, select a group, and click Next.

    The Review dialog is displayed.

    netwitness_104cifreview_600x367.png

    Note: If a group of devices with Decoders and Log Decoders is used to create recurring or custom feeds and this group is deleted, you can edit the feed and add a new group to the feed.

  15. Anytime before you click Finish, you can:

    • Click Cancel to close the wizard without saving your feed definition.
    • Click Reset to clear the data in the wizard.
    • Click Next to display the next form (if not viewing the last form).
    • Click Prev to display the previous form (if not viewing the first form).
  16. Review the feed information, and if correct, click Finish.

Upon successful creation of the feed definition file, the Create Feed wizard closes, and the feed and corresponding token file are listed in the Feed grid and progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.

122_CustFdAdded_1122.png

Import the SSL Certificate

If SSL is configured on the Identity feed’s Log Collector, follow these steps to import the Log Collector’s SSL certificate into the NetWitness UI server key store. If this certificate is not imported, the NetWitness UI server will be unable to pull the Identify feed file from the Log Collector.

  1. To pull the SSL certificate off the Log Collector, SSH into the NetWitness UI server and run the following command:

    echo -n | openssl s_client -connect <HOST>:<PORT> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/<SERVERNAME>.cert

    This command saves the SSL certificate to /tmp/<SERVERNAME>.cert. For example:

    echo -n | openssl s_client -connect 192.168.99.66:50101 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/logcollector.cert

  2. To import the SSL certificate into the NetWitness UI server, SSH into the UI server and run the following command:

    keytool -importcert -alias <name an alias for the cert> -file <the cert file pathname> -keystore /etc/pki/java/cacerts

    For example:

    keytool -importcert -alias logcollector01 -file /tmp/logcollector.cert -keystore /etc/pki/java/cacerts

  3. The system requests a password. Enter the password for the keystore on the NetWitness UI server, not for the jetty keystore. The default password is changeit.
  4. Restart jettysrv to allow jetty to read the new certificate in the store.

Cannot Verify Identity Feed URL

If the Identity feed URL cannot be verified, and you are using SSL, make sure you followed the steps in Import the SSL Certificate.

If there are issues, it is possible that the internal name of the certificate does not match the hostname of the Log Collector. The following procedure checks this.

  1. SSH to the NetWitness UI server.
  2. Run the following command to output the CN name of the SSL cert:

    echo -n | openssl s_client -connect <log decoder>:50101 | sed -ne '/BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

    For example:

    echo -n | openssl s_client -connect salogdecoder01:50101 | sed -ne '/BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

  3. Retrieve the CN name of the SSL certificate.

    netwitness_identityfeed_cn01.png

  4. Edit the /etc/hosts file and add the IP address and CN name to the file.

    netwitness_identityfeed_cn02.png

  5. Restart the network service on the appliance.
  6. Confirm that the name placed in the /etc/hosts file is used instead of the FQDN or IP address in the Identity feed URL.
  7. Re-verify the Identity feed URL.

Investigating an Identity Feed

An identity feed tracks interactive log on events from the Windows operating system. Identity feeds do not track interactive log off events.

In order for an identity feed to process events and tag them, the events need to be collected using a Windows Log Collection module where an Active Domain Controller or non-Domain Controller is configured. Note that identity feeds can only be processed via an Identity Feed Event Processor.

Note: An identity feed only tracks one log in at a time. If two users log in to a system at the same time, the second user will overwrite the first user's data in the identity feed.

Once you have created an identity feed, you can view the results by investigating the feed.​

To investigate a configured identity feed:

  1. Go to INVESTIGATE > Navigate.

    If no default service is selected, the Investigate dialog is displayed.

    netwitness_identfeed_investigate.png

  2. Select a service, usually a Concentrator, and click Navigate.
  3. Select Load Values to retrieve meta data.

In the Values panel, scroll down to find the Meta Keys:

identFeed_metakeys.PNG

The identity feed provides information to selected Decoders and Log Decoders. It associates the Host IP data from the Windows operating system to the user logging into that Host in order to tag all logs associated with that IP and investigate.