Hosts and Services Maintenance Procedures

Every service requires a host. After you set up a host, you can assign services to it and move services from it to other hosts in your NetWitness deployment.


High-Level Task | Description
Maintain a Host - Basics | The following maintenance tasks are shown in alphabetical order.
Maintain a Host from the Host Task List Dialog | You use the Host Task List dialog to manage tasks that relate to a host and its communications with the network. Several service and host configuration options are available for Core hosts.
Maintain a Service | The following procedures describe how to maintain services.

Apply Version Upgrades to a Host

Upgrade guides are available for all supported versions of NetWitness. Refer to the upgrade guide for the latest version in the Install and Upgrade section of the NetWitness documentation page on NetWitness Link.

Pre-Stage Host

Note: The Pre Stage Host option is enabled for upgrade on the Admin Server. This option is available after you upgrade to 11.7.1 and can be used to upgrade to versions later than 11.7.1.

    1. Go to (Admin) > Hosts.

    2. Click Update > Check for Updates.
      All available update versions are displayed in the Versions drop-down list.

    3. Click Update > Pre Stage Host and select the version in the Update Version column.
      A confirmation message for downloading the files is displayed.


    1. Click Yes to download the upgrade packages to the repo.

    2. Verify the status of the download in the notifications tray.
      The Pre Stage Host and Upgrade Host options are disabled until the pre-stage is completed.

      Note: During the pre-stage, the current version and the update version shown in the UI are the same, because this is not the actual update: only the repo files are downloaded and no upgrade is performed. The version changes only after the upgrade.

    3. If the download is successful, click Check for Updates again to start the initialization.

    4. Click Initialize Update.
      The initialization of the package takes some time, because the files are large and must be unzipped.


IMPORTANT: Pre Stage Repo preparation steps 1 to 4 can be performed at any time. However, the upgrade process begins at step 5; during steps 5 to 8 you must NOT reboot the host or restart the Jetty server, because doing so corrupts the .ZIP files.

  1. Check the status of initialization in the notifications tray.

  2. After the initialization is completed successfully, click Update > Update Host.
    After the host is updated, you will be prompted to reboot the host.


  3. Set up the host and reboot the host.

Create and Manage Host Groups

The Hosts view provides options for creating and managing groups of hosts. The Groups panel toolbar includes options for creating, editing, and deleting host groups. Once groups are created, you can drag individual hosts from the Hosts panel into a group.

Groups may reflect functional, geographical, project-oriented, or any other organization principle that is useful. A host may belong to more than one group. Here are some examples of possible groupings:

  • Group different categories to make it easier to configure and monitor all Brokers, Network Decoders, or Concentrators.
  • Group hosts that are part of the same data flow; for example, a Broker, and all associated Concentrators and Network Decoders.
  • Group hosts according to their geographic region and location within the region. If a major power outage occurs in a location, potentially affected hosts are easily identifiable.

Create a Group

  1. Select (Admin) > Hosts.
    The Hosts view is displayed.
  2. In the Groups panel toolbar, click the Add icon.
    A field for the new group opens with a blinking cursor.
  3. Type the name of the new group in the field (for example, Geo 1) and press Enter.
    The group is created as a folder in the tree. The number next to the group indicates the number of hosts in that group.

Change the Name of a Group

  1. In the Hosts view Groups panel, double-click the group name, or select the group and click the Edit icon.
    The name field opens with a blinking cursor.
  2. Type the new name of the group and press Enter.
    The name field closes and the new group name is displayed in the tree.

Add a Host to a Group

In the Hosts view Hosts panel, select a host and drag the host to a group folder in the Groups panel.
The host is added to the group.

View the Hosts in a Group

To view the hosts in a group, click the group in the Groups panel.
The Hosts panel lists the hosts in that group.

Remove a Host from a Group

  1. In the Hosts view Groups panel, select the group that contains the host that you want to remove.
    The hosts in that group appear in the Hosts panel.
  2. In the Hosts panel, select one or more hosts that you want to remove from the group, and in the toolbar, select the Delete icon > Remove from Group.
    The selected hosts are removed from the group, but are not removed from the NetWitness user interface. The number of hosts in the group, which is listed near the group name, decreases by the number of hosts removed from the group. The All group still contains the hosts that were removed from the group.
    In the following example, the host group called Geo 1 does not contain any hosts, because all the hosts in that group have been removed.

Delete a Group

  1. In the Hosts view Groups panel, select the group that you want to delete.
  2. Click the Delete icon.
    The selected group is removed from the Groups panel. The hosts that were in the group are not removed from the NetWitness user interface. The All group contains the hosts from the deleted group.

Search for Hosts

You can search for hosts from a list of hosts in the Hosts view. The Hosts view enables you to quickly filter the list of hosts by Name and Host. A deployment can have numerous NetWitness hosts in use for various purposes. Instead of scrolling through the host list, you can quickly filter it to locate the hosts that you want to administer.

In the Services view, you can search for a service and quickly find the host that runs that service.

Search for a Host

  1. Select (Admin) > Hosts.
  2. In the Hosts panel toolbar, type a host Name or Hostname in the Filter field.
    The Hosts panel lists the hosts that match the names entered in the Filter field.

Find the Host that Runs a Service

  1. Select (Admin) > Services.
  2. In the Services view, select a service. The associated host is listed in the Host column for that service.
  3. To administer the host in the Hosts view, click the link in the Host column for that service.
    The host associated with the selected service is displayed in the Hosts view.

Execute a Task From the Host Task List

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.

    Note: The Admin, Config, Orchestration, Security, Investigate, and Respond services do not have access to the System view. They only have access to the Explore view.

    The System view for the service is displayed.

  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List dialog, click in the Task field to display a drop-down list of tasks that run on a host.
  5. Select a task (for example, click Stop Service).
    The task is displayed in the Task field. The task description, example arguments, security roles, and parameters are displayed in the Info area.
  6. Type arguments if necessary and click Run.
    The command executes and the result is displayed in the Output section.

Add and Delete a Filesystem Monitor

When you want a service to monitor traffic on a specific file system, you can select the service and then specify the path. NetWitness Platform adds a filesystem monitor. Once a file system monitor is added to a service, the service continues to monitor traffic on that path until the file system monitor is deleted.

Configure the Filesystem Monitor

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Add Filesystem Monitor.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. To identify the file system to monitor, type the path in the Arguments field. For example:
    path=/var/netwitness/decoder/packetdb
  6. Click Run.
    The result is displayed in the Output area. The service begins to monitor the file system and continues to monitor it until you delete the filesystem monitor.

Delete a Filesystem Monitor

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Delete Filesystem Monitor.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. To identify the filesystem to stop monitoring, type the path in the Arguments field. For example:
    path=/var/netwitness/decoder/packetdb
  6. Click Run.
    The result is displayed in the Output area. The service stops monitoring the file system.

Reboot a Host

Under certain conditions, you must reboot a host; for example, after installing a software upgrade. This procedure uses a Host Task List message to shut down and restart a host.

The NetWitness Platform also offers other options for shutting down a host:

Shut Down and Restart a Host from the Hosts View

  1. Select (Admin) > Hosts.
  2. In the Hosts panel, select a host.
  3. Select Reboot Host from the toolbar.

Shut Down and Restart a Host from the Host Task List

  1. Select (Admin) > Services.
  2. In the Services panel, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Reboot Host in the Task field.
    No arguments are required.
  5. Click Run.
    The host is rebooted and the result is displayed in the Output area.

Set Host Built-In Clock

After a shutdown or battery failure, it may be necessary to set the local clock on a host. The Set Host Built-In Clock task resets the clock time.

Set the Time on the Local Clock

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Host Built-In Clock.
    Help for the task is displayed in the Info area.
  5. Enter the date and time arguments in the Arguments field.
    For example, to specify October 31, 2017 at 11:59:59 PM, type:
    set=20171031T235959
  6. Click Run.
    The clock is set to the specified time and a message is displayed in the Output area.

Set Network Time Source

When setting the clock source for a host, set the hostname or address of a Network Time Protocol (NTP) server to be the network clock source for the host. If the host is using a local clock source, you must specify local here for Set the Local Clock Source to take effect.

Specify the Network Clock Source

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Network Time Source.
  5. Do one of the following:
  • Type the hostname or address of the NTP server to serve as the clock source for this host; for example: source=tictoc.localdomain
  • If you want to use the host clock as a clock source, type:
    source=local
  6. Click Run.
    The clock source is set and a message is displayed in the Output area.

Note: If you specified an NTP clock source of local, the host clock serves as the clock source and the time is configured using Set Host Built-In Clock.

Set SNMP

The Set SNMP task in the Host Task List enables or disables the SNMP service on a host. For a host to receive SNMP notifications, enable the SNMP service. If you are not using SNMP for NetWitness notifications, it is not necessary to enable the service.

Toggle SNMP Service on the Host

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select setSNMP.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. Do one of the following:
  • If you want to disable the service, type enable=0 in the Arguments field.
  • If you want to enable the service, type enable=1 in the Arguments field.
  6. Click Run.
    The result is displayed in the Output area.

Set Syslog Forwarding

You can configure Syslog forwarding to forward the operating system logs of your NetWitness Hosts to a remote syslog server. You can use the Set Syslog Forwarding task in the Host Task List to enable or disable syslog forwarding.

Set Up and Start Syslog Forwarding

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Set Syslog Forwarding.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. In the Arguments field, do one of the following.
    • To enable syslog forwarding, specify the destination in one of the following formats:

      host=<loghost>.<localdomain> (for example, host=syslogserver.local).

      host=<loghost>.<localdomain>:<port> (for example, host=syslogserver.local:514).

      host=<IP> (for example, host=10.31.244.244).

      host=<IP>:<port> (for example, host=10.31.244.244:514).

      The following table lists the parameters used to enable syslog forwarding.

      Parameter | Description
      loghost | The host name of the remote syslog server.
      localdomain | The domain of the remote syslog server.
      IP | The IP address of the remote syslog server.
      port | The port number on which the remote syslog server receives syslog messages.
    • To disable syslog forwarding, type host=disable.
  6. Click Run.
    The result is displayed in the Output area.

Once syslog forwarding is enabled or disabled, the /etc/rsyslog.conf file is updated automatically to enable or disable syslog forwarding to the remote syslog destination and the syslog service is restarted.

If you enable syslog forwarding, the operating system logs of the host that runs the configured service are forwarded to the defined syslog server, and forwarding continues until it is disabled.

Note: You can now log in to the remote syslog server and verify that messages are being received from the NetWitness hosts configured for syslog forwarding.
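Every Host Task List argument on this page is typed free-form into the Arguments field, so a validator that checks the value before the task is run against a Core host catches a mistyped syslog destination, clock value or service name early. The following is an added example (not NetWitness code) that covers the `host=` formats and parameter table above together with the `path=`, `set=`, `source=`, `enable=` and `service=` arguments from the other Host Task List procedures on this page; the task names and keys come from the page, while the validation rules (port range 1-65535, IPv4 only, absolute monitor paths) are this example's own assumptions.

```python
"""Validate Host Task List arguments in the formats documented on this page.

Added example, not NetWitness code. Task names and argument keys follow the
procedures on the page; the validation rules are this example's assumptions.
"""
import ipaddress
import re
from datetime import datetime

# Services the Stop Service and Start Service tasks accept (from the page).
SERVICE_NAMES = {"decoder", "concentrator", "broker", "logdecoder", "logcollector"}

# Argument key each task expects in the Arguments field (from the page).
EXPECTED_KEY = {
    "Set Syslog Forwarding": "host",
    "Set Host Built-In Clock": "set",
    "Set Network Time Source": "source",
    "Set SNMP": "enable",
    "Stop Service": "service",
    "Start Service": "service",
    "Add Filesystem Monitor": "path",
    "Delete Filesystem Monitor": "path",
}

# DNS host name: dot-separated labels of letters, digits and hyphens (assumed).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}")


def _split_kv(argument):
    """Split 'key=value' exactly as typed into the Arguments field."""
    key, sep, value = argument.strip().partition("=")
    if not sep or not key or not value:
        raise ValueError(f"expected key=value, got {argument!r}")
    return key, value


def _classify_target(target):
    """Return 'ip' for an IPv4 literal or 'hostname' for a valid DNS name."""
    try:
        ipaddress.IPv4Address(target)
        return "ip"
    except ipaddress.AddressValueError:
        if _HOSTNAME_RE.fullmatch(target):
            return "hostname"
        raise ValueError(f"not an IPv4 address or host name: {target!r}")


def parse_syslog_host(value):
    """Parse 'host=' for Set Syslog Forwarding: <loghost>.<localdomain> or
    <IP>, optionally followed by :<port>, or the literal 'disable'. The page
    gives no default port, so 'port' is None when the value carries none."""
    if value == "disable":
        return {"enabled": False}
    target, sep, port_text = value.rpartition(":")
    port = None
    if sep:
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    else:
        target = value  # no ':' present, so the whole value is the target
    return {"enabled": True, "kind": _classify_target(target),
            "target": target, "port": port}


def parse_clock(value):
    """Parse 'set=' for Set Host Built-In Clock, format YYYYMMDDTHHMMSS."""
    if not re.fullmatch(r"\d{8}T\d{6}", value):
        raise ValueError(f"clock value must be YYYYMMDDTHHMMSS, got {value!r}")
    return datetime.strptime(value, "%Y%m%dT%H%M%S")


def parse_task_argument(task, argument):
    """Validate one Arguments-field string for the named Host Task List task."""
    key, value = _split_kv(argument)
    expected = EXPECTED_KEY.get(task)
    if expected is None:
        raise ValueError(f"unknown task {task!r}")
    if key != expected:
        raise ValueError(f"{task} expects {expected}=..., got {key}=...")
    if task == "Set Syslog Forwarding":
        return parse_syslog_host(value)
    if task == "Set Host Built-In Clock":
        return {"time": parse_clock(value)}
    if task == "Set Network Time Source":
        if value == "local":  # the host clock itself becomes the source
            return {"local": True}
        return {"local": False, "kind": _classify_target(value), "target": value}
    if task == "Set SNMP":
        if value not in ("0", "1"):
            raise ValueError("enable must be 0 or 1")
        return {"enabled": value == "1"}
    if task.endswith("Service"):
        if value not in SERVICE_NAMES:
            raise ValueError(f"unknown service {value!r}")
        return {"service": value}
    # Add/Delete Filesystem Monitor: require an absolute path (assumption).
    if not value.startswith("/"):
        raise ValueError(f"path must be absolute, got {value!r}")
    return {"path": value}
```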

Show Network Port Status

The Show Network Port Status task in the Host Task List gives you the status of all configured ports on the host.

Display the Network Port Status

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the selected service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, click Show Network Port Status.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. No arguments are required for this task. Click Run.
    The status for each port on the host is displayed in the Output area.

Show Serial Number

The Show Serial Number task in the Host Task List displays the serial number of a host.

Show the Serial Number

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Show Serial Number.
    In the Info area, a brief explanation of the task and the task arguments is displayed.
  5. No arguments are required for this task. Click Run.
    The serial number of the selected host is displayed in the Output area.

Shut Down Host

Under certain circumstances (for example, a hardware upgrade or an extended power outage that exceeds backup power capacity), it may be necessary to shut down a physical host. When you shut down a host, all services running on the host are stopped and the physical host turns off.

The physical host does not restart automatically. Use the power switch to restart the host. Once the physical host restarts, the host and services are configured to restart automatically.

See Reboot a Host for how to start and stop a host without shutting down the host.

Shut Down the Host

  1. In the Host Task List, select Shut Down Host.
  2. To execute the task, click Run.
    The host shuts down, and the host turns off.

Stop and Start a Service on a Host

The Host Task List has two options for stopping and starting a service on a host. When you stop a service using the Stop Service message, all processes of the service are stopped and users connecting to the service are disconnected. Unless there is a problem with the service, it restarts automatically. This is the same as the Shutdown Service option in the Services System view.

If a service does not restart automatically after being stopped, you can restart it manually using the Start Service message.

Stop a Service on a Host

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Stop Service.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. Specify the service (decoder, concentrator, broker, logdecoder, logcollector) to stop in the Arguments field; for example, service=decoder.
  6. To execute the task, click Run.
    The service stops and the status is displayed in the Output area. All processes of the service are stopped and users connecting to the service are disconnected. Unless there is a problem with the service, it restarts automatically.

Start a Service on a Host

  1. Select (Admin) > Services.
  2. In the Services list, select a service and click the Actions icon > View > System.
    The System view for the service is displayed.
  3. In the Services System view toolbar, click Host Tasks.
  4. In the Host Task List, select Start Service.
    The task is displayed in the Task field, and information about the task is displayed in the Info area.
  5. Specify the service (decoder, concentrator, broker, logdecoder, logcollector) to start in the Arguments field; for example, service=decoder.
  6. To execute the task, click Run.
    The service starts and the status is displayed in the Output area.

Add, Replicate, or Delete a Service User

You must add a user to a service for:

  • Aggregation
  • Accessing the service with the:
    • Thick client
    • REST API

Note: This topic does not apply to users who access services through the user interface on NetWitness Server. You must add those users to the system, not to a service. For details, see "Set Up a User" in the System Security and User Management Guide.

For each service user, you can:

  • Configure user authentication and query handling properties for the service
  • Make the user a member of a role, which has a set of permissions the user receives
  • Replicate the user account to other services
  • Change the service user password on selected services

Change a Service User Password provides instructions for changing the service user password across services.

To navigate to the Services Security view:

  1. In NetWitness, go to (Admin) > Services.
  2. Select a service, then click the Actions icon > View > Security.
    The Security view for the selected service is displayed with the Users tab open.

Add a Service User

  1. On the Users tab, click the Add icon.
  2. Type the user name to access the service, then press Enter.
    The User Information section displays the user name and the rest of the fields are available for editing.
  3. Type the password for logging on to the service in the Password and Confirm Password fields.
  4. (Optional) Provide additional information:
  • Name for logging on to NetWitness
  • Email address
  • Description of the user
  5. In the User Settings section, select the following information:
  • Authentication Type
    • If NetWitness authenticates the user, select NetWitness.
    • If Active Directory or PAM is configured on NetWitness Server to authenticate the user, select External.
  • Core Query Timeout is the maximum number of minutes a user can run a query on the service. This field applies to NetWitness 10.5 and later service versions and does not appear for 10.4 and earlier versions.
  6. (Optional) Specify additional query criteria:
  • Query Prefix filters queries. Type a prefix to restrict the results the user sees.
  • Session Threshold controls how the service scans meta values to determine session counts. Any meta value with a session count above the threshold stops its determination of the true session count.
  7. In the Role Membership section, select each role to assign to the user. When a user is a member of a role on a service, the user has the permissions assigned to the role.
  8. To activate the new service user, click Apply.

Replicate a User to Other Services

Note: The admin user cannot be replicated to other services.

  1. In the Users tab, select a user and click the Actions icon > Replicate.
    The Replicate Users to Other Services dialog is displayed.
  2. Enter and confirm the password.
  3. Select each service to which you are replicating the user.
  4. Click Replicate.

Delete a Service User

  1. On the Users tab, select the Username and click the Delete icon.
    NetWitness requests confirmation that you want to delete the selected user.
  2. To confirm, click Yes.

Add a User Role to a Service

There are pre-configured roles in NetWitness that are installed on the server and on each service. You can also add custom roles. The following table lists the pre-configured user roles and their permissions.

Role | Permission
Administrators | Full system access
Operators | Access to configurations but not to metadata and session content
Analysts | Access to metadata and session content but not to configurations
SOC_Managers | Same access as Analysts and additional permissions to handle incidents
Malware_Analysts | Access to malware events and to metadata and session content
Data_Privacy_Officers | Access to metadata and session content and configuration options that manage obfuscation and viewing of sensitive data within the system (see Data Privacy Management Guide).

You must add a service role when you have added a:

  • Service user or users that requires a new set of permissions.
  • Custom role on NetWitness Server because trusted connections require that the same custom role exists both on the server and on each service the custom role will access. The names must be identical. For example, if you add a Junior Analysts role on the server then you must add a Junior Analysts role on each service the role will access. For more information, see "Add a Role and Assign Permissions" in the System Security and User Management Guide.

There is also a pre-configured Aggregation service role. Services Security View - Aggregation Role and Services Security View - Service User Roles and Permissions provide additional information.

To add a service user role and assign permissions to it:

  1. In NetWitness, go to (Admin) > Services.
  2. Select a service, then click the Actions icon > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
  3. Select the Roles tab and click the Add icon.
    The Services Security view is displayed and five pre-configured roles are already listed.
  4. Click the Add icon, type the Role Name and press Enter.
    The Role Name is displayed above a list of Role Permissions.
  5. Select each permission the role will have on the service.
  6. Click Apply.

You can add service users to the role in the Users tab.

Change a Service User Password

This procedure allows administrators to change the password of a service user and replicate the new password to all Core services with that user account defined. It replicates only the password change to the Core services selected and does not replicate the entire user account. Administrators can also change the password of the admin account on the Core services.

Note: The Change Password option does not apply to external users.

To change the password of a service user:

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.
    The Admin Services view is displayed.
  2. Select a service, then click the Actions icon > View > Security.
    The Security view for the selected service is displayed.
  3. In the Users tab, select a user and select Change Password from the Actions menu.
    The Change Password dialog is displayed.
  4. Type a new password for the user and confirm the password.
  5. Select the services where you want the user password to change.
  6. Click Change Password.
    The status of the password change on the selected services is displayed.

IMPORTANT: If you change the admin password on a NetWitness service that is used as a Reporting Engine data source, you must remove and then re-add the service as a data source.

Create and Manage Service Groups

The Admin Services view provides options to create and manage groups of services. The Services list toolbar includes options to create, edit, and delete service groups. Once groups are created, you can drag individual services from the Services panel into a group.

Groups may reflect functional, geographical, project-oriented, or any other organization principle that is useful. A service may belong to more than one group. Here are some examples of possible groupings.

  • Group different service types to make it easier to configure and monitor all Brokers, Network Decoders, or Concentrators.
  • Group services that are part of the same data flow; for example, a Broker, and all associated Concentrators and Network Decoders.
  • Group services according to their geographic region and location within the region. If a major power outage occurs in a location, potentially affected services are easily identifiable.

Create a Group

  1. In NetWitness, go to (Admin) > Services.
    The Admin Services view is displayed.
  2. In the Groups panel toolbar, click the Add icon.
    A field for the new group opens with a blinking cursor.
  3. Type the name of the new group in the field (for example, A New Group) and press Enter.
    The group is created as a folder in the tree. The number next to the group indicates the number of services in that group.

Change the Name of a Group

  1. In the Services view Groups panel, double-click the group name or select the group and click the Edit icon. The name field opens with a blinking cursor.
  2. Type the new name of the group and press Enter.
    The name field closes and the new group name is displayed in the tree.

Add a Service to a Group

In the Services view Services panel, select a service and drag the service to a group folder in the Groups panel.
The service is added to the group.

View the Services in a Group

To view the services in a group, click the group in the Groups panel.

The Services panel lists the services in that group.

Remove a Service from a Group

  1. In the Services view Groups panel, select the group that contains the service that you want to remove. The services in that group appear in the Services panel.
  2. In the Services panel, select one or more services that you want to remove from the group, and in the toolbar, select the Delete icon > Remove from Group.
    The selected services are removed from the group, but are not removed from the NetWitness user interface. The number of services in the group, which is listed near the group name, decreases by the number of services removed from the group. The All group still contains the services that were removed from the group.
    In the following example, the service group called A New Group does not contain any services, because the service in that group has been removed.

Delete a Group

  1. In the Services view Groups panel, select the group that you want to delete.
  2. Click the Delete icon.
    The selected group is removed from the Groups panel. The services that were in the group are not removed from the NetWitness user interface. The All group contains the services from the deleted group.

Duplicate or Replicate a Service Role

An efficient way to add a new service role is to duplicate a similar role, save it with a new name and revise the permissions that are already assigned. For example, you could duplicate the Analysts role. Then, save it as JuniorAnalysts and modify the permissions.

The quick way to add an existing role to other services is to replicate the role. For example, you could replicate the JuniorAnalysts role that exists on a Broker to a Concentrator and Log Decoder.

To navigate to the Services Security view:

  1. In NetWitness, go to (Admin) > Services.
  2. Select a service, then click the Actions icon > View > Security.
    The Security view for the selected service is displayed with the Users tab open.
  3. Select the Roles tab.

Duplicate a Service Role

  1. In the Roles tab, select the role you want to duplicate.
    122_RolesTb1_1222.png
  2. Click netwitness_ic-duplicate.png > Duplicate Role.
  3. Type a new name and click Apply.
  4. Select the new role.
  5. In the Role Permissions section, select or deselect permissions to modify what the new role can do.

Replicate a Role

  1. In the Roles tab, select the role you want to replicate and click Replicate.
  2. In the Replicate Role to Other Services dialog, select each service on which to add the role.
  3. Click Replicate.

Edit Core Service Configuration Files

The service configuration files for Network Decoder, Log Decoder, Broker, Concentrator, Archiver, and Workbench services are editable as text files. In the Services Config view > Files tab, you can:

  • View and edit a service configuration file that the NetWitness system is currently using.
  • Retrieve and restore the latest backup of the file you are editing.
  • Push the open file to other services.
  • Save changes made to a file.

The files available to edit vary depending upon the type of service being configured. The files that are common to all Core services are:

  • The NetWitness file (netwitness). This is preconfigured and does not require editing.
  • The service index file (index-<service>). This is preconfigured and may require editing.
    See Edit a Service Index File for more information.
  • The scheduler file (scheduler). The task scheduler is optional and requires editing if you use it.
    See Configure the Task Scheduler for more information.
  • The crash reporter file (crashreporter). The Crash Reporter service is optional and requires editing if you use it.
    See Enable the Crash Reporter Service for more information.
  • The feed definitions file (feed-definitions). This file is optional and may require editing.
    See "Feed Definitions File" in the Decoder Configuration Guide for more information.

In addition, the Network Decoder has files that configure parsers, feed definitions, and a wireless LAN adapter. There is also the table mapping file provided by NetWitness, table-map.xml, which is an important part of the Log Decoder.

Note: The default values in these configuration files are good for the most common situations, however some editing is necessary for optional services, such as the crash reporter or scheduler. Only administrators with a good understanding of the networks and the factors that affect the way services collect and parse data should make changes to these files in the Files tab.

Edit a Service Configuration File

To edit a file:

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. In the Services list, select a service.
  3. Select netwitness_actiondd.png > View > Config.
    The Service Config view is displayed with the General tab open.
  4. Click the Files tab.
    The selected service, such as Concentrator, appears in the drop-down list on the right.
  5. (Optional) To edit a file for the host instead of the service, select Host in the drop-down list.
  6. Choose a file from the Please Select A File To Edit drop-down list.
    The file content is displayed in edit mode.
    122_CfgFilesTbEdit1_1222.png
  7. Edit the file and click Apply.

The current file is overwritten and a backup file is created. The changes go into effect after the service is restarted.

Revert to a Backup Version of a Service Configuration File

After you make changes to a configuration file, save the file, and restart the service, a backup file is available.

To revert to a backup of a configuration file:

  1. Select a configuration file by completing steps 1-6 of Edit a Service Configuration File.
  2. Click netwitness_icon-getbackup.png.
    The backup file opens in the text editor.
  3. To revert to the backup version, click Save.

The changes go into effect after the service is restarted.

Push a Configuration File to Other Services

Once you have edited a service configuration file, you can push the same configuration to other services of the same type.

  1. Select a configuration file by completing steps 1-6 of Edit a Service Configuration File.
  2. Click netwitness_icon-push.png.
    The Select Services dialog is displayed.
  3. Select each service to which you want to push the configuration file. Each service must be the same type as the one you selected in the Services view.

    Caution: If you decide not to push the configuration file, click Cancel.

  4. To push the configuration file to all selected services, click OK.

The configuration file is pushed to all selected services.

Edit a Service Index File

This topic provides important information and guidelines for configuring service custom index files, which are editable in the Service Config view > Files tab.

The index file, along with other configuration files, controls operation of each core service. Accessing the index file through the Service Config view in NetWitness opens the file in a text editor, where you can edit the file.

Note: Only administrators with a thorough and comprehensive understanding of Core service configuration are qualified to make changes to an index file, which is one of the central configuration files for the appliance service. Changes made should be consistent across all Core services. Invalid entries or a misconfigured file can prevent the system from starting and can require the assistance of NetWitness Support to bring the system back into a working state.

These are the index files:

  • index-broker.xml and index-broker-custom.xml
  • index-concentrator.xml and index-concentrator-custom.xml
  • index-decoder.xml and index-decoder-custom.xml
  • index-logdecoder.xml and index-logdecoder-custom.xml
  • index-archiver.xml and index-archiver-custom.xml
  • index-workbench.xml and index-workbench-custom.xml

Index and Custom Index Files

All customer-specific index changes are made in index-<service>-custom.xml. This file overrides any settings in index-<service>.xml, which is solely controlled by NetWitness.

The custom index file, index-<service>-custom.xml, allows creation of custom definitions or overrides of your own language keys that are not overwritten during the upgrade process.

  • Keys that are defined in index-<service>-custom.xml replace the definitions found in index-<service>.xml.
  • Keys that are added to index-<service>-custom.xml and not found in index-<service>.xml are added to the language as a new key.

Some common applications for editing the index file are:

  • To add new custom meta keys to add new fields to the NetWitness user interface.
  • To configure protected meta keys as part of a data privacy solution as described in the Data Privacy Management Guide.
  • To adjust the NetWitness Core database query performance as described in the NetWitness Core Database Tuning Guide.

Caution: Never set the index level to IndexKeys or IndexValues on a Network Decoder if you have a Concentrator or Archiver aggregating from the Network Decoder. The index partition size is too small to support any indexing beyond the default time meta key.

Configure the Task Scheduler

Scheduler File

You can edit the scheduler file in the Service Config view > Files tab. This file configures the built-in task scheduler for a service. The task scheduler can automatically send messages at predefined intervals or at specific times of the day.

Scheduler Task Syntax

A task line in the scheduler file consists of the following syntax, where <Value> has no spaces:

<ParamName>=<Value>

If <Value> has any spaces, this is the syntax:

<ParamName>="<Value>"

In each task line, these guidelines apply:

  • Parameter time or one of the interval parameters (seconds, minutes or hours) is required.
  • Escape special characters with a \ (backslash).

Task Line Parameters

The following task line parameters are accepted by the scheduler.

daysOfWeek: <string, optional, {enum-any:sun|mon|tue|wed|thu|fri|sat|all}>
    The days of the week on which to execute the task. The default value is all.
deleteOnFinish: <bool, optional>
    Delete the task when it has successfully finished.
hours: <uint32, optional, {range:1 to 8760}>
    The number of hours between executions.
logOutput: <string, optional>
    Write the response to the log using the specified module name.
minutes: <uint32, optional, {range:1 to 525948}>
    The number of minutes between executions.
msg: <string>
    The message to send to the node.
params: <string, optional>
    The parameters for the message.
pathname: <string>
    The path of the node that receives the message.
seconds: <uint32, optional, {range:1 to 31556926}>
    The number of seconds between executions.
time: <string>
    The time of execution in HH:MM:SS format (local time of this server).
timesToRun: <uint32, optional>
    How many times to run since service start; 0 = unlimited (default).

Messages

The following are the message strings to use in the Task Scheduler msg parameter.

addInter
    Add a task to run at a defined interval. For example, this message runs the /index save command every 6 hours:
    addInter hours=6 pathname=/index msg=save
addMil
    Add a task to run at a specific time of day, optionally on specific days of the week. For example, this message runs the /index save command at 1 AM every business day:
    addMil time=01:00:00 pathname=/index msg=save daysOfWeek=mon,tue,wed,thu,fri
delSched
    Deletes an existing scheduled task. Retrieve the id parameter of the task from the output of the print message.
print
    Prints all scheduled tasks.
replace
    Assigns all scheduled tasks in one message, deleting any existing tasks.
save
    Save the node.

Sample Task Line

The following example task line in the scheduler file downloads the feeds package file (feeds.zip) to the selected Network Decoder every 120 minutes from the feeds host server:
minutes=120 pathname=/parsers msg=feed params="type\=wget file\=http://feedshost/nwlive/feeds.zip"
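
The task line syntax above is simple enough to check mechanically before a line is saved into the scheduler file of a service. The following Python script is an added example written for this page, not NetWitness code: it tokenizes a task line according to the quoting and backslash-escape rules, validates parameter names, ranges and the time-or-interval requirement from the Task Line Parameters table, and, as a hardening check of this editor's own, reports feed URLs that would be fetched over cleartext http://. The sample task lines are constructed (the first is the page's own example), and the HH:MM:SS format is assumed to be a 24-hour clock.

```python
"""Tokenize and validate NetWitness scheduler task lines.

Added example, not NetWitness code. Parameter names and ranges follow the
Task Line Parameters table on this page; the sample lines are constructed.
"""
import re

# Interval parameters and their documented ranges.
INTERVALS = {"seconds": (1, 31556926), "minutes": (1, 525948), "hours": (1, 8760)}
DAYS = {"sun", "mon", "tue", "wed", "thu", "fri", "sat", "all"}
REQUIRED = {"pathname", "msg"}
KNOWN = set(INTERVALS) | REQUIRED | {
    "time", "daysOfWeek", "deleteOnFinish", "logOutput", "params", "timesToRun"}


def tokenize(line):
    """Split a task line into a {name: value} dict.

    Values containing spaces are double-quoted; a backslash escapes the next
    character, so params="type\\=wget ..." yields 'type=wget ...'.
    """
    pairs, i, n = {}, 0, len(line)
    while i < n:
        while i < n and line[i].isspace():
            i += 1
        if i >= n:
            break
        eq = line.find("=", i)
        if eq < 0:
            raise ValueError(f"parameter without '=' at {line[i:]!r}")
        name = line[i:eq]
        if not name.isidentifier():
            raise ValueError(f"bad parameter name {name!r}")
        i = eq + 1
        quoted = i < n and line[i] == '"'
        closed = not quoted
        if quoted:
            i += 1
        value = []
        while i < n:
            c = line[i]
            if c == "\\" and i + 1 < n:      # escaped character, keep it literally
                value.append(line[i + 1])
                i += 2
                continue
            if quoted and c == '"':          # closing quote ends the value
                closed, i = True, i + 1
                break
            if not quoted and c.isspace():   # whitespace ends an unquoted value
                break
            value.append(c)
            i += 1
        if not closed:
            raise ValueError(f"unterminated quoted value for {name}")
        pairs[name] = "".join(value)
    return pairs


def validate(pairs):
    """Return a list of problems; an empty list means the task line is acceptable."""
    problems = [f"unknown parameter {k}" for k in pairs if k not in KNOWN]
    problems += [f"missing required parameter {k}" for k in sorted(REQUIRED - set(pairs))]
    if not any(k in pairs for k in ("time", *INTERVALS)):
        problems.append("need 'time' or one of seconds/minutes/hours")
    for k, (lo, hi) in INTERVALS.items():
        if k in pairs and not (pairs[k].isdigit() and lo <= int(pairs[k]) <= hi):
            problems.append(f"{k} must be an integer in {lo}..{hi}")
    # Assumed 24-hour clock for the documented HH:MM:SS format.
    if "time" in pairs and not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d:[0-5]\d", pairs["time"]):
        problems.append("time must be HH:MM:SS")
    if "daysOfWeek" in pairs:
        bad = set(pairs["daysOfWeek"].split(",")) - DAYS
        if bad:
            problems.append(f"unknown daysOfWeek value(s) {sorted(bad)}")
    if "timesToRun" in pairs and not pairs["timesToRun"].isdigit():
        problems.append("timesToRun must be an unsigned integer")
    if "deleteOnFinish" in pairs and pairs["deleteOnFinish"].lower() not in {"true", "false", "0", "1"}:
        problems.append("deleteOnFinish must be a boolean")
    return problems


def cleartext_urls(pairs):
    """Editor's hardening check: a feed fetched over plain http:// can be altered in transit."""
    return re.findall(r"http://\S+", pairs.get("params", ""))


def parse_task(line):
    """Tokenize and validate one task line; returns (pairs, problems)."""
    pairs = tokenize(line)
    return pairs, validate(pairs)


# Constructed samples: the page's own feed example, a valid daily task,
# a line with no time or interval, and one with an out-of-range interval.
SAMPLE_LINES = [
    'minutes=120 pathname=/parsers msg=feed params="type\\=wget file\\=http://feedshost/nwlive/feeds.zip"',
    "time=01:00:00 pathname=/index msg=save daysOfWeek=mon,tue,wed,thu,fri",
    "pathname=/index msg=save",
    "hours=9000 pathname=/index msg=save",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pairs, problems = parse_task(line)
        print(line)
        print("  parsed :", pairs)
        print("  issues :", problems or "none", "| cleartext URLs:", cleartext_urls(pairs))
```

Run it against a scheduler file one line at a time before applying the file in the Files tab; a line that the validator rejects is one the service will also fail to schedule, and a cleartext feed URL is worth replacing with an https:// source if the feeds host offers one.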

Enable the Crash Reporter Service

The Crash Reporter is an optional service for NetWitness services. When activated for any of the Core services, the Crash Reporter automatically generates a package of information to be used for diagnosing and solving the problem that resulted in the service failure. The package is automatically sent to NetWitness for analysis. The results are forwarded to NetWitness Support for any further action.

The information package sent to NetWitness does not contain captured data. This information package consists of the following information:

  • Stack trace
  • Logs
  • Configuration settings
  • Software version
  • CPU information
  • Installed RPMs
  • Disk geometry

The Crash Reporter crash analysis can be activated for any Core product.

The crashreporter.cfg File

One of the files available for editing in the Service Config view > Files tab is crashreporter.cfg, the Crash Reporter Client Server configuration file.

This file is used by the script that checks, updates, and builds crash reports on the host. The list of products to monitor can include Network Decoders, Concentrators, Brokers, and hosts.

This table lists the settings for the crashreporter.cfg file.

applicationlist=decoder, concentrator, host
    Define the list of products to monitor.
sitedir=/var/crashreporter
    Location of the site directory for the report.
webdir=/usr/share/crashreporter/Web
    Location of the web directory.
devdir=/var/crashreporter/Dev
    Location of the development directory.
datadir=/var/crashreporter/data
    Location of the directory storing data files.
perldir=/usr/share/crashreporter/perl
    Location of the Perl files.
bindir=/usr/share/crashreporter/bin
    Location of the binary executables.
libdir=/usr/share/crashreporter/lib
    Location of the binary libraries.
cfgdir=/etc/crashreporter
    Location of the configuration files.
logdir=/var/log/crashreporter
    Location of the log files.
scriptdir=/usr/share/crashreporter/scripts
    Location of the directory containing scripts.
workdir=/var/crashreporter/work
    Location of the process work directory.
sqldir=/var/crashreporter/sql
    Location where created SQL files are placed.
reportdir=/var/crashreporter/reports
    Location where temporary reports are created.
packagedir=/var/crashreporter/packages
    Location of the created package files.
gdbconfig=/etc/crashreporter/crashreporter.gdb
    Location of the gdb configuration file.
corewaittime=30
    The number of seconds to wait after finding a core file before checking whether it is still being written.
cyclewaittime=10
    The number of minutes to wait between search cycles.
deletecores=1
    Specify whether core files should be deleted after the report. 0 = No, 1 = Yes.
    Note: Until the core file is deleted, it is reported each time crashreporter is restarted.
deletereportdir=1
    Specify whether the report directory should be deleted after the report. Set this to 0 if you want to view the reports on the box. 0 = No, 1 = Yes.
    Note: If the directory is not deleted, it is included in each subsequent package.
debug=1
    Specify whether debugging messages are turned on or off in the crashreporter logging output. 0 = No, 1 = Yes.
posturl=https://www.netwitnesslive.com/crash...ter/submit.php
    Define the webserver post URL.
postpackages=0
    Specify whether the packages should be posted to the webserver. 0 = No, 1 = Yes.
deletepackages=1
    Specify whether packages should be deleted after they are posted to the webserver. 0 = No, 1 = Yes.
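
Because a crash package carries logs and configuration settings off the box when postpackages=1, it is worth checking crashreporter.cfg before starting the service. The following Python checker is an added example, not part of NetWitness: it parses the key=value file, validates the 0/1 switches, absolute paths and wait times from the table above, and refuses a posturl that is not https:// while posting is enabled. The accepted product names in applicationlist, the numeric ranges, the comment syntax and the sample configuration (including the example.com host) are this editor's assumptions, constructed for the example.

```python
"""Sanity-check a crashreporter.cfg before starting the Crash Reporter.

Added example, not NetWitness code. Setting names follow the table on this
page; the accepted product names, numeric ranges, comment handling and the
sample file are this editor's assumptions.
"""
from urllib.parse import urlparse

BOOL_KEYS = {"deletecores", "deletereportdir", "debug", "postpackages", "deletepackages"}
PATH_KEYS = {"sitedir", "webdir", "devdir", "datadir", "perldir", "bindir", "libdir",
             "cfgdir", "logdir", "scriptdir", "workdir", "sqldir", "reportdir",
             "packagedir", "gdbconfig"}
INT_KEYS = {"corewaittime": (1, 3600), "cyclewaittime": (1, 1440)}   # assumed sane ranges
KNOWN_APPS = {"decoder", "concentrator", "broker", "host"}             # assumed product names


def parse_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are ignored (assumed syntax)."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = value
    return cfg


def check_cfg(cfg):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    for key in sorted(BOOL_KEYS):
        if key in cfg and cfg[key] not in ("0", "1"):
            findings.append(f"{key}: must be 0 or 1, got {cfg[key]!r}")
    for key in sorted(PATH_KEYS):
        if key in cfg and not cfg[key].startswith("/"):
            findings.append(f"{key}: must be an absolute path, got {cfg[key]!r}")
    for key, (lo, hi) in INT_KEYS.items():
        if key in cfg and not (cfg[key].isdigit() and lo <= int(cfg[key]) <= hi):
            findings.append(f"{key}: expected an integer in {lo}..{hi}, got {cfg[key]!r}")
    for app in (a.strip() for a in cfg.get("applicationlist", "").split(",")):
        if app and app not in KNOWN_APPS:
            findings.append(f"applicationlist: unknown product {app!r}")
    # Packages contain logs and configuration; only let them leave the box over TLS.
    if cfg.get("postpackages") == "1":
        url = urlparse(cfg.get("posturl", ""))
        if url.scheme != "https" or not url.netloc:
            findings.append(f"posturl: postpackages=1 but URL is not https://, got {cfg.get('posturl')!r}")
    return findings


# Constructed sample: posting enabled over cleartext http, which the checker rejects.
WEAK_CFG = """\
applicationlist=decoder, concentrator, host
sitedir=/var/crashreporter
cfgdir=/etc/crashreporter
logdir=/var/log/crashreporter
packagedir=/var/crashreporter/packages
gdbconfig=/etc/crashreporter/crashreporter.gdb
corewaittime=30
cyclewaittime=10
deletecores=1
deletereportdir=1
debug=0
posturl=http://crash.example.com/submit.php   # cleartext; placeholder host
postpackages=1
deletepackages=1
"""

# The same file with the post URL corrected to https.
FIXED_CFG = WEAK_CFG.replace("http://crash.example.com", "https://crash.example.com")

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        print(label, check_cfg(parse_cfg(text)) or "OK")
```

The weak file produces exactly one finding, on posturl; the corrected file produces none. Keeping postpackages=0 and reviewing the packages in packagedir before they leave the appliance is the conservative setting if your change-control process requires it.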

Configure the Crash Reporter Service

To configure the Crash Reporter service:

  1. Select netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a service and click netwitness_actiondd.png > View > Config.
  3. Select the Files tab.
  4. Edit crashreporter.cfg.
  5. Click Save.
  6. To display the Service System view, select Config > System.
  7. To restart the service, click netwitness_icon-shutdownservice.png.
    The service shuts down and restarts.

Start and Stop the Crash Reporter Service

To start the Crash Reporter Service:

  1. Select netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a service and click netwitness_actiondd.png > View > System.
  3. In the toolbar, click netwitness_hosttasks.png.
    The Host Task List is displayed.
  4. In the Task drop-down list, select Start Service.
  5. In the Arguments field, type crashreporter, then click Run.
    netwitness_htlcrshrpt_450x341.png

The Crash Reporter service is activated and remains active until you stop it.

To stop the Crash Reporter service, select Stop Service from the Task drop-down list.

Maintain the Table Map Files

The table mapping file provided by NetWitness, table-map.xml, is a very important part of the Log Decoder. It is a meta definition file which also maps the keys used in a log parser to the keys in the metadb.

Note: Do not edit the table-map.xml file. If you want to make changes to the table-map, make them in the table-map-custom.xml file. The latest table-map.xml file is available on Live Services, which NetWitness updates as required. If you make changes to the table-map.xml file, they can be overwritten during a content or service upgrade.

The table map and custom table map files have two purposes:

  • To translate the variables used in the Log Parsers to NetWitness meta key names
  • To tell the system which keys to move onto the Concentrator.

For example, look at the out-of-the-box Palo Alto log parser and examine one of its meta keys, stransaddr. This key represents the source translated address. If we look in the table-map.xml file we can see that this variable is listed as Transient:

<mapping envisionName="stransaddr" nwName="stransaddr" flags="Transient" format="Text" />

Because this variable is flagged as Transient, it is never moved to the Concentrator. In fact, if you look at all the metadata parsed from that log on the Concentrator, stransaddr is not listed as an available key.

Assume we change the value in the table-map-custom.xml file to the following:

<mapping envisionName="stransaddr" nwName="stransaddr" flags="None" format="Text" />

In this case, the key-value pair would get copied to the Concentrator, and from there you can choose whether or not to index it.

In the table-map.xml file, some meta keys are set to Transient and some are set to None. To store and index a specific meta key, the key must be set to None. To make changes to the mapping, create a copy of the file named table-map-custom.xml on the Log Decoder and set the meta keys to None there.

For meta key indexing:

  • When a key is marked as None in the table-map.xml file on the Log Decoder, it is forwarded to the Concentrator, where it can be indexed.
  • When a key is marked as Transient in the table-map.xml file on the Log Decoder, it is not forwarded and cannot be indexed. To index the key, copy the entry to the table-map-custom.xml file and change flags="Transient" to flags="None".
  • If a key does not exist in the table-map.xml file, add an entry for it to the table-map-custom.xml file on the Log Decoder.

IMPORTANT: Do not update the table-map.xml file because an upgrade can overwrite it. Make all of your changes in the table-map-custom.xml file.

Prerequisites

If you do not have a table-map-custom.xml file on the Log Decoder, create a copy of table-map.xml and rename it to table-map-custom.xml.

To verify and update the table mapping file:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. In the Services list, select a Log Decoder and click netwitness_actiondd.png > View > Config.
  3. Click the Files tab and select the table-map.xml file.
    122_FilesTbTableMap1_1222.png
  4. Verify that the flags keywords are set correctly to either Transient or None.
  5. If you need to change an entry, do not change the table-map.xml file. Instead, copy the entry, select the table-map-custom.xml file, find the entry in the table-map-custom.xml file and change the flags keyword from Transient to None.
    For example, the following entry for the hardware.id meta key in the table-map.xml file is not indexed and the flags keyword shows as Transient:
    <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
    To index the hardware.id meta key, change the flags keyword from Transient to None in the table-map-custom.xml file:
    <mapping envisionName="hardware_id" nwName="hardware.id" flags="None"/>
  6. If an entry does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file.
  7. After making your changes to the table-map-custom.xml file, click Apply.

Caution: Before changing the table mapping files, carefully consider the effect of changing the index from Transient to None because it can impact the available storage and performance of the Log Decoder. For this reason, only certain meta keys are indexed out-of-the-box. Use the table-map-custom.xml file for different use cases.
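
The effect of a table-map-custom.xml edit is easiest to see by resolving both files the way the text above describes: custom entries override base entries by nwName, and only keys not flagged Transient are forwarded to the Concentrator. The following Python script is an added example, not NetWitness code. It loads both files, merges them, lists the forwarded keys and reports what the custom file changed. The two XML documents are constructed for this example; the <mappings> root element name, the attribute set and the treatment of a missing flags attribute as None are assumptions, since real files contain many more entries and attributes.

```python
"""Resolve table-map.xml against table-map-custom.xml.

Added example, not NetWitness code. Custom entries override base entries
by nwName; keys not flagged Transient are forwarded to the Concentrator.
The XML below is constructed; the <mappings> root name, the attribute set
and the treatment of a missing flags attribute as None are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed base file: two Transient keys and one that is already forwarded.
BASE_XML = """\
<mappings>
  <mapping envisionName="stransaddr" nwName="stransaddr" flags="Transient" format="Text"/>
  <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="Text"/>
</mappings>
"""

# Constructed custom file: a copy of the base with stransaddr flipped to None,
# hardware.id left Transient, and a new key added.
CUSTOM_XML = """\
<mappings>
  <mapping envisionName="stransaddr" nwName="stransaddr" flags="None" format="Text"/>
  <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="Text"/>
  <mapping envisionName="custom_tag" nwName="custom.tag" flags="None" format="Text"/>
</mappings>
"""


def load_mappings(xml_text):
    """Return {nwName: attributes} for every <mapping> element."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for elem in root.iter("mapping"):
        name = elem.get("nwName")
        if not name:
            raise ValueError("mapping without nwName: " + ET.tostring(elem, encoding="unicode"))
        if name in mappings:
            raise ValueError(f"duplicate mapping for {name}")
        mappings[name] = dict(elem.attrib)
    return mappings


def is_transient(attrs):
    """Transient keys stay on the Log Decoder; flags may be a |-separated list (assumed)."""
    return "Transient" in attrs.get("flags", "None").split("|")


def merge(base, custom):
    """Custom entries replace base entries with the same nwName; new keys are added."""
    merged = dict(base)
    merged.update(custom)
    return merged


def forwarded_keys(mappings):
    """Keys copied to the Concentrator, where they can then be indexed."""
    return sorted(name for name, attrs in mappings.items() if not is_transient(attrs))


def diff_report(base, custom):
    """Summarize what the custom file changes relative to the base file."""
    report = {"flipped": [], "added": [], "still_transient": []}
    for name, attrs in custom.items():
        if name not in base:
            report["added"].append(name)
        elif is_transient(base[name]) and not is_transient(attrs):
            report["flipped"].append(name)
        elif is_transient(attrs):
            report["still_transient"].append(name)
    return {key: sorted(values) for key, values in report.items()}


if __name__ == "__main__":
    base, custom = load_mappings(BASE_XML), load_mappings(CUSTOM_XML)
    print("forwarded before:", forwarded_keys(base))
    print("forwarded after: ", forwarded_keys(merge(base, custom)))
    print("custom changes:  ", diff_report(base, custom))
```

The "flipped" list is the set of keys whose storage and index cost on the Concentrator you are about to increase, which is the review point the Caution above asks for; "still_transient" is a quick way to confirm that the copy you made of table-map.xml did not flip anything you did not intend.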

Edit or Delete a Service

You can edit service settings, such as changing the host name or port number, or deleting a service that you no longer need.

Each of the following procedures starts in the Services view.

To navigate to the Services view, in NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.

122_AdmSrvVw1_1222.png

Edit a Service

  1. In the Services view, select a service and either click netwitness_edit.png or netwitness_actiondd.png > Edit.

    The Edit Service dialog is displayed. It shows only the fields that apply to the selected service.

    netwitness_editsrvssl.png

  2. Edit the service details by changing any of the following fields:

    • Name
    • Port - Each Core service has two ports, SSL and non-SSL.
    • SSL - For trusted connections, you must use SSL.
    • Username and Password - Use these credentials to test the connection to a service.
      1. If you use a trusted connection, delete the username.
        If you do not use a trusted connection, type a username and password.
      2. Click Test Connection.
  3. Click Save.

Delete a Service

  1. In the Services view, select one or more services and either click netwitness_delete.png or netwitness_actiondd.png > Delete.
  2. A dialog requests confirmation. To delete the service, click Yes.

The deleted service is no longer available to the NetWitness modules.

Edit Service Hierarchy Timeout Settings

The Investigate > Events page may take longer than expected to load if the list of services includes Core hosts that have been switched off improperly. In such scenarios, you can customize the hierarchy-call-time-out parameter so that the reachable services load quickly instead of waiting on unreachable ones until the request times out. The default value is 5 seconds.

1231_EventsSlowLoad.png

To reduce the Service Hierarchy Timeout:

  1. In NetWitness Platform, select   AdminIcon.png (Admin) > Services > Investigate Server > Explore > Investigate/response.

  2. In the hierarchy-call-time-out field, enter the time in seconds. The default is 5 seconds. The time taken to load the service hierarchy from Core services is roughly the customized hierarchy-call-time-out multiplied by the number of offline or inaccessible services.

    Note: The time NetWitness Platform takes to load services is the total time it takes to communicate with all services in the deployment. This load time can vary because of inaccessible services, stale connections, or an incorrect host connection status in the cache caused by a host being improperly switched off.

    Service_Hierarchy_Timeout.png

Explore and Edit Service Property Tree

You have advanced access and control of service functionality in the Services Explore view, which consists of two parts. The Node list displays service functionality in a tree structure of folders. The Monitor panel displays properties of the folder or file selected in the Nodes list.

Each of the following procedures starts in the Explore view.

To navigate to the Explore view:

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a service, then select netwitness_actiondd.png > View > Explore.

    The Explore view is displayed. The Node list is on the left and the Monitor panel is on the right.

    122_ExplVwMarkup31_1222.png

Display or Edit a Service Property

To display a service property:

  1. Right-click a file in the Node list or Monitor panel.
  2. Click Properties.

To edit the value of a service property:

  1. In the Monitor panel, select an editable property value.
  2. Type a new value.

Send a Message to a Node

  1. In the Properties dialog, select a message type from the drop-down list. Options vary according to the file selected in the Node list.
    A description of the selected message type is displayed in the Message Help field.
  2. (Optional) If the message requires them, type the Parameters.
  3. Click Send.
    The value or format is displayed in the Response Output field.

Terminate a Connection to a Service

You can view sessions that are running on a service in the Service System view. From within the list of sessions, you can terminate the session and the active queries in a session.

Terminate a Session on a Service

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.

    The Admin Services view is displayed.

  2. Select a service, and select netwitness_actiondd.png > View > System.

    The Services System view is displayed.

    122_SysVwBrkr1_1222.png

  3. In the Session Information list at the bottom, click a session number from the Session column.

    The confirmation dialog is displayed.

  4. Click Yes.

Terminate an Active Query in a Session

  1. Scroll down to the Sessions list.
  2. In the Active Queries column, click a non-zero count of active queries for a session. You cannot click on it if there are 0 active queries.

    The Active Queries dialog is displayed.

    netwitness_activequeries2.png

  3. Select a query and click Cancel Query.

    The query stops and the Active Queries column is updated.

Search for Services

You can search for services from the list of services in the Services view. The Services view enables you to quickly filter the list of services by Name, Host, and Service Type. You can use the Filter drop-down menu and the Filter field separately or at the same time to filter the Services view.

Search for a Service

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. In the Services list toolbar, type a service Name, Host, or service Type in the Filter field.
    netwitness_servfilter.png

    The Services panel lists the services that match the names entered in the Filter field. The following example shows the search results after starting to type log in the filter field.
    netwitness_srvfilternm1_750x290.png

Filter Services by Type

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. In the Services view, click netwitness_ic-filt.png and select the service types that you want to appear in the Services view.

netwitness_filterdropdown.png

The selected service types appear in the Services view. The following example shows the Services view filtered for Concentrator and Log Decoder.

netwitness_srvfilternm2.png

Find the Services on a Host

In addition to being able to locate the services for a host in the Services view, you can also quickly find the services that run on a host in the Hosts view.

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Hosts.
  2. In the Hosts view, select a host and click the box that contains a number (the number of services) in the Services column.

    A list of the services on the selected host is displayed.

    In the following example, a list of two services on the selected host are listed after clicking the box containing the number 2.

    122_HstVwSrvCount2_1222.png

  3. You can click the service links to view the services in the Services view.

Start, Stop, or Restart a Service

These procedures apply to Core services only.

Each of the following procedures starts in the Services view. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.

Start a Service

  1. Select a service and click netwitness_actiondd.png > Start.

Stop a Service

When you stop a service, all of its processes stop and active users are disconnected from it.

To stop a service:

  1. Select a service and click netwitness_actiondd.png > Stop.
  2. A dialog requests confirmation. To stop the service, click Yes.

Restart a Service

Occasionally, you have to restart a service for changes to take effect. When you change a parameter that requires a restart, NetWitness displays a message.

To restart a service:

  1. Select a service and click netwitness_actiondd.png > Restart.
  2. A dialog requests confirmation. To restart the service, click Yes.

The service stops, then restarts automatically.

View Service Details

You can view and edit information about services using options in the View menu for a service.
netwitness_viewmenuleft.png

Purpose of Each Service View

Each view displays a functional piece of a service and is described in detail in its own section:

  • Services System View shows a summary of service, appliance service, service user, host user, and session information.
  • Services Stats View provides a way to monitor service operations and status.
  • Services Config View is for configuring all aspects of a service.
  • Services Explore View is for viewing and editing host and service configurations.
  • System Logging Panel shows service logs that you can search.
  • Services Security View is a way to add NetWitness Platform Core user accounts for aggregation, thick client users, and REST API users.

Access a Service View

To access a view for a service:

  1. In NetWitness, go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a service and click netwitness_actiondd.png > View.

    The View menu is displayed.

    netwitness_view.png

  3. From the options on the left, select a view.

    Below is an example of the Services System view for a Broker.
    122_SysVwBrkr1_1222.png

  4. Use the toolbar to navigate:

    netwitness_serviceviewtoolbar2.png

    1. Click Change Service to select another service.
      The Administrate Service dialog is displayed.
    2. Select the checkbox to the left of the service that you want.
    3. Select the view that you want for the service you selected in the View drop-down list.

      netwitness_chgsrvvwsel.png

      The new view (for example, Stats) is displayed for the service you selected.

View Topology Details

Note: This feature is supported in 11.7 and later.

Note: To view the Service Topology tab, ensure that this feature is enabled under Admin Server > Explore > Feature > service-topology-feature.

Administrators and analysts can view all the NetWitness core services in a hierarchical layout depicting the collection and aggregation of the services in your deployment. This visualization displays the topology for Broker, Concentrator, Log Decoder, Packet Decoder, Hybrids, ESA and Log Collector and provides insights on which:

  • Broker aggregates from the Concentrators.

  • Concentrator aggregates from the Log Decoders.

  • Log Decoder receives data from the Log Collectors.

  • Log Collector sends data to other Log Collectors and vice versa, and the direction of the data flow.

Note: Services such as Reporting Engine, Malware Analysis, UEBA, Endpoint Server, Cloud Link Service, and Warehouse connector are not supported.

The topology is automatically refreshed every 3 hours. You can click any node to view its details.

To view the Topology:

  1. Click netwitness_configtopology_17x13.png > Service Topology.

  2. Do one of the following:

    • Scroll horizontally to view the complete topology.

    • Click Search and enter the service name to locate a specific service. The specific service will be highlighted in blue color in the hierarchical layout.

  3. Click the node to view its details.
    For more information, see the Services Topology View topic.

122_SrvcTopo_nodes_1222.png

Centralized Service Configuration via Policy

Note: The information in this section applies to NetWitness Platform Version 11.7 and Later.

Centralized Service Configuration allows you to manage the configuration of services in your environment efficiently. The Decoder, Concentrator, and Log Decoder deployed in your environment may be large in number and geographically distributed. Managing common configurations across the services can be time consuming. With Centralized Service Configuration, you can centrally create a policy of common configuration settings and apply the policy to a set of groups.

Groups

A group is a set of services based on the service type Decoder, Concentrator, and Log Decoder. You can create a group and assign policy to it based on your requirement. For example, group all the 10G Decoder services or group services within a geographical area. For more information on creating groups, see Creating Groups and Policies.

Policies

A Policy is a set of service configurations that you can apply to a set of groups. This allows you to efficiently manage the service settings. Once you create a customized policy, you can assign it to a group.

Benefits of Centralized Service Configuration 

  • Apply customized settings in one step to any number of services

  • Centrally restart all services within a group (when needed) to apply changes

  • Indicates when an action is required, such as service restart, failed publication, or Out of Compliance services

  • Clone policy to quickly create similar policies with minor changes

  • Quickly revert changes to a policy in case of issues

  • Groups of the same service type can be created based on similar hardware profiles or other criteria

  • Add configuration items to policies in order to customize settings. Any settings which are not in the policy will be left as default

  • (For version 11.7.1 and Later) Reconfigure 10G Network Decoders from the Policy UI. Administrators can quickly create 10G policies for each Decoder group based on the hardware profile

  • (For version 11.7.1 and Later) Clone policy from an existing service, to save policy transition time for existing users

Creating Groups and Policies

Create a Group

You can create a group with one or more services and assign one policy to it. At least one service is required to publish a group.

To create a group:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. In the left panel, click Groups.

  3. In the tool bar, click netwitness_polcrenew_72x18.png.

  4. In the New Group panel, do the following:

    • Enter the name of the group.

    • Enter a description for the group.

    • Select the type of service for the group.

  5. Click Next.

  6. In the Define Group, click netwitness_ic-circled-plus.png to assign services to the group.

Note: A service is disabled if it is already assigned to another group.

  7. Click Next.

  8. In the Assign Policies, click netwitness_ic-circled-plus.png to assign one policy to the group. Make sure that the policy and the group are of the same service type.

  9. Do any one of the following:

    • Click Save and Publish to save and publish the group.

      The Publish and Restart Services dialog is displayed only if some settings require a service restart for the changes to take effect. In the Publish and Restart Services dialog, do any one of the following:

      • To publish and restart the services immediately, click Publish & Restart.

      • To publish and restart the services later, click Publish & Restart Later. In this case you must restart the services manually.

      • To cancel the restart dialog, click Cancel.

      The settings that do not require restart will be applied immediately.

    • Click Save and Close to save the settings.

Create a Policy

You can create a policy and assign it to one or more groups.

To create a policy:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Policies.
    The available policies are displayed.

  3. Click netwitness_polcrenew_72x18.png to add a new policy.

  4. In the New Policy panel, do the following:

    • Select the policy type from the drop-down list.

    • Enter a unique policy name.

    • Enter a description for the policy.

    • Select the service type for the policy from the drop-down list.

    • (For version 11.7.1 and Later) Select the service from which you want to clone the settings.

  5. Click Next.

  6. Do any one of the following:

    • Customize the settings for the policy based on your requirements. For example, in the Database setting, click netwitness_ic-circled-plus.png and change the Policy value to sha256, or change the byte range to 10 MB.

      Note: (For version 11.7.1 and Later) If you chose to clone from an existing service, the setting values in the customize settings section are populated automatically from the selected service. You can still add or modify settings based on your requirements.

    • (For version 11.7.1 and Later) To configure 10g Settings:

      • Click 10g Settings.

      • Select the Decoder service from which to fetch the settings.

      • Click Done.

  7. In the Group List, click netwitness_ic-circled-plus.png to assign groups to the policy. The policy and the groups must be of the same service type.

Note: A group is disabled if another policy of the same type is already assigned to that group.

  8. Do any one of the following:

    • Click Save and Publish to save and publish the policy.

      The Publish and Restart Services dialog is displayed only if some settings require a service restart for the changes to take effect. In the Publish and Restart Services dialog, do any one of the following:

      • To publish and restart the services immediately, click Publish & Restart Now.

      • To publish and restart the services later, click Publish & Restart Later. In this case you must restart the services manually.

      • To cancel the restart dialog, click Cancel.

      The settings that do not require a restart are applied immediately.

    • Click Save and Close to save and return to the Policies view.

Managing Groups and Policies

View a Group

To view properties of the selected group:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Groups. The available groups are displayed.

  3. Click a row to view details about the selected group in the right panel.

Delete a group

You can delete one or more groups. Once a group is deleted, the services and policies that belonged to the group no longer display the deleted group's details.

To delete a group:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Groups. The available groups are displayed.

  3. Select one or more groups and click Delete.

The confirmation message is displayed.

Edit a Group

You can edit the properties of a group at any time, except for the service type, which cannot be changed. If you change the services or policies in a group, the status of the updated group becomes Unpublished. If you change only the group name and description, the status remains Published (if the group was already published).

To edit a group:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Groups. The available groups are displayed.

  3. Select a group and click Edit.

Note: You cannot edit the service type.

  4. Make the required changes in the group.

  5. Do any one of the following:

    • Click Save and Publish to save and publish the group.
      The group will be listed under the published category.

    • Click Save and Close to save the settings and return to the Groups view.

Filter Groups

The Filters Panel allows you to filter the list of displayed groups, based on the service type:

  • Decoder

  • Log Decoder

  • Concentrator

Additionally, you can filter based on publication status or service status:

  • Published: Groups that are published.

  • Unpublished: Groups that are saved but not published.

  • Failed: Groups that failed to publish.

  • N/A: Groups for which publication status is not applicable.

  • Service Require Restart: Groups with associated services that still require a restart.

The Filters panel can be hidden or displayed:

  • To display if hidden, click netwitness_icon-filter.png in the toolbar.

  • To hide, click netwitness_ic-x-close2.png at the top-right of the panel.

Delete a Policy

To delete a policy:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Policies. The available policies are displayed.

  3. Select one or more policies and in the More Actions drop-down list in the tool bar, click Delete.

The delete dialog is displayed.

Note: The services associated with this policy still require a restart if a restart is pending.

  4. Click Delete to permanently delete the selected policies.

The deletion will take effect immediately.

Revert a Policy

You can revert a policy to its previously published version up to 5 times. Once a policy is reverted you cannot return to the newer version, and you must publish the policy again.

Note: The revert is disabled if there is no previously published version.

To revert a policy:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Policies. The available policies are displayed.

  3. Select a policy and in the More Actions drop-down list in the tool bar, click Revert.
    All changes made to policy will be discarded and reverted to the previously published version. You must publish the policy once it is reverted.

Note: If there are any missing settings in the previously published version, then a default value is set for those settings.
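The way policy settings overlay the defaults, publication flags restart-required changes, services drift Out of Compliance, and revert walks back through a bounded history (the behaviour described under Policies, Benefits and Revert a Policy above) can be made concrete in a small model. The following is an added example written for this page; it is not NetWitness code and does not use the NetWitness API. The setting names, the default values, the choice of "capture.autostart" as a restart-required setting and the sample service snapshot are all constructed assumptions, not documented values.

```python
"""Illustrative model of policy publication, compliance and revert semantics.

Added example, not NetWitness code or its API. Assumptions (not from the page):
the setting names and default values below are made up, and "capture.autostart"
is assumed to be a setting that only takes effect after a service restart.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-service-type defaults (illustrative names and values only).
DEFAULTS = {
    "Decoder": {
        "database.hash.algorithm": "sha1",
        "database.packet.file.size": "4 MB",
        "capture.autostart": "false",
    },
}
# Assumed set of settings whose change needs a service restart to take effect.
RESTART_REQUIRED = {"capture.autostart"}
MAX_REVERTS = 5  # the page states a policy can be reverted at most 5 times


@dataclass
class Policy:
    name: str
    service_type: str
    settings: dict = field(default_factory=dict)   # saved, possibly unpublished, values
    deployed: Optional[dict] = None                # snapshot last published to the services
    status: str = "Unpublished"
    _history: deque = field(default_factory=lambda: deque(maxlen=MAX_REVERTS))
    _reverted: bool = False                        # a reverted version must not be re-saved as history

    def effective(self, snapshot: Optional[dict] = None) -> dict:
        """Defaults overlaid with the policy: settings absent from the policy stay default."""
        values = self.settings if snapshot is None else snapshot
        return {**DEFAULTS[self.service_type], **values}

    def set(self, key: str, value: str) -> None:
        self.settings[key] = value
        self.status = "Unpublished"   # any saved change leaves the policy unpublished

    def restart_required(self) -> set:
        """Restart-required settings whose value would change on the next publish."""
        before = self.effective(self.deployed or {})
        after = self.effective()
        return {k for k in RESTART_REQUIRED if before[k] != after[k]}

    def publish(self) -> set:
        """Push saved settings to the services; returns the keys that still need a restart."""
        needs_restart = self.restart_required()
        if self.deployed is not None and not self._reverted:
            self._history.append(dict(self.deployed))   # bounded: oldest versions fall off
        self.deployed = dict(self.settings)
        self.status = "Published"
        self._reverted = False
        return needs_restart

    def can_revert(self) -> bool:
        return len(self._history) > 0

    def revert(self) -> None:
        """Discard the current version in favour of the previous published one.
        There is no redo, and the reverted policy must be published again."""
        if not self.can_revert():
            raise RuntimeError("Revert is disabled: no previously published version")
        self.settings = dict(self._history.pop())
        self.status = "Unpublished"
        self._reverted = True


def out_of_compliance(policy: Policy, service_config: dict) -> dict:
    """Keys where a service's actual config differs from the policy's published effective config."""
    expected = policy.effective(policy.deployed or {})
    return {k: (service_config.get(k), v) for k, v in expected.items() if service_config.get(k) != v}


def demo() -> dict:
    """Walk through publish, restart detection, drift detection and revert on constructed data."""
    p = Policy("10g-decoders", "Decoder")
    p.set("database.hash.algorithm", "sha256")
    p.set("database.packet.file.size", "10 MB")
    first = p.publish()                       # no restart: neither key is restart-required here
    p.set("capture.autostart", "true")
    second = p.publish()                      # restart needed for the assumed restart-required key
    # Constructed snapshot of one service that did not pick up the file-size change.
    drift = out_of_compliance(p, {"database.hash.algorithm": "sha256",
                                  "database.packet.file.size": "4 MB",
                                  "capture.autostart": "true"})
    p.revert()                                # back to version 1; must be published again
    return {"first_restart": first, "second_restart": second, "drift": drift,
            "after_revert": p.settings, "status": p.status, "can_revert_again": p.can_revert()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The compliance check compares each service against the published snapshot rather than the saved one, because saved-but-unpublished edits are by definition not yet expected on any service; the restart check compares the published and saved snapshots, which is exactly the difference the Publish and Restart Services dialog has to decide on.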

Clone a Policy

You can clone only one policy at a time. Once cloned, all the settings from the original policy are copied to the new policy.

To clone a policy:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Policies. The available policies are displayed.

  3. Select a policy to clone and in the More actions drop-down list in the tool bar, click Clone.

The policy is cloned successfully.

Edit a Policy

You can edit the settings of a policy. The service type and policy type cannot be edited. Changes to a policy take effect in the policy when you save it, and are applied to the services only when the policy is published.

After saving and before publishing, the publication status of the changed policy is set to Unpublished if any setting was changed.

To edit a policy:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Policies. The available policies are displayed.

  3. Select a policy and click Edit.

  4. Make the required changes in policy.

Note: You cannot edit service type and policy type.

  5. Do any one of the following:

    • Click Save and Publish to save and publish the policy.
      The policy will be listed under the published category.

    • Click Save and Close to save the settings and return to the Policies view.

View a Policy

To view a policy:

  1. Go to netwitness_configureicon_23x20.png (CONFIGURE) > Policies.

  2. Click Policies. The available policies are displayed.

  3. Click a row to view details about the selected policy in the right panel.

Filter Policies

The Filters Panel allows you to filter the list of displayed policies by service type (Decoder, Log Decoder, or Concentrator) and by publication status:

  • Published: Policies that are published.

  • Unpublished: Policies that are saved but not published.

  • Failed: Policies that failed to publish.

  • N/A: Policies for which publication status is not applicable.

The Filters panel can be hidden or displayed:

  • To display if hidden, click netwitness_icon-filter.png in the toolbar.

  • To hide, click netwitness_ic-x-close2.png at the top-right of the panel.