Install and Configure the NetWitness Codec

To forward Logstash events to NetWitness in RFC 5424 syslog format, install the NetWitness codec on the system where Logstash runs and reference it in your output plugin configuration.

To install or update the codec:

Note: The following procedure can be performed on either Linux or Windows; instructions that are specific to one OS are noted.

  1. Download the offline installer from NetWitness Link at the following location: NetWitness Codec Installer
  2. Copy the downloaded NetWitness ZIP archive to the system where Logstash runs.
  3. Open a command prompt and change directory to Logstash home:

    • On Linux: cd /usr/share/logstash
    • On Windows: cd logstash_directory

      For example: cd c:\Logstash\

  4. Stop the logstash service, if it is running.

    • On Linux, run the following command:

      systemctl stop logstash

    • On Windows, open the Services window (you can search for it or find it from the Start menu), then locate the Logstash service in the list and click Stop the service.
  5. Run the following command and check to see if logstash-codec-netwitness is listed.

    • On Linux:

      bin/logstash-plugin list

    • On Windows:

      .\bin\logstash-plugin list

  6. If it is listed, delete it by running the following command:

    • On Linux:

      bin/logstash-plugin remove logstash-codec-netwitness

    • On Windows:

      .\bin\logstash-plugin remove logstash-codec-netwitness

  7. To install the latest package, run the following command:

    • On Linux:

      bin/logstash-plugin install file:///<path-to-file>/logstash-codec-netwitness-offline-<version>.zip

    • On Windows:

      .\bin\logstash-plugin install file:///<path-to-file>/logstash-codec-netwitness-offline-<version>.zip

      Note: Use forward slashes (/) as the separator between Windows sub-folders in the path to the codec installation package; the installer expects a file:/// URL, not a native Windows path.

    If the codec is installed correctly, you receive a confirmation message. The following is an example:

    Installing file: /usr/share/logstash/logstash-codec-netwitness-offline-1.0.0.zip

    Install successful

  8. The default paths for Logstash configuration are listed below. All output, filter, and input configuration files live under these folders; they are covered in later sections.

    • For Linux: /etc/logstash/conf.d/
    • For Windows: logstash_directory/config/

    For details on output files, see Configure Logstash Output Plugins. For details on input and filter plugins, see Logstash Input and Filter plugins.

  9. Start the logstash service:

    • On Linux, run the following command:

      systemctl start logstash

    • On Windows, open the Services window (you can search for it or find it from the Start menu), then locate the Logstash service in the list and click Start the service.
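The following script is an added example, not a NetWitness-supplied installer: it wraps steps 4 through 9 above for the Linux case so the install is repeatable and checked, and its helpers also cover the Windows file:/// URL rule from step 7. It assumes the default Logstash home from this page (/usr/share/logstash, overridable with LOGSTASH_HOME) and the plugin name logstash-codec-netwitness; the optional EXPECTED_SHA256 integrity check is an operator-supplied value, since the page publishes no checksum for the archive.

```shell
#!/usr/bin/env bash
# Added example: automates the manual codec install procedure on Linux.
# Assumptions (not from the page): LOGSTASH_HOME defaults to /usr/share/logstash,
# EXPECTED_SHA256 is optional and supplied by the operator.

LOGSTASH_HOME="${LOGSTASH_HOME:-/usr/share/logstash}"
CODEC="logstash-codec-netwitness"

# Step 7 note: logstash-plugin wants a file:/// URL with forward slashes, even
# on Windows. Convert a native Linux or Windows path to that form.
to_file_url() {
  local p="$1"
  p="${p//\\//}"                       # backslashes -> forward slashes
  case "$p" in
    /*) printf 'file://%s\n' "$p" ;;   # /usr/share/... -> file:///usr/share/...
    *)  printf 'file:///%s\n' "$p" ;;  # C:/Logstash/... -> file:///C:/Logstash/...
  esac
}

# Steps 5 and 7: does the plugin listing (read from stdin) contain the codec?
# Reading stdin lets the check run against saved output without Logstash present.
codec_is_listed() {
  grep -qE "^${CODEC}( |$)"
}

# Optional integrity check before installing anything into the Logstash JVM:
# compare the archive's SHA-256 against an operator-supplied expected value.
verify_archive() {
  local zip="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$zip" | awk '{print $1}')"
  else
    actual="$(shasum -a 256 "$zip" | awk '{print $1}')"
  fi
  [ "$actual" = "$expected" ]
}

install_codec() {
  local zip="$1"
  [ -f "$zip" ] || { echo "archive not found: $zip" >&2; return 1; }
  if [ -n "${EXPECTED_SHA256:-}" ]; then
    verify_archive "$zip" "$EXPECTED_SHA256" \
      || { echo "checksum mismatch, refusing to install $zip" >&2; return 1; }
  fi
  cd "$LOGSTASH_HOME" || return 1
  systemctl stop logstash                                  # step 4
  if bin/logstash-plugin list | codec_is_listed; then      # steps 5-6
    bin/logstash-plugin remove "$CODEC"
  fi
  bin/logstash-plugin install "$(to_file_url "$zip")"      # step 7
  bin/logstash-plugin list | codec_is_listed \
    || { echo "$CODEC not listed after install" >&2; return 1; }
  systemctl start logstash                                 # step 9
}

# Run the procedure only when an archive path is supplied, so the helpers can
# be sourced or tested on a machine without Logstash.
if [ -n "${NETWITNESS_CODEC_ZIP:-}" ]; then
  install_codec "$NETWITNESS_CODEC_ZIP"
fi
```

Run it as root with `NETWITNESS_CODEC_ZIP=/usr/share/logstash/logstash-codec-netwitness-offline-1.0.0.zip ./install-netwitness-codec.sh`; the post-install listing check is what tells you the codec can actually be referenced from an output configuration, rather than relying on the "Install successful" message alone.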