Reset File Collection Bookmarks

In cases where issues have caused logs to be lost, or not correctly sent to the Log Decoder, you can resend messages in log files by resetting the bookmarks for those log files.

Note: For security reasons, NetWitness does not allow resetting bookmarks from the agents. Rather, you must do so from an Endpoint Server.

The following procedure describes how to reset bookmarks for file collection logs.

Note: Currently, you can reset bookmarks either for all sources or for one specific source type, on the agents you list in a JSON file.

Construct a JSON File to Identify Agents and Event Source Types for Reset

First, you need to construct a JSON file using the following structure:

    {
      "agentIds": [],
      "sourceType": ""
    }

where:

  • agentIds: a list of the IDs for one or more Endpoint Agents. These are the individual agents on which the source log files reside.
  • sourceType: a string naming the file event source type whose log file bookmarks you want to reset (for example, apache), or ALL to reset the bookmarks for every source type on the listed agents. Provide one source type name, not a list.

For details on finding agent IDs and source types, see How to Find Agent IDs and Source Types below.

For example, the following JSON file could be used to reset bookmarks for all sources on 3 agents (each agent ID is a quoted string, and the entries are separated by commas):

    {
      "agentIds": ["43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
                   "88AD4B2C-192B-B50E-A125-C05B801301AA",
                   "3899038D-8F42-BC93-5BA7-ECBFC309D6A3"],
      "sourceType": "ALL"
    }

Similarly, the following JSON file could be used to reset bookmarks for apache sources only on the same 3 agents:

    {
      "agentIds": ["43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
                   "88AD4B2C-192B-B50E-A125-C05B801301AA",
                   "3899038D-8F42-BC93-5BA7-ECBFC309D6A3"],
      "sourceType": "apache"
    }
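A malformed file (a missing quote or comma, an ID copied with stray characters, a sourceType that is empty or tries to list several types) is rejected by the reset command, so it is worth checking the file before you invoke it from nw-shell. The following Python script is an added example, not part of the NetWitness product or this guide: it builds the JSON file from a list of agent IDs and a source type, normalizes and deduplicates the IDs, and checks a hand-written file such as /tmp/test.json. The UUID-style format it assumes for agent IDs (8-4-4-4-12 hexadecimal groups) is taken from the examples above; the function names and the comma/space check on sourceType are this example's own.

```python
import json
import re
import tempfile

# Assumption: Endpoint agent IDs look like UUIDs (8-4-4-4-12 hex groups), as in
# the examples in this section. Adjust AGENT_ID_RE if your deployment differs.
AGENT_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
ALLOWED_KEYS = {"agentIds", "sourceType"}


def find_problems(data):
    """Return a list of problems with a parsed reset-bookmark request (empty if OK)."""
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in sorted(set(data) - ALLOWED_KEYS):
        problems.append(f"unexpected key {key!r}")
    ids = data.get("agentIds")
    if not isinstance(ids, list) or not ids:
        problems.append("agentIds must be a non-empty JSON array")
    else:
        for aid in ids:
            if not isinstance(aid, str) or not AGENT_ID_RE.match(aid.strip()):
                problems.append(f"agent ID {aid!r} is not in the expected UUID form")
    st = data.get("sourceType")
    if not isinstance(st, str) or not st.strip():
        problems.append('sourceType must be a non-empty string (a source type name or "ALL")')
    elif "," in st or " " in st.strip():
        # Heuristic for this example: sourceType names one type, so a comma or an
        # embedded space almost always means someone tried to pass a list.
        problems.append('sourceType names one source type (or "ALL"), not a list')
    return problems


def build_reset_request(agent_ids, source_type="ALL"):
    """Normalize inputs into the dict the reset-bookmark command expects.

    Strips whitespace and stray quotes copied from the UI, upper-cases the hex,
    drops duplicate agents, and raises ValueError if the result is not usable.
    """
    cleaned = []
    for raw in agent_ids:
        aid = str(raw).strip().strip('"').upper()
        if aid not in cleaned:
            cleaned.append(aid)
    request = {"agentIds": cleaned, "sourceType": str(source_type).strip()}
    problems = find_problems(request)
    if problems:
        raise ValueError("; ".join(problems))
    return request


def write_reset_file(agent_ids, source_type="ALL", path=None):
    """Write the JSON file for `invoke --file <path>`; returns the path written."""
    request = build_reset_request(agent_ids, source_type)
    if path is None:
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
            path = fh.name
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(request, fh, indent=2)
    return path


def load_reset_file(path):
    """Parse and check an existing file (for example a hand-written /tmp/test.json).

    json.load raises JSONDecodeError on a missing quote or comma; ValueError is
    raised when the file parses but its content would be rejected by the command.
    """
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    problems = find_problems(data)
    if problems:
        raise ValueError(f"{path}: " + "; ".join(problems))
    return data


if __name__ == "__main__":
    # Constructed sample using the agent IDs shown in this section.
    ids = [
        "43F27B6E-A02D-955A-9607-2DFC5D17B6E7",
        "88AD4B2C-192B-B50E-A125-C05B801301AA",
        "3899038D-8F42-BC93-5BA7-ECBFC309D6A3",
    ]
    out = write_reset_file(ids, "apache")
    print(out)
    print(json.dumps(load_reset_file(out), indent=2))
```

Run `load_reset_file` against any file you wrote by hand before passing it to `invoke --file`; the reset operates on whatever agents the file names, so catching a wrong or duplicated ID here is cheaper than re-sending a day of logs from the wrong host.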

Reset Bookmarks

Perform the following steps to reset the bookmarks that you specified in a JSON-formatted file:

  1. SSH to the NetWitness Admin Server.
  2. Run the nw-shell command. For details about using the NetWitness shell, see the Shell User Guide, available in NetWitness Link.
  3. After nw-shell starts, connect to an Endpoint Server service, using the following command:

    connect --service endpoint-server.serviceID

    where serviceID is the identifier of the Endpoint Server that hosts the agents you are changing. See How to Find Endpoint Service IDs for details on how to retrieve the service ID.

  4. Change to the directory where the reset command resides:

    cd endpoint/command/reset-bookmark

  5. Log in with an administrator account.

    1. Type the login command:

      login

    2. Enter the user name for your admin account.
    3. Enter the password for your admin account.
  6. Run the reset command, providing the path and filename of the JSON file you created earlier:

    invoke --file <path and filename for JSON>

    For example:

    invoke --file /tmp/test.json

The bookmarks for each log file identified in your JSON file are reset. The following image shows an example NetWitness Shell session:

netwitness_nw-shell_resetbookmark.png

How to Find Agent IDs and Source Types

To find the Agent IDs for agents, go to Hosts > <select an Agent>, then click the Host Details panel, and scroll down to the Agent section, where the Agent ID is shown:

netwitness_agentid_288x364.png

To find the source types, go to Hosts > <select an Agent>, then click the Policy Details panel, expand Agent File Logs, view the Source Settings for the source type name to use:

netwitness_agentsourcetype_288x355.png

How to Find Endpoint Service IDs

You can retrieve the service ID for an Endpoint Server by using SSH to connect to it.

To retrieve the service ID for an Endpoint Server:

  1. SSH to the NetWitness Endpoint Server for which you need to retrieve the ID. The IP address is available under (Admin) > Hosts. The IP address for each host is listed in the Host column of the table.
  2. View the file that contains the ID by running the following command:

    cat /etc/netwitness/endpoint-server/service-id

    It returns the Endpoint Server ID, for example:

    38909c2f-7a9b-415a-b567-f49a19cf250e