Quick question – if I need to decommission the entire RSA NetWitness
platform / servers, but still need access to Archiver logs for a certain
duration, what all components will I have to keep alive? As per my
knowledge, the following will have to be ...
We've got a requirement to move all our raw logs and meta stored on the
Archiver to the Splunk platform. Now, I see there's a document on the
Community that speaks of RSA NetWitness and Splunk. I’ve gone through
the document. I find procedures to piv...
I get the following error while deploying the rule. I've checked the
syntax and it says the rule is valid. ESA was unable to deploy one or more
rules, and these rules were disabled. Common issues include: missing
metadata, invalid rule syntax, and unavaila...
I see bytes.src metakey is said to capture Bytes Sent. rbytes metakey is
said to capture Bytes Received, and yet it is always empty. I do also see
bytes metakey, the value of which is always greater than bytes.src, but
this key is not indexed. What exa...
Upgrade from RSA SA 10.6.6 to NetWitness 11.3. I've run the backup
script, and am getting the following error for 4 of my 18 machines,
others are fine. 2019-09-10 18:32:47 +0100 | 29554 | Backing up
ETC(/etc) files from: VLC2019-09-10 18:32:55 +0100 ...
Hi Aaron, For some reason, I've been able to access the REST API UI of
the Archiver, and I just can't find the /sdk node. It doesn't exist. I
can see a list of other nodes like /logs, /appliance, /services, etc.
but not /sdk. I believe the raw logs a...
Hi Dave, Thanks for the response. I accessed the REST API for the
Archiver via port 50106. I do see a Logs folder there, but it contains
only System logs [authentication]. Where do I find the device logs?
Fixed. Error - The groupwin view must occur in the first position in
conjunction with multiple data windows. Simply switched the position of
groupwin() with unique(), to ensure the former was defined first in the
rule syntax sequence.