Configure Logstash Input Plugin
Configure NetWitness Export Connector
Note: Make sure you open the firewall on the Decoder or Log Decoder so that Logstash can establish a connection. For more information, see "Network Architecture and Ports" in the Deployment Guide for RSA NetWitness.
You must configure a Logstash configuration file to process the NetWitness events. Create a Logstash configuration file and add the NetWitness Export Connector plugin parameter settings for event processing. Save the file as netwitness-
A Logstash configuration file can have three separate sections, one for each type of plugin that you want to add to the event processing pipeline: the first section is for the Input plugin (NetWitness Export Connector), the second is for the Filter plugin (optional), and the third is for the Output plugin.
To configure the NetWitness Export Connector plugin, add the parameter settings in the first section of the Logstash configuration file.
For a multiple pipelines configuration, see the Multiple Pipelines Configuration documentation.
The configuration of each NetWitness Export Connector plugin instance must consist of the plugin name followed by a block of parameter settings for that instance. If the configuration contains multiple plugin instances, each with its own block of parameters, they are applied in the order in which they appear.
The following is an example of the NetWitness Export Connector with one plugin instance whose block of parameter settings fetches data from a single decoder.
input {
  netwitness {
    host => "<DECODER_HOST>"            # Placeholder: address of the Decoder or Log Decoder
    username => "<DECODER_USERNAME>"    # Placeholder: account used to connect to the decoder
    password => "<DECODER_PASSWORD>"    # Placeholder: store the real value in the Logstash keystore
    decoder_type => "logdecoder"        # Mandatory
  }
}
The following is an example of the NetWitness Export Connector with two plugin instances, each with its own block of parameter settings, which fetch data from two different decoders. Each plugin instance in the configuration is applied in the order shown.
input {
  netwitness {
    host => "<DECODER_1_HOST>"          # Placeholder: address of the first Decoder or Log Decoder
    username => "<DECODER_1_USERNAME>"  # Placeholder: account used to connect to the first decoder
    password => "<DECODER_1_PASSWORD>"  # Placeholder: store the real value in the Logstash keystore
    decoder_type => "logdecoder"        # Mandatory
  }
  netwitness {
    host => "<DECODER_2_HOST>"          # Placeholder: address of the second Decoder or Log Decoder
    username => "<DECODER_2_USERNAME>"  # Placeholder: account used to connect to the second decoder
    password => "<DECODER_2_PASSWORD>"  # Placeholder: store the real value in the Logstash keystore
    decoder_type => "logdecoder"        # Mandatory
  }
}
Note: When configuring Logstash, you may need to specify sensitive settings such as passwords. You can use the Logstash keystore to store secret values securely and reference them from configuration settings, instead of relying on file system permissions. For more information, see the Logstash keystore documentation.
The following parameters are accepted by the NetWitness Export Connector.
Position tracking and start session
Position tracking, or bookmarking, is used to track the sessions that are aggregated by Logstash and sent to the consumer. Position tracking starts automatically and updates the tracking file every 60 seconds in the path given by the position_tracking_path parameter in the configuration file. The file consists of two parts, [sessionid,timestamp]. The default location is /var/lib/logstash if no path is specified in the configuration file.
The start_session parameter accepts a number (long primitive datatype) and indicates the first session id the plugin should request from its corresponding source. If the start_session parameter is not specified in the configuration file, or if its value is 0, the first session requested by the plugin is last.session.id + 1, where last.session.id is obtained from the decoder's REST API at /database/stats/last.session.id.
If the position tracking file exists for a source and start_session is not configured or is set to 0, the plugin initiates aggregation from the session id recorded in the position tracking file.
If the position tracking file exists for a source and start_session is set to a non-zero value, the start_session value takes precedence over the position tracking file. The plugin requests sessions from the one specified in the start_session parameter onwards.
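The three precedence rules above (explicit non-zero start_session, then the position tracking file, then last.session.id + 1) are easy to get wrong when checking a deployment, so here is an added example that implements them as a small resolver. This is illustration code written for this page, not the NetWitness Export Connector's own implementation. It assumes the tracking file holds a single "[sessionid,timestamp]" entry with an epoch-seconds timestamp, and it takes last.session.id as a plain integer argument rather than calling the decoder's REST API; both are assumptions, not details taken from the plugin.

```python
"""Resolve which session id the plugin would request first for a source.

Added example, not the NetWitness Export Connector's own code. Assumed
(not from the plugin documentation): the tracking file holds one entry
"[sessionid,timestamp]" with an epoch-seconds timestamp, and the caller
supplies last.session.id instead of querying the decoder's REST API.
"""
import os
import re
import tempfile

# Default directory for the tracking file when position_tracking_path is unset.
DEFAULT_TRACKING_DIR = "/var/lib/logstash"

# Accepts the two-part "[sessionid,timestamp]" form, e.g. "[1234,1700000000]".
_ENTRY = re.compile(r"^\[\s*(\d+)\s*,\s*(\d+)\s*\]$")


def write_tracking_file(path, session_id, timestamp):
    """Write a constructed tracking entry in the assumed bracket format."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"[{session_id},{timestamp}]")


def parse_tracking_file(path):
    """Return the session id recorded in the tracking file, or None when the
    file is absent, empty or malformed (a malformed file is treated as no
    bookmark rather than as session 0, so a corrupt file never silently
    restarts aggregation from the beginning)."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        content = fh.read().strip()
    match = _ENTRY.match(content)
    if not match:
        return None
    return int(match.group(1))


def resolve_start_session(start_session, tracked_session, last_session_id):
    """Apply the documented precedence:
    1. a non-zero start_session wins over the tracking file;
    2. otherwise the session id from the tracking file, if one exists;
    3. otherwise last.session.id + 1 (only new sessions are requested).
    A missing start_session is equivalent to 0.
    """
    if start_session is None:
        start_session = 0
    if start_session < 0:
        raise ValueError("start_session must be a non-negative integer")
    if start_session > 0:
        return start_session
    if tracked_session is not None:
        return tracked_session
    return last_session_id + 1


def demo():
    """Run the three scenarios against a constructed tracking file and
    return the resolved first session id for each."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "decoder-a.position")  # constructed path
        write_tracking_file(path, 1234, 1700000000)      # constructed bookmark
        tracked = parse_tracking_file(path)
        return {
            # No bookmark, start_session unset: continue after the decoder's last session.
            "fresh": resolve_start_session(None, None, 5000),
            # Bookmark present, start_session 0: resume from the bookmark.
            "resume": resolve_start_session(0, tracked, 5000),
            # Bookmark present, explicit start_session: the parameter wins.
            "override": resolve_start_session(42, tracked, 5000),
        }


if __name__ == "__main__":
    for scenario, first_session in demo().items():
        print(f"{scenario}: first requested session id = {first_session}")
```

When verifying a deployment, compare the value this resolver yields for a source with the first session id actually seen in the decoder's logs: a mismatch usually means start_session was left at a stale non-zero value in the configuration and is overriding the bookmark.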