Collecting statistics for RSA Security Analytics Decoder via REST API

Tasks

This article provides instructions for collecting real-time statistics for an RSA Security Analytics Decoder appliance via the REST API using the UNIX curl command. The statistics include packet capture rate, meta assembler rate, total bytes captured, etc.


Resolution

Decoder statistics can be collected by sending a curl request to the RSA SA REST API. By piping the curl output to grep, it's possible to filter the output down to the information desired. A sample is provided below:
 
curl -u <username>:<password> "http://<decoder_ip_address>:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | grep <filter_string>

In the example below, the current and maximum packet capture rates are being collected.
[root@localhost ~]# curl -u admin:netwitness "http://192.168.1.5:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | grep capture.packet.rate
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3122  100  3122    0     0   575k      0 --:--:-- --:--:-- --:--:-- 1016k
capture.packet.rate (Capture Packet Rate (current)) = 34663
capture.packet.rate.max (Capture Packet Rate (maximum)) = 131012
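
Both output lines above contain capture.packet.rate, because grep matches the filter anywhere in the line. The following is an added example, not part of the original article: two hypothetical shell functions, stat_value and capture_rate_pct, that look up a statistic by its exact name and compare the current capture rate against the maximum. The sample input is constructed from the two output lines above, and the netrc file path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): exact-name lookup in the
# decoder stats text, whose lines have the form "name (Description) = value".

# Constructed sample, copied from the two output lines shown in the article.
SAMPLE_STATS='capture.packet.rate (Capture Packet Rate (current)) = 34663
capture.packet.rate.max (Capture Packet Rate (maximum)) = 131012'

# stat_value NAME
# Reads stats text on stdin and prints the value of the stat named exactly
# NAME. Exit status is 1 when no such stat is present.
stat_value() {
    awk -v want="$1" '
        {
            # Name is everything before the first " (" ; value follows the last " = ".
            p = index($0, " (")
            if (p == 0) next
            if (substr($0, 1, p - 1) != want) next
            n = split($0, parts, " = ")
            print parts[n]
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# capture_rate_pct
# Reads stats text on stdin and prints the current capture rate as an
# integer percentage of the recorded maximum.
capture_rate_pct() (
    stats=$(cat)
    cur=$(printf '%s\n' "$stats" | stat_value capture.packet.rate) || exit 1
    max=$(printf '%s\n' "$stats" | stat_value capture.packet.rate.max) || exit 1
    [ "$max" -gt 0 ] || exit 1
    echo $(( cur * 100 / max ))
)

# Live use with the article's URL. -s hides the curl progress meter, and
# --netrc-file (the path is a hypothetical example) keeps the password out of
# the process list and shell history, unlike -u <username>:<password>:
#   curl -s --netrc-file ~/.netrc-decoder \
#     "http://<decoder_ip_address>:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" \
#     | stat_value capture.packet.rate
```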

Notes

Refer to the table below for other filters that can be applied to the curl command:

 

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.x, 11.x
Platform: CentOS

Summary

This article provides instructions for collecting real-time statistics for an RSA Security Analytics Decoder appliance using the command-line.

