
Collecting statistics for RSA Security Analytics Decoder via REST API

Tasks

This article provides instructions for collecting real-time statistics from an RSA Security Analytics Decoder appliance via the REST API using the UNIX curl command. The statistics include packet capture rate, meta assembler rate, total bytes captured, etc.


Resolution

Decoder statistics can be collected by sending a curl request to the RSA SA REST API. By piping curl to grep, it's possible to further filter the output based on the information desired. A sample is provided below:
 
curl -u <username>:<password> "http://<decoder_ip_address>:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | grep <filter_string>

In the example below, the current and maximum packet capture rates are being collected.
[root@localhost ~]# curl -u admin:netwitness "http://192.168.1.5:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | grep capture.packet.rate
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3122  100  3122    0     0   575k      0 --:--:-- --:--:-- --:--:-- 1016k
capture.packet.rate (Capture Packet Rate (current)) = 34663
capture.packet.rate.max (Capture Packet Rate (maximum)) = 131012
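
Because grep matches substrings, the filter above returns both the current and the maximum rate, and a mistyped filter returns nothing without an error. The script below is an added example, not part of the original article: it parses the `name (Description) = value` lines shown above to fetch one exact statistic and to flag packet drops. The function names, the netrc path, the drop threshold and all sample values other than the two rate lines are assumptions.

```shell
#!/bin/sh
# Added example: parse Decoder stats lines of the form
#   name (Description) = value
# Live use (assumed setup): keep credentials in a netrc file rather than
# on the command line, and silence the progress meter with -s:
#   curl -s --netrc-file ~/.decoder.netrc "http://<decoder_ip_address>:50104/decoder/stats?msg=ls&force-content-type=text/plain&expiry=600" | stat_value capture.packet.rate

# Constructed sample; the first two lines copy the article's output, the
# other values are invented for illustration.
sample_stats() {
  cat <<'EOF'
capture.packet.rate (Capture Packet Rate (current)) = 34663
capture.packet.rate.max (Capture Packet Rate (maximum)) = 131012
capture.dropped.percent (Captured Packets Percent Dropped (current)) = 2
capture.status (Capture Status) = started
EOF
}

# stat_value NAME: print the value of exactly NAME from stats text on stdin.
# Exits non-zero when NAME is absent, so a mistyped filter is not silent.
stat_value() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    $1 == want && match($0, /\) = /) {       # descriptions nest parentheses
      print substr($0, RSTART + RLENGTH)
      found = 1
      exit
    }
    END { exit !found }
  '
}

# check_drops LIMIT: 0 if capture.dropped.percent <= LIMIT, 1 if above,
# 2 if the statistic is missing from the input.
check_drops() {
  pct=$(stat_value capture.dropped.percent) || return 2
  awk -v p="$pct" -v l="$1" 'BEGIN { exit (p + 0 > l + 0) ? 1 : 0 }'
}

sample_stats | stat_value capture.packet.rate
```
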

Notes

Refer to the table below for other filters that can be applied to the curl command:

 
| String | Description |
|---|---|
| assembler.client.bytes | Assembler Client Bytes |
| assembler.client.goodput.rate | Assembler Rate Client Goodput (current) |
| assembler.client.goodput.rate.max | Assembler Rate Client Goodput (maximum) |
| assembler.client.retrans | Assembler Client Retransmit |
| assembler.meta.rate | Assembler Rate Meta (current) |
| assembler.meta.rate.max | Assembler Rate Meta (maximum) |
| assembler.packet.bytes | Assembler Packet Bytes |
| assembler.packet.pages | Assembler Packet Pages |
| assembler.packet.rate | Assembler Rate Packet (current) |
| assembler.packet.rate.max | Assembler Rate Packet (maximum) |
| assembler.packets | Assembler Packets |
| assembler.server.bytes | Assembler Server Bytes |
| assembler.server.goodput.rate | Assembler Rate Server Goodput (current) |
| assembler.server.goodput.rate.max | Assembler Rate Server Goodput (maximum) |
| assembler.server.retrans | Assembler Server Retransmit |
| assembler.sessions | Assembler Sessions |
| assembler.sessions.forced | Assembler Sessions Forced |
| assembler.sessions.split | Assembler Sessions Split |
| assembler.sessions.timed.out | Assembler Sessions Timed Out |
| assembler.timespan | Assembler Timespan |
| capture.avg.size | Average Size of Captured Packets |
| capture.device | Capture Device |
| capture.dropped | Captured Packets Dropped |
| capture.dropped.percent | Captured Packets Percent Dropped (current) |
| capture.dropped.percent.max | Captured Packets Percent Dropped (maximum) |
| capture.filtered | Captured Packets Filtered |
| capture.header.bytes | Capture Header Bytes |
| capture.interface | Capture Interface |
| capture.kept | Captured Packets Kept |
| capture.packet.rate | Packet Capture Rate (current) |
| capture.packet.rate.max | Packet Capture Rate (maximum) |
| capture.payload.bytes | Capture Payload Bytes |
| capture.rate | Capture Rate (current) |
| capture.rate.max | Capture Rate (maximum) |
| capture.received | Captured Packets Received (total) |
| capture.status | Capture Status |
| capture.total.bytes | Capture Total Bytes |
| correlation.results.created | Correlation Results Created |
| correlation.results.dropped | Correlation Results Dropped |
| limiter.bytes.rate | Limiter Rate Bytes (current) |
| limiter.bytes.rate.max | Limiter Rate Bytes (maximum) |
| limiter.engaged | Limiter Engaged |
| limiter.packets.dropped | Packets dropped while limiter is engaged |
| pool.packet.assembler | Packet Assemble Queue |
| pool.packet.capture | Packet Capture Queue |
| pool.packet.write | Packet Write Queue |
| pool.session.correlate | Session Correlation Queue |
| pool.session.write | Session Write Queue |
| rule.alert.session | Rule Alert (Session) |
| time.begin | Packet Database Time Begin |
| time.capture | Capture Time Elapsed |
| time.end | Packet Database Time End |


Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 10.x, 11.x
Platform: CentOS

Summary

This article provides instructions for collecting real-time statistics for an RSA Security Analytics Decoder appliance using the command-line.

