Configure Logstash Input Plugin
Configure NetWitness Export Connector
Note: Make sure you open the firewall on the Decoder or Log Decoder so that Logstash can connect to it. For more information, see "Network Architecture and Ports" in the Deployment Guide for RSA NetWitness.
Logstash needs a configuration file that processes the NetWitness events. Create a Logstash configuration file, add the NetWitness Export Connector plugin parameter settings for event processing, and save the file as netwitness-
A Logstash configuration file can have three separate sections, one for each type of plugin that you want to add to the event processing pipeline: the first section is for the Input plugin (NetWitness Export Connector), the second section is for the Filter plugin (optional), and the third section is for the Output plugin.
To configure the NetWitness Export Connector plugin, add the parameter settings in the first section of the Logstash configuration file.
For multiple pipelines configuration, see Multiple Pipelines Configuration documentation.
The configuration of each NetWitness Export Connector plugin instance must consist of the plugin name followed by a block of parameter settings for that plugin. If the configuration contains multiple NetWitness Export Connector plugin instances, each with its own block of parameters, they are applied in the order in which they appear.
The following is an example of the NetWitness Export Connector with one plugin instance and its block of parameter settings, which fetches data from a single decoder.
input {
  netwitness {
    host => "<decoder-host>"        # IP address or hostname of the Decoder or Log Decoder (placeholder)
    username => "<username>"        # placeholder
    password => "<password>"        # placeholder
    decoder_type => "logdecoder"    # Mandatory
  }
}
The following is an example of the NetWitness Export Connector with two plugin instances, each with its own block of parameter settings, which fetch data from two different decoders. Each plugin in the configuration is applied in the order shown.
input {
  netwitness {
    host => "<first-decoder-host>"  # placeholder
    username => "<username>"        # placeholder
    password => "<password>"        # placeholder
    decoder_type => "logdecoder"    # Mandatory
  }
  netwitness {
    host => "<second-decoder-host>" # placeholder
    username => "<username>"        # placeholder
    password => "<password>"        # placeholder
    decoder_type => "logdecoder"    # Mandatory
  }
}
Note: When configuring Logstash, you may need to specify sensitive settings such as passwords. Instead of relying on file system permissions, you can store secret values in the Logstash keystore and reference them from the configuration settings. For more information, see the Logstash keystore documentation.
The following parameters are accepted by the NetWitness Export Connector.
- Parameter: host
- Description: IP address or hostname of the Decoder or Log Decoder (mandatory)
- Parameter Type: String
- Default Value: N/A
- Parameter: username
- Description: Username used to access the Decoder or Log Decoder (mandatory)
- Parameter Type: String
- Default Value: N/A
- Parameter: password
- Description: Password of the user (mandatory)
- Parameter Type: String
- Default Value: N/A
- Parameter: decoder_type
- Description: Accepts only 'decoder' or 'logdecoder' (mandatory)
- Parameter Type: String
- Default Value: N/A
- Parameter: ssl_enable
- Description: Enables an SSL connection between the Decoders and the NetWitness Export Connector. For more information, see Configure SSL
- Parameter Type: Boolean
- Default Value: false
- Parameter: ssl_certificate_path
- Description: Path of the CA certificate that is used for SSL and Trusted Connections
- Parameter Type: String
- Default Value: /etc/pki/nw/trust/truststore.pem
- Parameter: ssl_certificate_password
- Description: Password of the certificate in use. Mandatory if SSL is enabled
- Parameter Type: String
- Default Value: N/A
- Parameter: ssl_client_certificate_path
- Description: Path of the client's SSL certificate
- Parameter Type: String
- Default Value: /etc/pki/nw/node/node-cert.pem
- Parameter: ssl_version
- Description: Version of the SSL connection
- Parameter Type: String
- Default Value: TLSv1.2
- Parameter: plugin_metrics_enable
- Description: Enables metrics reporting to Elastic (New Health and Wellness). For more information, see Health and Wellness
- Parameter Type: Boolean
- Default Value: false
- Parameter: elastic_host
- Description: IP address or hostname of the Elastic host. Mandatory if plugin metrics are enabled
- Parameter Type: String
- Default Value: N/A
- Parameter: elastic_port
- Description: Port number of the Elastic host
- Parameter Type: String
- Default Value: 9200
- Parameter: elastic_username
- Description: The username that is used to access the Elastic host. Mandatory if plugin metrics are enabled
- Parameter Type: String
- Default Value: N/A
- Parameter: elastic_password
- Description: The password that is used to access the Elastic host. Mandatory if plugin metrics are enabled
- Parameter Type: String
- Default Value: N/A
- Parameter: meta_include
- Description: Aggregates only the meta keys listed in this parameter setting. Accepts comma-separated values (csv) format
- Parameter Type: String
- Default Value: nil
- Parameter: meta_exclude
- Description: Excludes the meta keys listed in this parameter setting from aggregation. Accepts comma-separated values (csv) format
- Parameter Type: String
- Default Value: nil
- Parameter: start_session
- Description: Session from which the aggregation starts. Setting the value to 0 starts the aggregation from last.session.id in the Decoder
- Parameter Type: Number
- Default Value: 0
- Parameter: export_log
- Description: Includes the raw log with the meta in the session (applicable only for Log Decoder aggregation)
- Parameter Type: Boolean
- Default Value: false
- Parameter: aggregate_sessions
- Description: Number of sessions ingested in a batch from the Decoders
- Parameter Type: Number
- Default Value: 1000
- Parameter: aggregation_interval
- Description: Time interval (in milliseconds) between two event cycles
- Parameter Type: Number
- Default Value: 1000
- Parameter: prefetch_count
- Description: Controls the number of batches pulled into the buffer that is available for the plugin to collect
- Parameter Type: Number
- Default Value: 2
- Parameter: compression
- Description: The number of bytes a message must reach before it is compressed. Setting the value to '0' disables compression. Ranges from 0 to 131071
- Parameter Type: Number
- Default Value: 0
- Parameter: compression_level
- Description: The level of compression. Ranges from 0 to 9, where 1 is fastest and 9 gives the best compression. A value of 0 selects the best balance between speed and compression
- Parameter Type: Number
- Default Value: 6
- Parameter: buffer_size
- Description: Controls the number of records that are streamed into the buffer before they are ingested
- Parameter Type: Number
- Default Value: 40000
- Parameter: position_tracking_path
- Description: Path where the last consumed session id is stored. The default storage location is /var/lib/logstash. For more information, see Position tracking and start session
- Parameter Type: String
- Default Value: /var/lib/logstash
- Parameter: custom_meta_config_path
- Description: Path to the custom multi-valued meta configuration file. For more information, see Configuring Custom Multi-valued Meta
- Parameter Type: String
- Default Value: nil
- Parameter: Query
- Description: Takes any NetWitness Platform query as input
Note: Only indexed meta keys may be part of the query. For example, select * where device.type = 'rhlinux'
- Parameter Type: String
- Default Value: Select *
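The parameter table above encodes several rules that are easy to get wrong in a hand-written configuration file (mandatory keys, the two accepted decoder_type values, the settings that become mandatory once ssl_enable or plugin_metrics_enable is true, and the numeric ranges for compression and compression_level). The following Python script is an added example, not part of the NetWitness Export Connector or its documentation: it parses the netwitness blocks of a Logstash input section and reports every rule that a block violates before the pipeline is started. It also flags secrets written as literals rather than Logstash keystore references, and a block whose ssl_enable is left at its default of false. The sample configuration, its host addresses and credentials are constructed for the example; the minimal parser only understands the flat key => value lines shown on this page.

```python
from __future__ import annotations

import re
from typing import Any

# Constraints transcribed from the parameter table above.
MANDATORY = ("host", "username", "password", "decoder_type")
DECODER_TYPES = {"decoder", "logdecoder"}
ELASTIC_REQUIRED = ("elastic_host", "elastic_username", "elastic_password")
SECRET_KEYS = ("password", "ssl_certificate_password", "elastic_password")
KEYSTORE_REF = re.compile(r"^\$\{[A-Za-z0-9_.]+\}$")  # Logstash keystore reference, e.g. ${NW_PASSWORD}
_SETTING = re.compile(r"^(\w+)\s*=>\s*(.+)$")

# Constructed sample: block 1 follows the rules, block 2 breaks several of them.
SAMPLE_CONF = """
input {
  netwitness {
    host => "10.0.0.5"               # constructed placeholder address
    username => "logstash-svc"
    password => "${NW_PASSWORD}"     # resolved from the Logstash keystore
    decoder_type => "logdecoder"     # Mandatory
    ssl_enable => true
    ssl_certificate_password => "${NW_TRUST_PW}"
    compression => 65536
    compression_level => 6
  }
  netwitness {
    host => "10.0.0.6"
    username => "logstash-svc"
    password => "hunter2"            # literal secret in the config file
    decoder_type => "packet"         # not one of the accepted values
    compression => 200000            # above the documented maximum
  }
}
"""


def _coerce(raw: str) -> Any:
    """Turn the right-hand side of 'key => value' into a Python value, ignoring a trailing # comment."""
    quoted = re.match(r'^"([^"]*)"', raw) or re.match(r"^'([^']*)'", raw)
    if quoted:
        return quoted.group(1)
    token = raw.split("#", 1)[0].strip()
    if token in ("true", "false"):
        return token == "true"
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token


def parse_netwitness_blocks(conf: str) -> list[dict]:
    """Collect every 'netwitness { ... }' block of the input section as a dict of settings."""
    blocks: list[dict] = []
    current: dict | None = None
    depth = block_depth = 0
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"^netwitness\s*\{$", stripped):
            depth += 1
            current, block_depth = {}, depth
        elif stripped.endswith("{"):          # input { or any other section opener
            depth += 1
        elif stripped == "}":
            if current is not None and depth == block_depth:
                blocks.append(current)
                current = None
            depth -= 1
        elif current is not None:
            m = _SETTING.match(stripped)
            if m:
                current[m.group(1)] = _coerce(m.group(2))
    return blocks


def validate(params: dict) -> list[str]:
    """Return the documented rules this block violates; an empty list means the block passes."""
    problems: list[str] = []
    for key in MANDATORY:
        if key not in params:
            problems.append(f"{key} is mandatory but missing")
    if "decoder_type" in params and params["decoder_type"] not in DECODER_TYPES:
        problems.append(f"decoder_type must be 'decoder' or 'logdecoder', got {params['decoder_type']!r}")
    if not params.get("ssl_enable", False):   # default is false per the table
        problems.append("ssl_enable is false: the connection to the decoder is not SSL-protected")
    elif "ssl_certificate_password" not in params:
        problems.append("ssl_certificate_password is mandatory when ssl_enable is true")
    if params.get("plugin_metrics_enable", False):
        for key in ELASTIC_REQUIRED:
            if key not in params:
                problems.append(f"{key} is mandatory when plugin_metrics_enable is true")
    for secret in SECRET_KEYS:
        value = params.get(secret)
        if isinstance(value, str) and not KEYSTORE_REF.match(value):
            problems.append(f"{secret} is a literal value; store it in the Logstash keystore instead")
    if not 0 <= params.get("compression", 0) <= 131071:
        problems.append("compression must be between 0 and 131071")
    if not 0 <= params.get("compression_level", 6) <= 9:
        problems.append("compression_level must be between 0 and 9")
    return problems


if __name__ == "__main__":
    for i, block in enumerate(parse_netwitness_blocks(SAMPLE_CONF), 1):
        print(f"netwitness block {i} ({block.get('host')}):", validate(block) or ["ok"])
```

Run it against a real file with `parse_netwitness_blocks(open(path).read())`; the check is deliberately strict about literal secrets because the configuration file is the one artifact that tends to be copied into tickets and backups.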
Position tracking and start session
Position tracking (bookmarking) is used to track the sessions that Logstash has aggregated and sent to the consumer. Position tracking starts automatically and updates the tracking file every 60 seconds in the path given by the position_tracking_path parameter in the configuration file. The file consists of two parts, [sessionid,timestamp]. The default location is /var/lib/logstash if no path is set in the configuration file.
The start_session parameter accepts a number (a long primitive) and indicates the first sessionid the plugin should request from its corresponding source. If start_session is not set in the configuration file, or is set to 0, the first session requested by the plugin is last.session.id + 1, where last.session.id is taken from the decoder's REST API at /database/stats/last.session.id.
If a position tracking file exists for a source and start_session is not configured or is set to 0, the plugin initiates aggregation from the sessionid recorded in the position tracking file.
If a position tracking file exists for a source and start_session is set to a non-zero value, the start_session value takes precedence over the position tracking file. The plugin requests sessions from the one given in the start_session parameter onwards.
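The three rules above decide where aggregation resumes, and getting them wrong means either re-ingesting sessions or silently skipping them. The following Python script is an added example, not the plugin's own code: it writes and reads a bookmark in the [sessionid,timestamp] layout described here, applies the precedence rules (explicit non-zero start_session, then the bookmark, then last.session.id + 1), and walks through all three cases against a throwaway tracking file. The file name netwitness.pos, the session numbers and the last.session.id value are constructed for the example; it also assumes the bookmark is written with no whitespace and that resuming from the bookmark means starting at exactly the recorded sessionid, as the text states.

```python
from __future__ import annotations

import os
import tempfile
import time


def write_tracking_file(path: str, session_id: int, timestamp: int | None = None) -> None:
    """Write the bookmark as '[sessionid,timestamp]' (layout from the text; no whitespace is an assumption)."""
    ts = int(time.time()) if timestamp is None else timestamp
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(f"[{session_id},{ts}]")
    os.replace(tmp, path)  # atomic swap: a crash mid-write never leaves a half-written bookmark behind


def read_tracking_file(path: str) -> tuple[int, int] | None:
    """Return (sessionid, timestamp), or None when no bookmark exists yet.

    A corrupt bookmark raises instead of being treated as 'no bookmark', because the
    fallback (last.session.id + 1) would quietly skip every session since the last good write.
    """
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        body = fh.read().strip()
    if not (body.startswith("[") and body.endswith("]")) or body.count(",") != 1:
        raise ValueError(f"{path}: expected '[sessionid,timestamp]', got {body!r}")
    sid, ts = body[1:-1].split(",")
    return int(sid), int(ts)


def resolve_first_session(start_session: int | None, bookmark: tuple[int, int] | None,
                          last_session_id: int) -> int:
    """Apply the documented precedence: non-zero start_session > bookmark > last.session.id + 1."""
    if start_session:              # a non-zero start_session overrides the tracking file
        return start_session
    if bookmark is not None:       # unset or 0 with a bookmark present: resume from the recorded sessionid
        return bookmark[0]
    return last_session_id + 1     # fresh source: continue right after the decoder's last.session.id


def run_scenarios() -> dict[str, int]:
    """Walk through the three cases from the text against a temporary tracking file."""
    last_session_id = 5000  # constructed stand-in for the decoder's /database/stats/last.session.id
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "netwitness.pos")  # constructed stand-in for position_tracking_path
        results = {
            "no_bookmark_start_0": resolve_first_session(0, read_tracking_file(path), last_session_id),
        }
        write_tracking_file(path, 4200, 1700000000)  # constructed bookmark written by a previous run
        bookmark = read_tracking_file(path)
        results["bookmark_sessionid"] = bookmark[0]
        results["bookmark_start_unset"] = resolve_first_session(None, bookmark, last_session_id)
        results["bookmark_start_6000"] = resolve_first_session(6000, bookmark, last_session_id)
    return results


if __name__ == "__main__":
    for case, session in run_scenarios().items():
        print(f"{case}: first session requested = {session}")
```

The bookmark age (the second field) is worth alerting on in production: a timestamp that stops advancing while the pipeline is up means the 60-second update is no longer happening and a restart will replay from a stale position.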