How to Configure NetWitness Respond Service Retention using Explore and nw-shell
Issue
Retention must be configured for the NetWitness Respond service so that the database does not keep growing as Incidents and Alerts accumulate.
Resolution
- Configure the retention settings from the Respond->Explore page; see rsa_nw_11.5_respond_config_guide, page 60.
- Configure the retention settings using nw-shell commands, as follows.
1. Log in to the NwServer with PuTTY and run the commands below.
[root@SA ~]# nw-shell
RSA Netwitness Shell. Version: 7.10.0-SNAPSHOT
See "help" to list available commands, "help connect" to get started.
offline » login
user: admin
password: **************
admin@offline » connect --service respond-server
INFO: Connected to respond-server (XXX-XXX-XXX-XXX-XXX)
admin@respond-server:Folder:/rsa » cd respond/dataretention
admin@respond-server:Folder:/rsa/respond/dataretention » ls
enabled Configuration
execution-hour Configuration
frequency Configuration
retention-period Configuration
2. Set the retention period according to your requirements, as shown below. Once Incidents and Alerts are older than this retention period, they roll over from the Mongo database.
admin@respond-server:Folder:/rsa/respond/dataretention » cd retention-period
admin@respond-server:Configuration:/rsa/respond/dataretention/retention-period » get .
"90 DAYS"
admin@respond-server:Configuration:/rsa/respond/dataretention/retention-period » set 30d
admin@respond-server:Configuration:/rsa/respond/dataretention/retention-period » get .
"30 DAYS"
admin@respond-server:Configuration:/rsa/respond/dataretention/retention-period » set 60d
admin@respond-server:Configuration:/rsa/respond/dataretention/retention-period » get .
"60 DAYS"
3. By default, retention is off and has to be enabled as shown below.
admin@respond-server:Folder:/rsa/respond/dataretention » cd enabled
admin@respond-server:Configuration:/rsa/respond/dataretention/enabled » get .
false
admin@respond-server:Configuration:/rsa/respond/dataretention/enabled » set true
admin@respond-server:Configuration:/rsa/respond/dataretention/enabled » get .
true
4. By default, retention checks every 24 hours whether a rollover is required.
admin@respond-server:Folder:/rsa/respond/dataretention » cd frequency
admin@respond-server:Configuration:/rsa/respond/dataretention/frequency » get .
"24 HOURS"
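A check for a saved nw-shell session log, added here as an example and not RSA's code: it reads back the `get .` values in the prompt format shown in the steps above and flags a session where retention-period was changed but enabled is still false. The function names, the `max_days` policy limit and the sample transcript are assumptions constructed for illustration.

```python
import re

# Prompt shape as shown in the transcript above:
#   user@respond-server:Configuration:/rsa/respond/dataretention/<node> » get .
PROMPT = re.compile(
    r"^\S+@respond-server:Configuration:/rsa/respond/dataretention/"
    r"(?P<node>[\w-]+) » (?P<cmd>.*)$"
)

def observed_settings(transcript):
    """Return the last value printed by `get .` for each dataretention node."""
    settings, pending = {}, None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            # Only `get .` is trusted; a `set` is unconfirmed until read back.
            pending = m["node"] if m["cmd"].strip() == "get ." else None
        elif pending and line:
            settings[pending] = line.strip('"')
            pending = None
    return settings

def audit(settings, max_days):
    """List problems with the observed retention state (empty list = OK)."""
    problems = []
    if settings.get("enabled") != "true":
        problems.append("retention is not enabled")
    m = re.fullmatch(r"(\d+) DAYS", settings.get("retention-period", ""))
    if not m:
        problems.append("retention-period not read back as '<n> DAYS'")
    elif int(m[1]) > max_days:  # max_days: hypothetical site policy limit
        problems.append(f"retention-period {m[1]} DAYS exceeds {max_days} DAYS")
    return problems

# Constructed sample session: period changed to 60d, but `enabled` never set.
P = "admin@respond-server:Configuration:/rsa/respond/dataretention"
SAMPLE = f"""\
{P}/retention-period » get .
"90 DAYS"
{P}/retention-period » set 60d
{P}/retention-period » get .
"60 DAYS"
{P}/enabled » get .
false
"""

if __name__ == "__main__":
    state = observed_settings(SAMPLE)
    print(state)
    for problem in audit(state, max_days=90):
        print("FINDING:", problem)
```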
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: NetWitness Respond
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure to configure Retention settings.