How to run the NwCheckpointProcess Check Point collection service from LogCollector CLI
Issue
How to run the Check Point collection service from the command line for troubleshooting on a NetWitness Log Collector.
Resolution
NwLogCollector uses the NwCheckpointProcess program to collect events from Check Point servers through the OPSEC LEA API. The program can also be run as a command-line utility to probe a Check Point server, which helps verify connectivity and debug connection problems. The following is an example of the syntax:
/usr/sbin/NwCheckpointProcess --ip 192.168.1.1 --name Test --port 18184 --sdn CN=MyCheckpoint,o=test.lab.org --cdn CN=enVision_OPSEC,o=test.lab.org --cen enVision_OPSEC --kfp /etc/netwitness/ng/truststore/MyCertificate.p12 --count 10 --time 120 --timeout 30
Some NwCheckpointProcess options take no value; the presence of the option alone triggers the action. For example, to show the log files on the server, enter the following:
NwCheckpointProcess --showlogs
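A pre-flight wrapper for the probe syntax above, as an added example that is not NetWitness code: it checks the port, the DN shape and the key file permissions before printing a bounded probe command. The function names are hypothetical, and the DN pattern (taken from the examples on this page) and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not NetWitness code. Function names are hypothetical; the
# option names are the ones in the --help output on this page.

# The .p12 holds the OPSEC client key: it must be readable and owner-only.
check_keyfile() {
    [ -r "$1" ] || { echo "cannot read key file: $1" >&2; return 1; }
    kf_mode=$(stat -c '%a' "$1") || return 1   # GNU stat (assumed Linux host)
    [ $(( 0$kf_mode & 077 )) -eq 0 ] && return 0
    echo "mode $kf_mode lets group/other access $1" >&2
    return 2
}

# Assumption: DNs follow the page's examples, CN=<name>,O=<domain>.
check_dn() {
    case $1 in
        [Cc][Nn]=?*,[Oo]=?*) return 0 ;;
        *) return 1 ;;
    esac
}

check_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Plain TCP connect: separates network/firewall faults from OPSEC-level ones.
tcp_reachable() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Print a bounded probe command, one word per line, only if all checks pass.
# Arguments: ip port name sdn cdn cen kfp
build_probe() {
    check_port "$2"    || { echo "bad --port: $2" >&2; return 1; }
    check_dn "$4"      || { echo "bad --sdn: $4" >&2; return 1; }
    check_dn "$5"      || { echo "bad --cdn: $5" >&2; return 1; }
    check_keyfile "$7" || return 1
    printf '%s\n' /usr/sbin/NwCheckpointProcess --ip "$1" --name "$3" \
        --port "$2" --sdn "$4" --cdn "$5" --cen "$6" --kfp "$7" \
        --count 10 --time 120 --timeout 30
}
```

Calling tcp_reachable with the server IP and LEA port before the probe shows whether a failure is at the network layer or in the OPSEC settings (DNs, entity name, key file).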
If you are unsure of any of the steps above or experience any issues, contact NetWitness Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) and quote this article ID for further assistance.
Notes
The text below is an example of the NwCheckpointProcess --help output.
  --help            show help
  --debug           verbose output for Nw Checkpoint Process
  --odebug          verbose output for OPSEC LEA protocol
  --config arg      configuration file

Required:
  --name arg        checkpoint server name
  --ip arg          checkpoint server ip
  --port arg        server port
  --sdn arg         server distinguished name
                    obtained from the Checkpoint Management Console
                    For example:
                    cn=cp_mgmt,o=cpfw.cpfw.abc.net.ckbe7u
  --cdn arg         client distinguished name
                    this is obtained from the Checkpoint Management Console
                    For example:
                    CN=NEXTGEN1,O=cpfw.cpfw.abc.net.ckbe7u
  --cen arg         client entity name
                    obtained from the Checkpoint Management Console when
                    creating the client
  --kfp arg         key file path (obtained by using the utility
                    opsec_get_key

Optional:
  --audit           Read the audit records
  --online          Continue to read the next log file when the end of the
                    current one is reached
  --offline         Stop reading when the end of the current log file is
                    reached
  --timeout arg     Time period (seconds) in which if no events are
                    collected, the session is ended
  --count arg       Events to collect before ending the session
  --time arg        Time to collect (seconds) before ending the session
  --file arg        The file id to read from
  --log arg         The log file name to read from
  --record arg      The record to start reading from
  --start           Start reading from the start of the file
  --end             Start reading from the end of the file
  --showlogs        Show logs on checkpoint server
  --showfiles       Show files on checkpoint server
  --pretty          Format event output
  --forwarder       forwarding i.e. replace *deviceAddr with orig or
                    reverse lookup of orig_name if it exists
Product Details
Product Set: NetWitness Logs & Network
Product/Service Type: Log Collector
Version/Condition: 10.x, 11.x, 12.x