
How to start and stop capture or aggregation on an RSA NetWitness appliance using NwConsole

Issue

How to start and stop capture and aggregation on RSA NetWitness appliances using NwConsole.
How can I stop and start aggregation on my concentrator, archiver, or broker appliance from the command line?
What is the method for stopping and starting capture on my decoder or log decoder device from NwConsole?

Tasks

NwConsole is a utility for communicating with a core service as if you were using the UI or the explore view. It is a command-line alternative for executing commands.


Resolution

The following commands start and stop aggregation or capture on RSA NetWitness core appliances using NwConsole. They require you to know the passwords of the service-level users. These service-level users are listed on the View > Security tab of each core service.

| Task | Appliance | Command |
|---|---|---|
| Start Capture | Decoder | NwConsole -c login localhost:50004 -c send /decoder start |
| Start Capture | Log Decoder | NwConsole -c login localhost:50002 -c send /logdecoder start |
| Stop Capture | Decoder | NwConsole -c login localhost:50004 -c send /decoder stop |
| Stop Capture | Log Decoder | NwConsole -c login localhost:50002 -c send /logdecoder stop |
| Start Aggregation | Concentrator | NwConsole -c login localhost:50005 -c send /concentrator start |
| Start Aggregation | Broker | NwConsole -c login localhost:50003 -c send /broker start |
| Start Aggregation | Archiver | NwConsole -c login localhost:50008 -c send /archiver start |
| Stop Aggregation | Concentrator | NwConsole -c login localhost:50005 -c send /concentrator stop |
| Stop Aggregation | Broker | NwConsole -c login localhost:50003 -c send /broker stop |
| Stop Aggregation | Archiver | NwConsole -c login localhost:50008 -c send /archiver stop |
| Log Collection | Log Decoder | NwConsole -c login localhost:50001 -c send /logcollection/ start |
| Log Collection | Log Decoder | NwConsole -c login localhost:50001 -c send /logcollection/ stop |

If you are unsure of any of the commands above or experience any issues, contact RSA Support and quote this article ID for further assistance.


Internal Comments

UserName:shurtj
6/30/2014 9:21:00 PM - Corrected Syntax
Corrected syntax of commands.

Product Details

RSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Broker, Concentrator, Archiver, Log Decoder, Decoder
RSA Version/Condition: 10.6, 11.0, 11.1, 11.2, 11.3
Platform: CentOS 6, CentOS 7

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue