
What is NWFL in regards to RSA NetWitness NextGen 9.7?

Issue

What is NWFL in regards to RSA NetWitness NextGen?


Resolution

A. NWFL Basic concepts:

NWFL is a logdecoder that:

1) Captures various device logs on the management interface eth0 and the default syslog port 514; in this regard it is like a standard syslog server;

2) Uses the enVision parser, the related device parsers and the NWFL application rules to parse the captured logs and generate normalized log metas;

3) Sends the normalized log metas to the concentrator/broker, where the proper NWFL meta keys in index-concentrator|broker.xml index them for analysis by Investigator or Informer (with the proper NWFL tag resources downloaded).
 

There are 2 ways to send various device logs to the NWFL logdecoder:

1) Send device logs directly to the NWFL logdecoder at hostname|IP:514;

2) Send device logs to RSA enVision with the z-connector configured, and configure RSA enVision with the z-connector to send the collected logs to the NWFL logdecoder.

 

Configuration Of Syslog Clients

To have a client machine send syslog information to the NWFL logdecoder, modify /etc/syslog.conf.

1)  Add the following line (replace the placeholder with the log decoder's IP address):

*.*  @<NWFL logdecoder IP address>

This sends all syslog information to the log decoder.

Sending selected services to the log decoder

To forward only some facilities, modify /etc/syslog.conf with a narrower selector instead:

daemon,auth.info @<NWFL logdecoder IP address>

This sends daemon information and authorization information at the info level to the log decoder's syslog service.

2)  Restart the syslog server after making a change (as root):

#service syslogd restart
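As an added example (not part of the RSA article), a small POSIX shell helper that adds the forwarding line described above only once and rejects a malformed selector before touching the file; the configuration file path, selector and decoder address are parameters you supply, and the sysklogd "selector TAB @host" syntax is assumed as in the article.

```shell
#!/bin/sh
# Added example (not part of the RSA article): idempotently add a syslog.conf
# forwarding rule for the NWFL log decoder and check the selector syntax.
# Assumes classic sysklogd syntax "selector<TAB>@host" as shown in the article;
# restart syslogd afterwards ("service syslogd restart") as the article says.

# re_escape STRING -> STRING with '.' and '*' escaped for use in an ERE
re_escape() {
    printf '%s' "$1" | sed 's/[.*]/\\&/g'
}

# valid_selector SELECTOR -> 0 if it looks like "facility[,facility...].priority"
# (single selector only; ';'-joined compound selectors are not handled here)
valid_selector() {
    fac='(\*|auth|authpriv|cron|daemon|kern|lpr|mail|news|syslog|user|uucp|local[0-7])'
    pri='(\*|none|debug|info|notice|warning|warn|err|error|crit|alert|emerg|panic)'
    printf '%s\n' "$1" | grep -Eq "^${fac}(,${fac})*\.${pri}\$"
}

# add_forward CONF SELECTOR DECODER_IP
# Appends "SELECTOR<TAB>@DECODER_IP" to CONF unless that exact rule is already there.
# Returns 1 without touching the file if the selector is malformed.
add_forward() {
    conf=$1; sel=$2; dec=$3
    valid_selector "$sel" || return 1
    if grep -Eq "^$(re_escape "$sel")[[:space:]]+@$(re_escape "$dec")[[:space:]]*\$" "$conf" 2>/dev/null; then
        return 0   # already configured; nothing to do
    fi
    printf '%s\t@%s\n' "$sel" "$dec" >> "$conf"
}

# count_forwards CONF DECODER_IP -> number of active (uncommented) rules to that decoder
count_forwards() {
    grep -Ec "^[^#].*[[:space:]]@$(re_escape "$2")[[:space:]]*\$" "$1" 2>/dev/null || true
}
```

Typical use on the client is `add_forward /etc/syslog.conf '*.*' <decoder IP>` followed by the syslogd restart from step 2).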
 

The NWFL logdecoder uses the enVision parser and the related device parsers to parse captured logs and generate log metas; the NWFL application rules are then used to generate additional alert metas for the Informer's reports/charts/alerts.

When NWFL 9.7.5.x is installed properly on the NWFL logdecoder, a directory /etc/netwitness/9.0/envision/etc is created with the following files and sub-directories:

1) table-map.xml: this file maps enVision-generated metas to NetWitness-generated metas, e.g. the enVision meta 'dhost' is mapped to the NetWitness meta 'alias.host';

2) ecat.ini: this file maps event message categories (ecategory) to friendly names, e.g. 1401030000 maps to a meta called 'User.Activity.Failed Logins';

3) ipaddr.tab:

4) The devices directory and its device-specific sub-directories: these hold the device-dependent device parsers that the enVision parser uses to parse device-specific logs and generate uniform, normalized NetWitness metas.

For example, /etc/netwitness/9.0/envision/etc/devices/netwitness contains the netwitness.ini and netwitnessmsg.xml files, which define the device parser for parsing NetWitness (Informer only) related logs.

Note: the netwitness device parser does not parse NextGen logs.

In Administrator, the NWFL logdecoder has only one Network Adapter, log_events,Log Events, and it must be configured as such (i.e. the Adapter field cannot be blank). It captures log traffic on the management interface eth0, port 514.

As a result, the NWFL log decoder cannot use other capture interfaces to capture other types of traffic.

NWFL logdecoder service port is 50002; NWFL log decoder appliance service port is 50006. Corresponding REST service ports are 50102 and 50106.

B. NWFL Configuration Notes:

1) Check that the iptables firewall permits ports 50002, 50102, 50006, 50106 and the syslog port 514 on the INPUT chain;

2) Ensure the /etc/netwitness/9.0/envision/etc directory, the devices directory and the device-specific sub-directories and files are present on the NWFL log decoder;

3) Log in to the NWFL log decoder service on port 50002 in Administrator:

  1. under Adapters and Rules - Adapter, ensure the Adapter log_events,Log Events is selected;
  2. under Adapters and Rules - App Rules, ensure all NWFL application rules are present and enabled; if not, push them from the Live Manager client;
  3. under Decoder Settings - Application Parsers, ensure the enVision parser and the required metas are checked;
  4. under Decoder Settings - Device Parsers, ensure the required device parsers are checked;

4) Ensure the NWFL logdecoder is capturing and receiving log data.

5) Add the NWFL logdecoder to a concentrator:

  1. In the concentrator Files view, review the index-concentrator.xml file and ensure it contains the section introduced by the comment "These keys are specific to Panorama", with the NWFL meta keys defined; copy over index-concentrator.xml.rpm_new if needed;
  2. Ensure the concentrator is consuming from the NWFL log decoder;

6) One should now be able to log in to the concentrator as a remote collection in Investigator and see the log-related metas;

7) Finally, download the NWFL tag Informer resources from CMS to an Informer appliance, connect the Informer to the concentrator above, and generate the log-related reports/charts/alerts.
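As an added example (not part of the RSA article), a shell pre-flight check for items 1) and 2) of these notes: it reads "iptables -S INPUT" output and reports any of the five listed ports without an ACCEPT rule, and checks the enVision directory layout described in section A. The SAMPLE_RULES text is a constructed firewall dump for offline testing, and the live runner assumes the iptables command is available to root.

```shell
#!/bin/sh
# Added example (not part of the RSA article): pre-flight checks for items 1) and
# 2) of the configuration notes. Firewall rules are read from "iptables -S INPUT"
# output on stdin so the check can also run against a saved dump; the port list
# and the enVision directory layout are the ones the article names.

NWFL_PORTS="50002 50102 50006 50106 514"
ENVISION_ETC=/etc/netwitness/9.0/envision/etc

# Constructed sample of "iptables -S INPUT" output for offline testing (not from a real host):
# 50006 is present but DROPped and 50106 is absent, so both should be reported.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 50002,50102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50006 -j DROP'

# missing_ports < rules : prints each required port that has no ACCEPT rule on INPUT
missing_ports() {
    rules=$(cat)
    for p in $NWFL_PORTS; do
        # Accept either "--dport 514" or a multiport list such as "--dports 50002,50102".
        printf '%s\n' "$rules" \
          | grep -E '^-A INPUT .*-j ACCEPT' \
          | grep -Eq -- "--dports?[[:space:]]+([0-9]+,)*${p}(,[0-9]+)*([[:space:]]|\$)" \
          || printf '%s\n' "$p"
    done
}

# check_envision_layout BASE : prints each expected entry missing under BASE
check_envision_layout() {
    for f in table-map.xml ecat.ini ipaddr.tab devices devices/netwitness; do
        [ -e "$1/$f" ] || printf '%s\n' "$f"
    done
}

# Live run (needs root for iptables); returns non-zero if anything is missing.
nwfl_preflight() {
    fw=$(iptables -S INPUT 2>/dev/null | missing_ports)
    fs=$(check_envision_layout "$ENVISION_ETC")
    [ -n "$fw" ] && printf 'INPUT chain lacks ACCEPT for port(s): %s\n' "$fw"
    [ -n "$fs" ] && printf 'Missing under %s: %s\n' "$ENVISION_ETC" "$fs"
    [ -z "$fw$fs" ]
}
```

On the log decoder itself, `nwfl_preflight` performs both checks; `printf '%s\n' "$SAMPLE_RULES" | missing_ports` shows the expected output against the constructed dump.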


Internal Comments

UserName:bairoa1
6/18/2012 5:18:26 PM - Solution Number 00000609
Solution Number 00000609

UserName:shurtj
8/21/2014 1:10:41 PM - Updated Article
Updated article and made changes to abide by Primus best practices.

Product Details

RSA Product Set: NetWitness NextGen
RSA Product/Service Type: NetWitness Log Decoder
RSA Version/Condition: 9.7
