Leonard Chvilicek

How To Replay Logs in RSA NetWitness

Blog Post created by Leonard Chvilicek Employee on Mar 28, 2018

NwLogPlayer is a log replay utility that is available for RSA NetWitness Logs. It reads a log event text file that you have created by exporting the logs from Investigation. The first question that comes to mind is "Why would I want to do that?" There are three typical reasons why I use it. First, when you are developing ESA rules and you need a specific set of crafted events to reproduce the conditions for your alert. Second, when you are developing a custom parser for those "unknown" device types. Third, when you have a lab or development system that does not have an event source, or does not have the event source that you need. I actually prefer to do my development work on an isolated lab/development system that has no log sources other than what I replay. This way I can accurately track my replayed events against my parsed events, so 100 replayed events should equal 100 parsed events.


To use the utility, all you need to do is install it on the system that you want to run it from. This can be any system in the NetWitness Logs stack. I typically use the Log Decoder, as it is the system I am working with the most. If the total size of the log sample files is not very large (less than 100M total), I just create a "/root/logsamples" directory and put them there, then delete them when I am finished. If I am working with large log sample files, I create a "/var/netwitness/warehouseconnector/logsamples" directory instead, as the warehouseconnector directory is not typically used on most Log Decoders unless you are exporting data to a Hadoop environment.


Installation

NetWitness 10.x

To Install NwLogPlayer:

  1. SSH into the system you wish to run it from (typically a Log Decoder or Main Broker)
  2. Type "yum install nwlogplayer"
  3. Type "y" to install
  4. Press "Enter"


NetWitness 11.x

To Install NwLogPlayer:

  1. SSH into the system you wish to run it from (typically a Log Decoder or Main Broker)
  2. Type "yum install rsa-nw-logplayer"
  3. Type "y" to install
  4. Press "Enter"


To use NwLogPlayer:

  1. Upload your log sample text files to your sample directory on the system where you installed NwLogPlayer
  2. SSH into the system where you installed NwLogPlayer
  3. Type "NwLogPlayer --file <Your Sample Log Text file> --server <Log Decoder IP or FQDN>"


Examples

Target and Destination:

Path = "/root/logsamples"
Log Sample File = "ESA-Alert-Firing-Sample.txt"
Virtual Log Collector = "VLC60.local"

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local

The above example sends the logs to the destination with the device IP set to the system you ran the command from.

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --ip 10.1.1.1 -r4

The above example sends the logs to the destination with the device IP of 10.1.1.1.

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --rate 100 --ip 10.1.1.1 -r4

The above example sends the logs to the destination with the device IP of 10.1.1.1 at a rate of 100 EPS.
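As an added example (it is not part of the original post and not code from the NwLogPlayer tool), the following shell script stages a constructed three-event sample file, counts the events in it so the replayed total is known before the run, and builds the same command shape as the third example above. The sample directory is a temporary directory rather than /root/logsamples, the sample content and host names are made up, and VLC60.local, 10.1.1.1 and the rate of 100 are simply reused from the examples.

```shell
#!/bin/sh
# Added example, not code from the original post. It stages a constructed sample
# file, records how many events it contains, and builds the same NwLogPlayer
# command shape as the post's third example so the replayed count can be compared
# with the parsed count afterwards. Assumptions: the sample directory is a temp
# dir instead of /root/logsamples; VLC60.local and 10.1.1.1 are the post's values.

SAMPLE_DIR="${SAMPLE_DIR:-$(mktemp -d)}"
SAMPLE_FILE="$SAMPLE_DIR/ESA-Alert-Firing-Sample.txt"
DEST="VLC60.local"      # destination from the post's examples
DEVICE_IP="10.1.1.1"    # simulated device IP from the post's examples
RATE=100                # events per second from the post's examples

# Write a constructed three-event sample (fake host, fake source address).
write_sample() {
    cat > "$SAMPLE_FILE" <<'EOF'
Mar 28 10:00:01 labhost sshd[1001]: Failed password for invalid user test from 192.0.2.10 port 51001 ssh2
Mar 28 10:00:02 labhost sshd[1001]: Failed password for invalid user test from 192.0.2.10 port 51002 ssh2
Mar 28 10:00:03 labhost sshd[1001]: Failed password for invalid user test from 192.0.2.10 port 51003 ssh2
EOF
}

# Number of non-empty lines = number of events the replay should produce.
count_events() {
    grep -c . "$1"
}

# Build the replay command string: file, server, rate, simulated device IP, envision mode.
build_replay_cmd() {
    printf 'NwLogPlayer --file %s --server %s --rate %s --ip %s -r4' "$1" "$2" "$3" "$4"
}

# Run the replay only when the utility is installed; otherwise show the command.
replay_sample() {
    if command -v NwLogPlayer >/dev/null 2>&1; then
        NwLogPlayer --file "$SAMPLE_FILE" --server "$DEST" --rate "$RATE" --ip "$DEVICE_IP" -r4
    else
        echo "NwLogPlayer not installed here; the command to run on the Log Decoder is:"
        build_replay_cmd "$SAMPLE_FILE" "$DEST" "$RATE" "$DEVICE_IP"
        echo
    fi
}

write_sample
echo "events staged for replay: $(count_events "$SAMPLE_FILE")"
replay_sample
```

After the replay, compare the staged count with the number of events the Log Decoder shows for device IP 10.1.1.1 in Investigation. On an isolated lab system with no other log sources the two numbers should match, which is the check the post relies on; a shortfall then points at the parser or rule under development rather than at unrelated traffic.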


NwLogPlayer command line syntax:
  --priority arg                    set log priority value
  -h [ --help ]                     show this message
  -f [ --file ] arg (=stdin)        input file
  -d [ --dir ] arg                  input directory
  -s [ --server ] arg (=localhost)  remote server
  -p [ --port ] arg (=514)          remote port
  -r [ --raw ] arg (=0)             Determines raw mode. 1 = file contents will be copied line by line to the server. 0 = add priority mark. 3 = auto detect. 4 = envision stream. 5 = binary object. 6 = protobuf stream
  -m [ --memory ] arg               Speed test mode. Reads up to arg MB of messages from the file contents and replays them.
  --rate arg                        Number of events per second. No effect if rate > the EPS the program can achieve in continuous mode
  --maxcnt arg                      max number of messages to be sent
  -c [ --multiconn ]                multiple connections
  -t [ --time ] arg                 simulate time stamp. Format as yyyy-m-d-hh:mm:ss
  -v [ --verbose ]                  verbose output
  --ip arg                          simulate ip tag
  --devicetype arg                  simulate device type. Applies only to envision headers (raw=4).
  --cid arg                         simulate collector id. Applies only to envision headers (raw=4). (NetWitness 11.x versions)
  --ssl                             connect with SSL
  --certdir arg                     OpenSSL certificate authority directory
  --clientcert arg                  use this PEM-encoded SSL client certificate
  --clientkey arg                   use this PEM-encoded private key file. If not specified the clientcert path is used.
  --udp                             send in udp
  -g [ --gzip ]                     treat input stream as compressed gzip
  --version                         output the version of this program

Outcomes