NwLogPlayer is a log replay utility available for RSA NetWitness Logs. It reads a text file of log events, such as one you have created by exporting logs from Investigation, and sends them to a Log Decoder or Log Collector. The first question that comes to mind is "Why would I want to do that?" There are three typical reasons why I use it. First, when you are developing ESA rules and need a specific set of crafted events to reproduce the conditions for your alert. Second, when you are developing a custom parser for one of those "unknown" device types. Third, when you have a lab or development system that has no event source at all, or not the event source that you need. I actually prefer to do my development work on an isolated lab/development system that has no log sources other than what I replay. That way I can accurately compare my replayed events against my parsed events: 100 replayed events should equal 100 parsed events.
To use the utility, install it on the system you want to run it from; this can be any system in the NetWitness Logs stack. I typically use the Log Decoder, as it is the system I am working with the most. If the log sample files are small (less than 100 MB in total), I just create a "/root/logsamples" directory, put them there, and delete them when I am finished. If I am working with large sample files, I create a "/var/netwitness/warehouseconnector/logsamples" directory, since the warehouseconnector volume is not typically used on most Log Decoders unless you are exporting data to a Hadoop environment.
Installation
NetWitness 10.x
To Install NwLogPlayer:
- SSH into the system you wish to run it from (typically a Log Decoder or main Broker)
- Type "yum install nwlogplayer"
- Type "y" to install
- Press "Enter"
NetWitness 11.x
To Install NwLogPlayer:
- SSH into the system you wish to run it from (typically a Log Decoder or main Broker)
- Type "yum install rsa-nw-logplayer"
- Type "y" to install
- Press "Enter"
To use NwLogPlayer:
- Upload your log sample text files to the sample directory on the system where you installed NwLogPlayer
- SSH into the system where you installed NwLogPlayer
- Type "NwLogPlayer --file <Your Sample Log Text file> --server <Log Decoder IP or FQDN>"
Examples
Target and Destination:
Path = "/root/logsamples"
Log Sample File = "ESA-Alert-Firing-Sample.txt"
Virtual Log Collector = "VLC60.local"
NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local
The above example sends the logs to the destination with the device IP set to that of the system you ran the command from.
NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --ip 10.1.1.1 -r4
The above example sends the logs to the destination with the device IP set to 10.1.1.1.
NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --rate 100 --ip 10.1.1.1 -r4
The above example sends the logs to the destination with the device IP set to 10.1.1.1, at a rate of 100 events per second (EPS).
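The "100 replayed events should equal 100 parsed events" check only works if you record how many events each replay actually sent and when. The following wrapper is an added example, not code from the original post or from RSA: it counts the events in a sample file, builds the NwLogPlayer command line with the same flags used in the examples above, runs it, and appends an audit line you can compare against the event count in Investigation for that time window. It assumes NwLogPlayer is on the PATH and accepts --file, --server, --ip, --rate and -r4 exactly as shown above, that a sample file holds one event per line, and that REPLAY_LOG, DRY_RUN and the sample log lines below are this script's own inventions.

```shell
#!/bin/sh
# Added example (not from the original post or RSA): audit wrapper for NwLogPlayer.
# Assumptions: NwLogPlayer is on PATH with the flags used in the post; one event
# per line in the sample file. REPLAY_LOG and DRY_RUN are this script's own
# variables, not NwLogPlayer options.

REPLAY_LOG=${REPLAY_LOG:-/root/logsamples/replay.log}

# Number of events a file will replay: one per non-empty line.
count_events() {
    grep -c . "$1"
}

# Build the NwLogPlayer command line.
# $1 sample file, $2 Log Decoder/VLC, $3 device IP (optional), $4 rate in EPS (optional).
# --ip is paired with -r4 as in the examples above.
build_cmd() {
    cmd="NwLogPlayer --file $1 --server $2"
    [ -n "$3" ] && cmd="$cmd --ip $3 -r4"
    [ -n "$4" ] && cmd="$cmd --rate $4"
    printf '%s' "$cmd"
}

# Replay one file, append "file expected=N start=... end=..." to REPLAY_LOG,
# and print the expected event count. With DRY_RUN set, the command is shown
# on stderr instead of being executed.
replay() {
    expected=$(count_events "$1")
    cmd=$(build_cmd "$1" "$2" "$3" "$4")
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ -n "$DRY_RUN" ]; then
        printf 'DRY RUN: %s\n' "$cmd" >&2
    else
        sh -c "$cmd" || { echo "replay failed: $1" >&2; return 1; }
    fi
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s expected=%s start=%s end=%s\n' "$1" "$expected" "$start" "$end" >> "$REPLAY_LOG"
    printf '%s\n' "$expected"
}

# Constructed sample (not a real device export): three events and a blank line
# that must not be counted.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Jan 10 10:00:01 host1 sshd[100]: Failed password for root from 10.1.1.1
Jan 10 10:00:02 host1 sshd[100]: Failed password for root from 10.1.1.1

Jan 10 10:00:03 host1 sshd[100]: Accepted password for root from 10.1.1.1
EOF

# Offline demo: DRY_RUN so this runs where NwLogPlayer is not installed.
REPLAY_LOG=$(mktemp)
DRY_RUN=1
replay "$SAMPLE" VLC60.local 10.1.1.1 100
cat "$REPLAY_LOG"
```

Unset DRY_RUN and point REPLAY_LOG at your sample directory to use it for real; the start/end timestamps in the audit line give you the window to filter on in Investigation, and the expected count is what the parsed event count should match.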
NwLogPlayer command line syntax:
Hi Leo,
I am sure this will be helpful to end users. I just want to add that oftentimes you want to replay logs as a certain IP address so that you can easily look for it in the Investigation screen. We had this question from a customer very recently:
NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --ip 1.1.1.1 --r 4
Here the flag r=4 will make the decoder interpret the log with a relay header, and it will take ip=1.1.1.1 as the device.ip, while the actual IP of the machine will go into forward.ip.