|Applies To||RSA Product Set: RSA NetWitness Platform, RSA NetWitness Logs & Network, NetWitness Logs and Packets, Security Analytics, NetWitness NextGen (Legacy)|
RSA Product/Service Type: Head Unit / NetWitness Server, Network/Packet Decoder, Log Decoder, Log Collector, Concentrator, Broker, Network/Packet Hybrid, Log Hybrid, SA All-in-One, Archiver, Event Stream Analysis (ESA), Malware Analysis (MA), NetWitness NextGen (Legacy), UEBA, Warehouse, Warehouse Connector
RSA Version/Condition: 9.8, 10.1, 10.2, 10.3.x, 10.4.x, 10.5.x, 10.6.x, 11.x
O/S Version: 5, 6, 7
|Resolution||Current Script Version: 2019.09.27|
- Download the latest nwtech.sh script version linked in this solution. Do not open it in a text editor and save as this may corrupt the script. (Refer to the knowledge base article Error message '/bin/bash^M: bad interpreter: No such file or directory' when running an RSA NetWitness script for additional information.)
- Using an scp utility (e.g. Winscp, scp, pscp etc.), transfer the script to your NetWitness host's /root directory.
PLEASE COPY THIS FILE TO YOUR APPLIANCE USING SCP RATHER THAN USING A WINDOWS TEXT EDITOR, AS SOME WINDOWS TEXT EDITORS DO NOT HANDLE UNIX LF'S CORRECTLY, THUS UNEXPECTED RESULTS COULD OCCUR.
- To display help for the script, execute "./nwtech.sh -h".
- Change permissions on the file to make it executable by running from an ssh session "chmod +x nwtech.sh"
- Execute the script by running "./nwtech.sh -p" or "./nwtech.sh username password". The "-p" option will prompt you for username and password. Providing the credentials on the command line is less secure but if your password contains certain special characters you may have to run the script this way and enclose the password in 'single quotes'. The correct credentials for your appliance services, i.e. the Decoder, Concentrator, or Broker credentials you would enter in Administrator, and not your operating system credentials, i.e. not what you use to login via SSH. Unless -i is selected, the script may terminate if a service login failure occurs.
Note: The script will generate an output file called 'nwtech-<dateandtime>.tar.bz2' - the complete filename will be listed at the end of the script's output.
- scp the output file back to your PC and either attach it to your open NetWitness support case or upload to a secure FTP site such as How to upload files onto the RSA Secure FTP (SFTP) site for review by Customer Support .
- The 3 most commonly used options are:
./nwtech.sh username password
Usage: ./nwtech.sh username password [-s] [-ss] [-i] [-a] [-k] [-b] [-e]
Usage: ./nwtech.sh -p [-s] [-ss] [-i] [-a] [-k] [-b] [-e]
Usage: ./nwtech.sh -d [-k] [-b] [-e]
* Passwords supplied from command line containing certain special characters like # may need to be placed within 'single quotes' e.g. 'pass#word'
* It may also be necessary to upgrade to at least NextGen 126.96.36.199/188.8.131.52 due to a defect in handling passwords containing special characters.
* Special characters include: " # $ & ( ) * ' \ ` ~
* Passwords may not contain certain characters such as space & -
* There is a 17 character password limit.
-p Prompt for service credentials separately instead of entering username & password via command line. This MUST be specified as the first parameter.
-d Only run disk commands. Do nothing else. This MUST be specified as the first parameter. Do not enter a username and password on the command line.
-s Login to services using SSL. Use this option if your services have SSL enabled.
-ss Prompt for SSL separately for each service. Use this if not all services have SSL enabled.
-n If NetWitness 11.x, don't include sosreport.
-i Ignore failed login attempts and continue. Note: If a service login fails then the output file will NOT contain service exports such as service logfiles and service stats.
-a Grab ALL /var/log/messages* files, not just active logfile and don't truncate service logs.
-k Keep script output beneath current directory and do not compress. Cannot be used with -b or -e switches
-b Use bz2 compression if '7za' command is present (7zip compression is default if '7za' is installed).
-e Encrypt payload using RSA NetWitness Support PGP public key (firstname.lastname@example.org). You may be prompted to add the key to your GPG keyring. The unencrypted output file will not be deleted. Cannot be used with -k.
Please see changelog file referenced in notes for further details.
For RSA NetWitness 11.x you can also use sosreport to collect evidence - see KB #000036657 - Running SOS on RSA NetWitness Version 11.x
|Notes||You may submit files larger than 25MB by referring to the knowledge base article RSA NetWitness Technical Support script (nwtech.sh) output is too large to upload to a Salesforce case.|
For versions >= 10.4.x and if the -p parameter is used, once successful authentication is achieved using one of the following important services then the rest of the services will attempt to authenticate using the puppet trust model.
The services considered important are:
- Log Decoder
- Log Collector
Click here to download the latest version of the nwtech.sh script.
Click here to view the Changelog for the nwtech.sh script.
Click here to download the curl-7.18.1-1.fc9.x86_64.rpm package for Fedora Core 9.