This Splunk app will connect to NetWitness devices via the REST API. It will poll the NetWitness device(s) regularly to collect device stats.
The following Splunk search will provide any relevant error logs for this app:
index=_* nwadmin.py sourcetype="splunkd"
Make sure the REST interface is enabled on your RSA Netwitness device.
NOTE: In versions prior to 0.7, SSL access to the REST interface requires the use of a hack.
Please see http://splunk-base.splunk.com/answers/40255/does-splunk-for-netwitness-support-ssl-access-to-the-rest-api for more details.
To troubleshoot connections to your RSA NetWitness device, you can use any browser.
The configuration of the log portion of this app is based on Splunk's native configuration settings. There's an example below, but it won't necessarily apply to all environments. The only mandatory setting is "sourcetype=netwitness_log". For more details, see the How-to PDF included with the app.
# [monitor:///var/log/netwitness.log]
# sourcetype = netwitness_log
Make sure you place the device configuration in $APP_HOME/local/nwadmin.conf so that it is not overwritten during app upgrades:
# [<unique reference used for logging of app messages>]
# protocol=(http|https)
# server=<ip/hostname of device>
# port=<device port>
# type=(appliance|broker|concentrator|decoder)
# username=<username>
# password=<password>
You can have as many of these instances as needed, normally two per device (appliance + service), as in the example below:
[decoder-12]
protocol=http
server=192.168.1.12
port=50104
type=decoder
username=admin
password=netwitness
[appliance-12]
protocol=http
server=192.168.1.12
port=50106
type=appliance
username=admin
password=netwitness
For more examples see nwadmin.conf in $APP_HOME/default/
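A pre-deployment check for the stanza format above, added here as an example (it is not part of the app): it flags missing keys, values outside the documented options, protocol=http, and passwords copied from this README. It assumes nwadmin.conf parses as standard INI; the name lint_nwadmin and the broker-20 stanza with its hostname and credentials are constructed for illustration.

```python
import configparser

REQUIRED = ("protocol", "server", "port", "type", "username", "password")
TYPES = {"appliance", "broker", "concentrator", "decoder"}
SAMPLE_PASSWORDS = {"netwitness", "<password>"}  # values printed in this README

# Constructed sample: decoder-12 is the README example, broker-20 is made up.
SAMPLE = """\
[decoder-12]
protocol=http
server=192.168.1.12
port=50104
type=decoder
username=admin
password=netwitness

[broker-20]
protocol=https
server=nw-broker.example.internal
port=50103
type=broker
username=svc_splunk
password=constructed-Long-Passphrase-1
"""

def lint_nwadmin(text):
    """Return a list of (stanza, finding) tuples for nwadmin.conf text."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in passwords is literal
    cp.read_string(text)  # raises on duplicate stanza names (they must be unique)
    findings = []
    for name in cp.sections():
        s = cp[name]
        for key in REQUIRED:
            if not s.get(key, "").strip():
                findings.append((name, f"missing {key}"))
        proto = s.get("protocol", "").strip().lower()
        if proto == "http":
            findings.append((name, "protocol=http: REST session is unencrypted"))
        elif proto and proto != "https":
            findings.append((name, f"invalid protocol {proto!r}"))
        kind = s.get("type", "").strip()
        if kind and kind not in TYPES:
            findings.append((name, f"invalid type {kind!r}"))
        port = s.get("port", "").strip()
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append((name, f"invalid port {port!r}"))
        if s.get("password", "").strip() in SAMPLE_PASSWORDS:
            findings.append((name, "password is a README sample value"))
    return findings
```

Run it against the contents of $APP_HOME/local/nwadmin.conf before restarting Splunk; an empty list means no findings.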