Screenshots:
Status information - Collection Metrics
Status information - Sessions over time
New App:
This app pulls all sessions from the NetWitness device. If you are looking for an app that only pulls sessions matching a query, please look at the app ****
Windows Users:
- Please make sure you change the LAST_SID_FILE path, or the application will fail.
ISSUE: SSL not working out of the box
- Summary: Python's default urllib2 and SSL libraries used by the app are hard-coded to negotiate only SSLv23 with servers; however, to be FIPS compliant, the NW services accept only TLS connections.
- Full Details/Discussion:
Changes worthy of note:
For all other changes see the CHANGELOG
- Added info to all events: every event will now contain the field rest_host=[rest_host]
- [rest_host] is extracted from TOP_URL_LEVEL as the text between "://" and the following ":"
- Works best in conjunction with the multiple config file feature, as it identifies the device from which the meta is collected
- Allow the user to pass the 'nwsdk' configuration file name as an argument, so that multiple instances of data collection can run with different settings
- This lets users define multiple inputs in inputs.conf, each selecting a different configuration file; in larger environments it can be used to connect to concentrators directly where brokers aren't available or can't be used
- If none is specified, 'nwsdk.conf' is used by default; otherwise specify only the name and omit the extension. The file must be a .conf file under ../local/
- Not fully documented in the README yet; please e-mail me if you think you need it and I will assist.
- Using summary indexing for Dashboards
- Created Saved Searches to Support summary index based dashboards
- Changed APP dashboard to show "Skipped" sessions instead of duplicates (these are mostly false positives)
Contents:
Views (shared globally):
- Splunk for NetWitness App Status (errors, duplicate sessions, etc.)
- HTTP traffic statistics based on NetWitness data
- SMTP traffic statistics based on NetWitness data
- DNS traffic statistics based on NetWitness data
- All (services) traffic statistics based on NetWitness data
- OTHER service traffic statistics based on NetWitness data
- Forensic Fingerprint statistics based on NetWitness data
Lookup added (shared globally):
- Lookup for service number to name conversion
- Usage: | lookup lookup_service service OUTPUT service_alias as service_alias
Older versions:
Major changes include:
- BUG FIX: Made the trailing "/" in the rest_host extraction optional; the app would crash if the trailing "/" was missing (user-reported issue)
- BUG FIX: Added "&expiry=0" to all queries to fix possible HTTP timeouts (user-reported issue)
- BUG FIX: Changes in NetWitness 9.8 (and other late releases) break the script. MAC addresses are no longer returned as integers but as strings; the script was expecting an int and not doing proper error checking. It should now handle both cases.
- You can check whether you are affected with the following search:
index=_* nwsdk.py sourcetype="splunkd" "int()"
- BUG FIX: Check the last session id processed on each batch to make sure it is as expected; if not, force a correction (this can cause some data loss)
- BUG FIX: Changed TRUNCATE to 0 in props.conf, as some lines are longer than 10000 (the default TRUNCATE limit) and were being broken incorrectly
- BUG FIX: Converted all meta field names to lower case to avoid problems with timestamp parsing
- BUG FIX: Processing stats were calculated incorrectly for the initial run (when LAST_SID_FILE is missing)
- Added code to read in custom/additional mappings from nwsdk.conf under [mappings] section (based on customer feedback)
- BUG FIX: When reading "NO_SID_FILE_OPTION" from nwsdk.conf it wasn't being properly converted to an integer
- BUG FIX: SMTP view wasn't parsing attachment names correctly when these contained spaces
- BUG FIX: SessionIDs were being sorted as strings instead of integers, causing data duplication
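As an added example (not the app's own code; Python because nwsdk.py is a Python script), the two session-id fixes above: numeric rather than lexical ordering of session IDs, and a per-batch check of the last SID processed. process_batch and run_batches are hypothetical stand-ins for the collector's logic, and resetting the stored pointer to the batch maximum when the device returns nothing above it is an assumed reading of "force correction".

```python
def sort_session_ids(ids):
    """Order session IDs numerically. NetWitness returns them as strings, and
    a lexical sort puts '1000' before '999', so a batch would 'end' at 999 and
    the next query (id > 999) would return 1000 again: duplicated events."""
    return sorted(ids, key=int)


def process_batch(ids, last_sid):
    """Process one batch of session IDs fetched with 'id > last_sid'.

    Returns (to_index, new_last_sid, skipped, corrected):
      to_index  - numeric IDs not yet indexed, ascending
      skipped   - IDs at or below last_sid, already indexed (the "Skipped"
                  count on the app dashboard rather than duplicates)
      corrected - True when the stored pointer was ahead of everything the
                  device returned and was forced back to the batch maximum
                  (assumed reading of "force correction"; can lose data)
    """
    ordered = [int(s) for s in sort_session_ids(ids)]
    to_index = [s for s in ordered if s > last_sid]
    skipped = len(ordered) - len(to_index)
    if to_index:
        return to_index, to_index[-1], skipped, False
    if ordered and ordered[-1] < last_sid:
        # Every returned session is below the stored pointer, so the pointer
        # (LAST_SID_FILE) is wrong; reset it rather than stall forever.
        return [], ordered[-1], skipped, True
    return [], last_sid, skipped, False


def run_batches(batches, last_sid=0):
    """Feed successive batches through process_batch, as the collector does
    across runs. last_sid=0 is the initial run with no LAST_SID_FILE yet."""
    indexed, total_skipped, corrections = [], 0, 0
    for batch in batches:
        new, last_sid, skipped, corrected = process_batch(batch, last_sid)
        indexed.extend(new)
        total_skipped += skipped
        corrections += int(corrected)
    return indexed, last_sid, total_skipped, corrections
```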