NetWitness Community

MohdSaadKhan · ‎2016-03-17

I have created a feed for the department but it is getting populated under my custom meta, the csv file is in format :

can anyone tell is it right or wrong and if it is wrong then what is right format.

jeffshurtliff · ‎2016-03-19

Hi Mohd,

It sounds like you may need to add or modify the dept.src meta in the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator that is consuming from your Decoder. Take a look at KB article 000026955 for more information about doing this.

Thanks,

Jeff Shurtliff, CISSP

Sr Social Engagement Manager

RSA, The Security Division of EMC

View solution in original post

Anonymous · ‎2016-03-17

What do you mean it is populated under your custom meta? The format should be fine as you get to define where the custom feeds go.

If you are doing source ip and dest IP, you will need two custom feeds. Then set column one as the index on ip.src or ip.dst and inject the 2nd column to whatever meta you want.

MohdSaadKhan · ‎2016-03-18

I have uploaded feed ip with its department and department under meta dept.src(custom meta). But while investigating the particular ip I am not getting any value in dept.src meta. It is showing: dept.src(Not Indexed)

jeffshurtliff · ‎2016-03-19

Hi Mohd,

It sounds like you may need to add or modify the dept.src meta in the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator that is consuming from your Decoder. Take a look at KB article 000026955 for more information about doing this.

Thanks,

Jeff Shurtliff, CISSP

Sr Social Engagement Manager

RSA, The Security Division of EMC

MohdSaadKhan · ‎2016-03-19

Thanks Jeff for sharing the link for the document of feed. I successfully created all feeds and they are working.

MohdSaadKhan · ‎2016-03-19

Hi

I am just stucked into another issue related to feed i.e.

As I want to map device.ip to its department but it is mapped to ip.src and ip.dst.

How can I change this as on above field at feed.callbacks I am unable to change this value

MohdSaadKhan · ‎2016-03-21

Do any one have idea on this?

MohdSaadKhan · ‎2016-03-22

I have resolved this case by taking Non ip in the feed upload and selected desired callback meta.

Thanks All

Juliensinson1 · ‎2016-03-31

Hello Mohd, jeff,

Sorry she's resolved but i'm interested by your discussion.

I try to create a feed with CIDR type index column and the "device ip" on meta callback but she does not work.

Only "ip.src" and "ip.dst" work with a CIDR feed...

how did you do it Mohd ? You are realy take a Non IP type in your feed configuration and it work with CIDR information in your CSV ?

May be is my xml file or a bad practice ? I try 2 xml with <MetaCallback> but nothing. What do you think, Can you help me please ?

- My meta is in "index-concentrator-cutom"

- My XML and my CSV File :

or i try like that :

- My CSV :

- I have restart the nwconcentrator service but nothing :

MohdSaadKhan · ‎2016-04-01

Hi Julien,

The link given by jeff was enough to get the custom meta in the SA environment. You can check that link for the changes @ decoder, concentrator and broker respectively followed by restarting the services.

Secondly I haven't use CIDR notation in the CSV so I am not sure about that but can try it. Also I haven't used the CSV format which you are using. I have used this without any comma and all(created in excel and saved it as .csv) like below;

I will try in my practice setup about CIDR in non ip and will inform you accordingly.

NetWitness Community

csv format for feed?