This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

customize feed ip address only reference to ip.src or ip.dst

Go to solution
huanzhou1
Beginner
Beginner

‎2014-01-20 10:45 AM

we're using SA for log, we identified a few devices(device.ip meta) which we want to use feed, tried to create the feed using csv (without xml definition), but there is no values, checked the documents, seems it can only reference to ip.src or ip.dst? how to make it refrence to device.ip?

 

Or is there any steps missing?

 

Below is the sample csv:

192.168.0.1,firewall1

192.168.0.2,firewall2

192.168.0.3,firewall3

 

Thank you.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
huanzhou1
Beginner
Beginner

‎2014-01-20 11:34 AM

i got it work by using call back device.ip, so it's correct the ip address only index for ip.src and ip.dst.

View solution in original post

0 Likes
4 REPLIES 4

Go to solution
huanzhou1
Beginner
Beginner

‎2014-01-20 11:34 AM

i got it work by using call back device.ip, so it's correct the ip address only index for ip.src and ip.dst.

0 Likes

Go to solution
Anonymous
Not applicable
In response to huanzhou1

‎2014-02-04 02:34 PM

Awesome, I was looking for something exactly like this.  Essentially making a /etc/hosts file out of a feed.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-06-17 04:30 AM

this is interesting but I did not get how this can be achieved.

i wonder how to perform the "call back device.ip" on the custom feed?

0 Likes

Go to solution
Juliensinson1
Beginner
Beginner

‎2016-04-05 05:42 AM

Hello,

 

I try to create a custom feeds with metacallback for tell device.ip but i can't do it.

 

You can tell me how are you doing for that please ? Because my CSV and xml don't work and i don't find the reason

 

i post this question on forum How create a custom feed with "device.ip" (MetaCallback) but i explain the case :

 

My custom meta work with another feed. But Only meta "ip.src" or "ip.dst" is considerate for the indexation with a feed on CIDR. I read in forum or RSA documentation that custom xml with "metacallback" attribut allows to select another meta for indexing, but I can't ...

 

May be is my xml file or a bad practice ? I try 2 xml with <MetaCallback> but nothing. What do you think, Can you help me please ?

 

- My meta is in "index-concentrator-cutom"

pastedImage_2.png

- My XML and my CSV File :

pastedImage_3.png

or i try like that :

pastedImage_4.png

- My CSV :

pastedImage_5.png

 

- I have restart the nwconcentrator service but nothing :

pastedImage_6.png

 

thank for your read

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.