NetWitness Community

can you find any document from internal?

I don't have any, I don't work for  EMC/RSA

Just sharing my experience on SA/Envision. I gave quite a full overview of the process - just restart the decoder services after you upload the files. Also there's a document about ESI on SCOL.

Only has document on ESI, not on how to integrate with SA.

Also for SA, only documents is docs.netwitness.com which is very limited.

Yes, I know - can't do nothing about that.

So you should make event source package using ESU and docs from SCOL. After that you can deploy the xml and ini (located in your package e.g. yourdevice\update_content\etc\devices\yourdevice) file on log decoder:

1) Copy ini and xml from event source package to newly created folder in /etc/netwitness/ng/envision/etc/devices on SA log decoder

2) Make sure you used content 2.0 and have your new file's names in lowercase

3) Restart decoder services

That's it

Yes,i got it.

I manually modified the xml file, now it shows as parser.

How can ESI do below step?

----------------------------

2) the parser content should be 2.0

-----------------------------------

You should apply ESU (event source update) - client side to get the 2.0 tables in ESI. The ESU docs have the list of 2.0 tables.

You will get SA meta only for 2.0 tables.

Thanks a lot. Downloading now. Will try out.

The result xml(testing.xml) is not v20, i checked /etc/netwitness/ng/envision/etc/devices/aix, the xml file name is v20_pixmsg.xml, how to make it v20?