This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

meta key not populated

Go to solution
Anonymous
Not applicable

‎2014-04-30 01:23 PM

Hi every one,

 

i have just integrated mcafee gateway with SA and i am able to see logs on SA but issue is that i am not getting meta key related to site visited by users while i am able to see that site related information in raw logs, is there any way to populate that meta key ?

attaching log file, kindly provide solution if anyone have any idea related to this.@ patriot_3w

Preview file
74 KB
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
huanzhou1
Beginner
Beginner
In response to LeeKirkpatrick

‎2014-05-02 04:47 AM

You're correct.

 

Try below:

 

Change flags /etc/netwitness/ng/envision/etc/table-map.xml

        <mapping envisionName="url" nwName="url" flags="None" envisionDisplayName="URL"/>

 

Add        <key description="URL Links" format="Text" level="IndexValues" name="url" valueMax="500000" /> to index-concentrator-custom.xml

 

Then restart concentrator and jettysrv.

 

Done!

View solution in original post

0 Likes
2 REPLIES 2

Go to solution
LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2014-05-01 06:45 AM

Hi Rajveer,

 

From what I can tell it looks like these URL's are being parsed into a field called "url" within the McAffee GW parser. By default this variable is set to transient in one of the configuration files which means it will not be shown in Investigator. In order to change this, SSH into your Log Decoder and open the following file:

 

vi /etc/netwitness/ng/envision/etc/table-map.xml

 

Search for the following line:

 

<mapping envisionName="url" nwName="url" flags="Transient" envisionDisplayName="URL"/>

 

And change it to:

 

<mapping envisionName="url" nwName="url" flags="None" envisionDisplayName="URL"/>

 

Then restart the nwlogdecoder service or reload parsers using the following command from the SSH console:

 

NwConsole -c login localhost:50002 <user> <password -c decoder/parsers reload

 

 

Give it a little while and see if this fields starts being populated under the URL field.

Go to solution
huanzhou1
Beginner
Beginner
In response to LeeKirkpatrick

‎2014-05-02 04:47 AM

You're correct.

 

Try below:

 

Change flags /etc/netwitness/ng/envision/etc/table-map.xml

        <mapping envisionName="url" nwName="url" flags="None" envisionDisplayName="URL"/>

 

Add        <key description="URL Links" format="Text" level="IndexValues" name="url" valueMax="500000" /> to index-concentrator-custom.xml

 

Then restart concentrator and jettysrv.

 

Done!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.