2018-12-19 05:26 AM
Hello,
I'm trying to create a custom multiple index feed on Nw 11.2 following the guide described here: 000035599 - Creating custom feeds with multiple indexed meta keys for RSA Security Analytics 10.6.x.
As a first step I'm using the same .xml and .csv files provided in the guide, and I'm sending custom logs modified to match the .csv file. Even though the procedure for creating the custom feed ends successfully without errors, the feed doesn't work in the 11.2 environment: there were no changes in the parsed metas after sending logs, instead of the additional metas described in the feed being populated. It does work in the 10.6 environment using the same guide.
Is there a different procedure for Nw 11.2, or for some reason do multiple index feeds not work on 11.2?
Thanks
2018-12-19 09:20 AM
What are you trying to achieve? Can you provide some examples of logs and what your goal is? There might be an easier way.
2018-12-19 09:37 AM
Hi Eric,
It's just a try that I want to do because in the future I will probably have to build a custom feed for a customer that works in an 11.2 environment.
The result should be easy to achieve. I'm just following the guide here (000035599 - Creating custom feeds with multiple... | RSA Link) and checking whether the values "whitelist" or "blacklist" are put in the "alert" meta. An example of a log is not important; I'm just using logs that are parsed correctly and that populate the metas "alias.host" and "domain" described in the .csv file. I specify again that in the 10.6 version the procedure works fine.