NetWitness Community

BrianHoward · ‎2015-02-06

Has anyone started pulling in Netflow data into SA? If so, are you able to see the "direction" meta and run the RSA provided Netflow reports? I am unable to do either properly. I added a custom line in my log concentrator index-concentrator-custom.xml file, and the meta appears in an investigation, but reports come back empty for the same data/time frame.

Here is the info from my index-concentrator-custom.xml file:

<?xml version="1.0" encoding="utf-8"?>

</language>

Anonymous · ‎2015-02-08

Hi Brian

Check out this post by Davide that explains how to add the Direction meta-tagging to your system.

The Direction meta is not created by the NetFlow parser itself, but by App rules that match ip.src and ip.dst against a list of network ranges that you can customise to match your company's IP address scheme.

View solution in original post

Anonymous · ‎2015-02-08

Hi Brian

Check out this post by Davide that explains how to add the Direction meta-tagging to your system.

The Direction meta is not created by the NetFlow parser itself, but by App rules that match ip.src and ip.dst against a list of network ranges that you can customise to match your company's IP address scheme.

BrianHoward · ‎2015-02-09

That is exactly what I was looking for! Thank you.

NetWitness Community

Netflow data parsing