Add Log Decoder as a Data Source to Archiver

Before you add a Log Decoder as a data source to an Archiver, make sure that:

  • the Archiver host is installed in your network environment,
  • a Log Decoder is installed and configured in your network environment, and
  • the Archiver host has been added to NetWitness and the Archiver service shows as active and licensed.

Add Log Decoder as a Data Source to Archiver

To add a Log Decoder as a data source to an Archiver:

  1. Go to Admin > Services, click the Filter icon, and select Archiver.
  2. In the Actions column, click the Actions icon > View > Config.

    The Services Config view of Archiver is displayed.

  3. On the General tab, in the Aggregate Services panel, click the Add icon.

    The Available Services dialog is displayed.


  4. Select the Log Decoder service to add as a data source to the Archiver and click OK.
  5. If the Log Decoder is using the trust model, an Add Service dialog is displayed.


  6. Type the username and password for the Log Decoder, and configure the SSL settings.
  7. Click OK.
    The selected Log Decoder service is listed in the Aggregate Services panel.

Archiver Meta Settings Considerations

To maximize retention time, the Archiver aggregates fewer meta items and maintains a smaller index than a Concentrator, enough to support common reporting needs. As a result, by default, some reports that you run on a Concentrator cannot be run on the Archiver. You can view the current meta and index items used by the Archiver in the following locations:

  • Explorer view: The metaInclude field at /archiver/devices/<logdecoder>/config/options shows the current list of meta items.
  • Config view > Files tab: The index-archiver.xml file shows the default index configuration; index-archiver-custom.xml shows any modifications.

The meta items and index of the Archiver can be customized to support customer-specific reporting needs. However, this requires additional storage, CPU, and memory, and may reduce retention time. As more meta items are added to the Archiver, the maximum aggregation rate decreases and the time to execute reports increases.

See (Optional) Configure Meta Filters for Aggregation and (Optional) Add Index Entries for Archiver Reporting for additional details.

(Optional) Configure Meta Filters for Aggregation

Follow this procedure to view the meta items the Archiver currently aggregates from a Log Decoder and to add more.

Caution: Adding meta items or index entries requires additional storage, CPU, and memory, and may reduce retention time. As more meta items are added to the Archiver, the maximum aggregation rate decreases and the time to execute reports increases.

  1. To view the current meta items, in the Aggregate Services panel, select the Log Decoder service and click the Info icon in the Meta Include field.
  2. To add meta items, select the Log Decoder service and click the Edit icon.

  3. In the Edit Aggregate Service dialog, select the meta items to include in the Meta Include list. For example, you may want to consider including ip.srcport, tcp.srcport, udp.srcport, msg, url, query, bytes, alias.host, ip.dst, ip.dstport, ip.src, tcp.dstport, megabytes, time, event.desc, and word.
  4. Click Save and then click Apply.
  5. See (Optional) Add Index Entries for Archiver Reporting below for information on how to index the additional meta keys.

(Optional) Add Index Entries for Archiver Reporting

Caution: Adding meta items or index entries requires additional storage, CPU, and memory, and may reduce retention time. As more meta items are added to the Archiver, the maximum aggregation rate decreases and the time to execute reports increases.

The Archiver’s default index configuration only includes value indexes for these keys:

  • time
  • decoder source (did)
  • destination user account (user.dst)
  • alert ID (alert.id)
  • device IP (device.ip)
  • source IP address (ip.src)
  • destination IP address (ip.dst)
  • event description (event.desc)
  • device class (device.class)
  • medium
  • object name (obj.name)
  • word

For information on customizing this list, see "Index Customization" in the Core Database Tuning Guide.
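A check that belongs between the two optional procedures above: a key that is added to the Meta Include list but has no value index cannot be used efficiently in Archiver reports, and a custom index entry for a key the Archiver never aggregates costs storage for nothing. The following Python script, an added example and not NetWitness product code, cross-checks the Meta Include list from the Configure Meta Filters procedure against the default value-index list above plus the entries in index-archiver-custom.xml. It assumes that the metaInclude value shown in the Explorer view is a comma-separated list of keys, and that index-archiver-custom.xml uses the <language><key name="..." level="..."/></language> schema described in the Core Database Tuning Guide (level IndexNone, IndexKeys or IndexValues). The sample Meta Include list and the sample custom index file are constructed for illustration.

```python
"""Audit Archiver meta-include keys against its value indexes.

Added example, not NetWitness product code. Assumptions:
  - metaInclude (Explorer view) is a comma-separated list of meta keys.
  - index-archiver-custom.xml uses the <language><key name=".." level=".."/>
    schema from the Core Database Tuning Guide; level is one of
    IndexNone, IndexKeys, IndexValues, and a <key> without a level
    inherits the <language> level.
"""
import xml.etree.ElementTree as ET

# Keys the default index-archiver.xml value-indexes, as listed on this page.
DEFAULT_VALUE_INDEX = frozenset({
    "time", "did", "user.dst", "alert.id", "device.ip", "ip.src", "ip.dst",
    "event.desc", "device.class", "medium", "obj.name", "word",
})

# Constructed sample: a Meta Include list after a few keys were added.
SAMPLE_META_INCLUDE = (
    "ip.src,ip.dst,event.desc,device.class,medium,obj.name,word,"
    "user.dst,alert.id,device.ip,ip.srcport,tcp.srcport,msg,url"
)

# Constructed sample index-archiver-custom.xml (hypothetical content).
SAMPLE_CUSTOM_INDEX = """<language level="IndexNone" defaultAction="Auto">
  <key description="Source port" format="UInt16" level="IndexValues" name="ip.srcport" valueMax="65536"/>
  <key description="TCP source port" format="UInt16" level="IndexKeys" name="tcp.srcport"/>
  <key description="URL" format="Text" level="IndexValues" name="url" valueMax="100000"/>
  <key description="File name" format="Text" level="IndexValues" name="filename" valueMax="100000"/>
</language>
"""


def parse_meta_include(raw):
    """Split the metaInclude option value into a list of keys."""
    return [k.strip() for k in raw.split(",") if k.strip()]


def parse_custom_index(xml_text):
    """Return {key name: index level} for every <key> in a custom index file."""
    root = ET.fromstring(xml_text)
    default_level = root.get("level", "IndexNone")
    levels = {}
    for key in root.iter("key"):
        name = key.get("name")
        if name:
            levels[name] = key.get("level", default_level)
    return levels


def audit(meta_include, custom_index):
    """Cross-check aggregated keys against value indexes.

    unindexed: aggregated keys with no value index (a custom entry can also
               demote one of the default keys)
    orphaned:  custom index entries for keys the Archiver does not aggregate
    """
    included = set(meta_include)
    # A custom entry overrides the default level for the same key.
    value_indexed = {k for k in DEFAULT_VALUE_INDEX
                     if custom_index.get(k, "IndexValues") == "IndexValues"}
    value_indexed |= {k for k, lvl in custom_index.items() if lvl == "IndexValues"}
    return {
        "unindexed": sorted(included - value_indexed),
        "orphaned": sorted(k for k in custom_index if k not in included),
    }


def run_sample():
    """Run the audit over the constructed sample inputs."""
    return audit(parse_meta_include(SAMPLE_META_INCLUDE),
                 parse_custom_index(SAMPLE_CUSTOM_INDEX))


if __name__ == "__main__":
    result = run_sample()
    print("Aggregated but not value-indexed:", ", ".join(result["unindexed"]) or "none")
    print("Indexed but not aggregated:      ", ", ".join(result["orphaned"]) or "none")
```

To use it against a real deployment, paste the metaInclude value from the Explorer view into SAMPLE_META_INCLUDE and the contents of index-archiver-custom.xml from the Files tab into SAMPLE_CUSTOM_INDEX. With the constructed sample, msg and tcp.srcport are aggregated but only tcp.srcport has a key-level index and msg has none, so neither supports value queries, while filename is value-indexed but never aggregated.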