This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Online Documentation
Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Table of Contents

Product Resources

Import Content to Content Library

Before the custom content can be used in policies, it must be imported to the Content Library.

To export Application Rules or Network Rules from Legacy UI

    1. Go to mmd1_0-1709525235674.png (Admin) > Services.
    2. Go to Config view of the service where application rule or network rule is deployed.
    3. Click either the Application Rule or the Network Rule tab.

      Note: The Network Rule tab is only available for Network Decoder services.

    4. Select the content to migrate.
    5. Click Export to export the selected content or click All to export all the content.

The following table lists the supported file types and file extensions for Application Rules and Network Rules:

Content Supported File Types Supported File Extensions
Application Rules .NWR NA

Network Rules

.NWR

NA

To export Feeds, LUA Parsers, or Log Devices

The content file locations are as given below:

  • Feeds content file location: /etc/netwitness/ng/feeds
  • Lua Parsers content file location: /etc/netwitness/ng/parsers
  • Log Devices content file location: /etc/netwitness/ng/envision/etc/devices

You can upload the files which are copied locally from these locations and import these files to Content Library.

The following table lists the supported file types and file extensions for Log Devices, LUA Parsers and Feeds:

Content Supported File Types Supported File Extensions
Feeds .zip

.feed and .token
Log Devices .envision, .zip, .xml

Note:
- The zip file should have a root folder. The root folder should contain the ‘N’ folders for ‘N’ number of content. The 'N' folder names should be the content names. The ‘N’ folders, will contain the respective xml files.
- You can upload a maximum of 10 xml files at once.
- You can upload base parsers as well as custom parser at once.
- If you are importing a file which has both base and custom content, the base and custom content files are separated after importing them.
- - The custom log parser naming convention should be ‘<base>msg-custom.xml’.
- The base content name in Content Library will be the display name mentioned in the xml file.
- The custom content name in Content Library will be the ‘displayname-custom’.
- While importing extension of a Base Parser, when multiple flavours of a Base Parser are present in Content Library, the extension is associated to the first Base Parser that is found.

 NA
LUA Parsers .zip

.luax, .lua and .flextoken

Note: Any imported content will be treated as custom content. If imported content has the same name as existing Live content, then it must be renamed upon import. Custom content with the same name can be overwritten.

To create .envision files

  1. Keep all the Log Devices in a root folder in your local drive. For example, "logDevices".

  2. From the command prompt, run the python script specified in the NetWitness Community portal with input argument as the path of the above folder.

    Note: The command to run the python script is "python3 pythonscriptname.py inputArg".

  3. Once you run the script, a new zip named "nw_content_logDevices.zip" is created. This zip file will contain all the envision files.

IMPORTANT: All actions except ‘Export’ are disabled for Application Rules, Network Rules, Feeds, LUA Parsers and Log Devices from Service Config page for all core services if the service is managed by Policy-based Centralized Content Management.

To import content to Content Library

    1. Go to mmd1_1-1709525300322.png (CONFIGURE) > Policies.
    2. In the policies panel, click Content.
    3. In the left panel, click Content Library.
    4. Depending upon the type of content to be imported, click the following tabs:

      • Application Rule

      • Network Rule

      • Parser

      • Feeds

      • Log Devices

Note: The name of the application rule or network rule to be imported should not be same as existing rule name.

 

 

    1. In the respective content panel, click Import.

123_Import_0723.png

124_LogDeviceImport_1223.PNG

    1. In the Import panel, click or drag the file to upload.
    2. While importing a Log Device parser, if you want to import a standalone XML as an extended parser, select Import as Extended Custom Parser. If this option is not selected, then the XML will be imported as a standalone parser.
    3. Click Overwrite to overwrite content. This is applicable only in case of overriding an already imported content.

Note: You cannot overwrite the content if the content name is same as the rule name of the existing content of the same type from live server. However, you can overwrite the content if the content name is same as the custom content rule name.

  1. Select the medium types.
  2. Click Import to complete the import process. 

                                               

                                              Previous Page                                                      Next Page

         

                                                      

 

 

                                                                                                          

0 Likes
Was this article helpful? Yes No
No ratings

On this page

© 2022 RSA Security LLC or its affiliates. All rights reserved.