Viewing Logs from an Older Version of Log Decoder

NetWitness Platform can show a small sampling of recent logs for specific devices through the detail tabs of the Discovery View. By default, Log Decoders of earlier versions do not have the configuration needed to enable this feature, but a few minor changes make it available.

To enable logs preview for an older version of Log Decoder, follow these steps on the Log Decoder:

  1. Go to Admin > Services > select a Log Decoder, then select the Actions icon > View > Config.
  2. Click the Files tab, then select index-logdecoder-custom.xml from the drop-down menu.
  3. Add the following three lines at the end of the file (before the closing language tag):

    <key description="Device IP" level="IndexValues" name="device.ip" format="IPv4" valueMax="100000" defaultAction="Open"/>
    <key description="Device IPv6" level="IndexValues" name="device.ipv6" format="IPv6" valueMax="100000" defaultAction="Open"/>
    <key description="Device Host" level="IndexValues" name="device.host" format="Text" valueMax="100000" defaultAction="Open"/>

  4. Click Apply.

  5. Restart the Log Decoder as follows.

    Select Log Decoder > Explore > sys > Properties > shutdown

[Figure: example of the index-logdecoder-custom.xml file.]
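
A check that could be run on a copy of the edited file before clicking Apply, confirming that the three keys from step 3 sit inside the language element, each exactly once. This is an added example, not NetWitness tooling; the function name `check_custom_index` and the constructed sample file contents are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# The three keys from step 3, with the format each one must carry.
REQUIRED = {"device.ip": "IPv4", "device.ipv6": "IPv6", "device.host": "Text"}

def check_custom_index(xml_text):
    """Return a list of problems; an empty list means the edit looks right."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Also catches keys pasted after the closing language tag.
        return [f"not well-formed XML: {exc}"]
    if root.tag != "language":
        return [f"root element is <{root.tag}>, expected <language>"]
    problems = []
    keys = root.findall("key")  # direct children of <language> only
    for name, n in Counter(k.get("name") for k in keys).items():
        if n > 1:
            problems.append(f"key {name!r} defined {n} times")
    by_name = {k.get("name"): k for k in keys}
    for name, fmt in REQUIRED.items():
        key = by_name.get(name)
        if key is None:
            problems.append(f"missing key {name!r}")
        elif key.get("level") != "IndexValues" or key.get("format") != fmt:
            problems.append(f"key {name!r} needs level=IndexValues format={fmt}")
    return problems

# Constructed samples: a minimal file whose root attributes are left out.
KEYS = (
    '<key description="Device IP" level="IndexValues" name="device.ip" '
    'format="IPv4" valueMax="100000" defaultAction="Open"/>\n'
    '<key description="Device IPv6" level="IndexValues" name="device.ipv6" '
    'format="IPv6" valueMax="100000" defaultAction="Open"/>\n'
    '<key description="Device Host" level="IndexValues" name="device.host" '
    'format="Text" valueMax="100000" defaultAction="Open"/>\n'
)
GOOD = "<language>\n" + KEYS + "</language>"
PASTED_AFTER_CLOSE = "<language>\n</language>\n" + KEYS
PASTED_TWICE = "<language>\n" + KEYS + KEYS + "</language>"

if __name__ == "__main__":
    for label, text in [("good", GOOD), ("after close", PASTED_AFTER_CLOSE),
                        ("pasted twice", PASTED_TWICE)]:
        print(label, "->", check_custom_index(text) or "OK")
```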

[Figure: the Details view for an older Log Decoder, with the Discovery Score displayed as Unavailable.]

[Figure: the message that displays in the Logs panel for an older version of Log Decoder.]