Appendix A: Select the Reference Log Decoder

For version 11.2, NetWitness has added the ability to add log parsers and log parsing rules through the UI, using the Log Parsers view. The Log Parsers tab is populated based on your reference Log Decoder. If you have more than one Log Decoder, you can select which acts as the reference one for populating the tab in the UI. This topic describes the procedure to do so.

Note: If you have previously set a reference log decoder, make sure that it is at NetWitness version 11.5 or later to get full functionality.

To change the reference log decoder:

  1. In the NetWitness UI, navigate to netwitness_adminicon_25x22.png (Admin) > Services.
  2. For the Content Server, select View > Explore.
  3. From the left navigation panel, expand content > parser.

  4. To set the reference log decoder, enter a value for preferred-log-decoder-name-for-sync.

    Enter the name listed in the Name column on the ADMIN > Services screen for your preferred log decoder.

    122_selectReferenceLogDecoder_1222.png

  5. The change takes effect during the next system sync, based on the log-decoder-sync-interval. To sync sooner, you can do either of the following:

    • To sync immediately, restart the Content Sever: in the netwitness_adminicon_25x22.png (Admin) > Services view, from the Actions menu for the Content Server, select netwitness_ic-actns.png > Restart.
    • Change the log-decoder-sync-interval parameter from its default of 12 hours to your preferred interval. Note that the minimum value for this parameter is 1 HOUR.