Configuring Metadata Forwarding

To view the metadata, you must enable the metadata forwarding while installing the Endpoint Log Hybrid. The Endpoint metadata is displayed in the NetWitness Investigate (Navigate and Events views) similar to Logs and Packets. For information on metadata mappings, see Endpoint Metadata Mappings.

To configure metadata forwarding:

  1. Go to Admin > Services.
  2. In the Services view, select the Endpoint Server service.
  3. Click the Actions icon and select View > Config.
  4. Click the General tab.


  5. Click the Add icon in the toolbar.

    The Available Services dialog is displayed.


  6. Select a Log Decoder service and click OK.

    The Add Service dialog is displayed.

    Note: You can add only one Log Decoder service.


  7. Enter the administrator credentials for authentication.

  8. (Optional) If you enable Raw Data, a brief summary of the session is forwarded along with the metadata.

  9. (Optional) If you have enabled SSL on the REST port in the Log Decoder, select the REST SSL option. By default, the REST port for non-SSL is 50102.

  10. Select the Protobuf SSL option to enable SSL on Protobuf. By default, the Protobuf port is 50202.
  11. Click Save.

After configuring the metadata forwarding, make sure to:

  • Start the capture on the Log Decoder
  • Start the aggregation on the Concentrator
  • Add the Log Decoder as a service in the Concentrator

Start Metadata Forwarding to the Log Decoder

  1. In the Endpoint Meta config > General view, select the service.
  2. Click the Start icon.
    The Endpoint Server starts forwarding the metadata to the Log Decoder.

Stop Metadata Forwarding to the Log Decoder

  1. In the Endpoint Meta config > General view, select the service.
  2. Click the Stop icon.
    The Endpoint Server stops forwarding the metadata to the Log Decoder.

Remove Metadata Forwarding

Note: Make sure you stop the service before removing the metadata forwarding.

  1. In the Endpoint Meta config view, select the service.
  2. Click the Delete icon.
  3. Click Apply.

Endpoint Metadata Mappings

You can view the default metadata mappings or modify the metadata mappings for endpoints.

JSON Schema for Metadata Mappings

All metadata mappings are configured using the JSON schema. The following is a sample JSON schema:

    {
      "metaKeyPairs" : [
        {
          "metaKeyPairsCategory" : "",
          "keyPairs" : [
            {
              "endpointJpath" : "",
              "metaName" : "",
              "type" : "",
              "enabled" : true
            },
            {
              "endpointJpath" : "",
              "metaName" : "",
              "type" : "",
              "enabled" : true
            }
          ]
        }
      ]
    }

The following APIs are used to view or modify the metadata mappings:

  • get-default - Returns the default configurations for the endpoint metadata mappings.
  • get-custom - Returns the custom configurations for the endpoint metadata mappings.
  • set-custom - Customizes the endpoint metadata mappings.

View the Metadata Mappings

To view the endpoint metadata mappings:

  1. On the NW server, run the nw-shell command from the command line.
  2. Run the login command and enter the credentials.
  3. Connect to the Endpoint Server using the following command:
    connect --host <IP address> --port <number>

Note: The default port is 7050.

  4. Run the following commands:

    cd endpoint/meta
    cd get-default
    invoke

The output of get-default lists the default metadata mappings in the JSON schema shown above.

[Screenshot: default metadata mappings]

To disable a default metadata mapping:

Enter the same endpointJpath value and set the enabled parameter to false.

For example, if the endpointJpath is Category and the enabled parameter is true, enter the same endpointJpath and set the enabled parameter to false.


Note: Do not modify the metaKeyPairsCategory values in the schema: "COMMON", "COMMON_MACHINE", and "COMMON_MACHINE_FOR_EVENTS".

To change the metadata name or metadata type:

Enter the same endpointJpath value and specify values for the metaName and type.

Note: The metaName must exist in the table-map.xml of the Log Decoder, index-concentrator.xml or index-concentrator-custom.xml file of the Concentrator, for the metaName to appear on the Investigate view.

Add or Modify Metadata Mappings

To add or modify the metadata mappings, run the set-custom API. The metaKeyPairs configuration provided in the JSON file should match the JSON schema of the default configuration received through the get-default API.

  1. On the NW server, run the nw-shell command from the command line.

  2. Run the login command and enter the credentials.

  3. Connect to the Endpoint Server using the following command:

    connect --service endpoint-server

    Note: The default port number is 7050.

  4. Run the following commands:

    cd endpoint/meta
    cd set-custom
    invoke --file <json file>

You can add new metaKeys by adding keyPairs entries to the JSON file that is uploaded using the set-custom API. Each new entry follows the same schema (endpointJpath, metaName, type, enabled) and sits under one of the existing metaKeyPairsCategory groups.

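The following Python script is an added example (not NetWitness code) that prepares a file for set-custom covering the three edits described on this page: disabling a default mapping by endpointJpath, changing a mapping's metaName and type, and adding a new keyPairs entry. The sample default mapping, the meta names and the type values in it are constructed for illustration and stand in for what get-default returns on a real system. The validate_custom check encodes the two notes above (the fixed metaKeyPairsCategory values, and metaName having to exist on the Log Decoder or Concentrator); the known_meta_names set it takes is a constructed stand-in for the keys defined in table-map.xml or index-concentrator-custom.xml.

```python
"""Build and sanity-check a custom endpoint metadata mapping file.

Added example, not NetWitness code. Field names follow the JSON schema on
this page: metaKeyPairs / metaKeyPairsCategory / keyPairs / endpointJpath /
metaName / type / enabled. All values below are constructed samples.
"""
import copy
import json

# The page says these category values must not be modified.
FIXED_CATEGORIES = {"COMMON", "COMMON_MACHINE", "COMMON_MACHINE_FOR_EVENTS"}

# Constructed stand-in for a get-default result (illustrative values only).
DEFAULT_MAPPINGS = {
    "metaKeyPairs": [
        {
            "metaKeyPairsCategory": "COMMON",
            "keyPairs": [
                {"endpointJpath": "category", "metaName": "category", "type": "Text", "enabled": True},
                {"endpointJpath": "fileName", "metaName": "filename", "type": "Text", "enabled": True},
            ],
        },
        {
            "metaKeyPairsCategory": "COMMON_MACHINE",
            "keyPairs": [
                {"endpointJpath": "machine.agentId", "metaName": "agent.id", "type": "Text", "enabled": True},
            ],
        },
    ]
}


def _find_pair(mappings, endpoint_jpath):
    """Return (group, keyPair) for an endpointJpath, or (None, None)."""
    for group in mappings["metaKeyPairs"]:
        for pair in group["keyPairs"]:
            if pair["endpointJpath"] == endpoint_jpath:
                return group, pair
    return None, None


def disable_mapping(mappings, endpoint_jpath):
    """Disable a mapping: keep the same endpointJpath, set enabled to false."""
    custom = copy.deepcopy(mappings)
    _, pair = _find_pair(custom, endpoint_jpath)
    if pair is None:
        raise KeyError(f"no mapping for endpointJpath {endpoint_jpath!r}")
    pair["enabled"] = False
    return custom


def rename_mapping(mappings, endpoint_jpath, meta_name, meta_type):
    """Change metaName and type for an existing endpointJpath."""
    custom = copy.deepcopy(mappings)
    _, pair = _find_pair(custom, endpoint_jpath)
    if pair is None:
        raise KeyError(f"no mapping for endpointJpath {endpoint_jpath!r}")
    pair["metaName"] = meta_name
    pair["type"] = meta_type
    return custom


def add_mapping(mappings, category, endpoint_jpath, meta_name, meta_type):
    """Add a new keyPairs entry under one of the existing category groups."""
    custom = copy.deepcopy(mappings)
    if _find_pair(custom, endpoint_jpath)[1] is not None:
        raise ValueError(f"endpointJpath {endpoint_jpath!r} already mapped; modify it instead")
    for group in custom["metaKeyPairs"]:
        if group["metaKeyPairsCategory"] == category:
            group["keyPairs"].append({"endpointJpath": endpoint_jpath, "metaName": meta_name,
                                      "type": meta_type, "enabled": True})
            return custom
    raise KeyError(f"unknown metaKeyPairsCategory {category!r}")


def validate_custom(custom, known_meta_names):
    """Return a list of problems; an empty list means the file matches the schema.

    known_meta_names stands in for the meta keys defined in table-map.xml
    (Log Decoder) or index-concentrator-custom.xml (Concentrator).
    """
    problems = []
    groups = custom.get("metaKeyPairs")
    if not isinstance(groups, list):
        return ["metaKeyPairs must be a list"]
    seen = set()
    for group in groups:
        category = group.get("metaKeyPairsCategory")
        if category not in FIXED_CATEGORIES:
            problems.append(f"unexpected metaKeyPairsCategory {category!r}")
        for pair in group.get("keyPairs", []):
            jpath = pair.get("endpointJpath")
            for field in ("endpointJpath", "metaName", "type", "enabled"):
                if field not in pair:
                    problems.append(f"{jpath!r}: missing field {field}")
            if jpath in seen:
                problems.append(f"duplicate endpointJpath {jpath!r}")
            seen.add(jpath)
            # A metaName unknown to the Log Decoder/Concentrator never reaches Investigate.
            if pair.get("enabled") and pair.get("metaName") not in known_meta_names:
                problems.append(f"{jpath!r}: metaName {pair.get('metaName')!r} is not indexed")
    return problems


def write_custom_file(custom, path):
    """Write the file passed to: invoke --file <path> under endpoint/meta/set-custom."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(custom, fh, indent=2)


if __name__ == "__main__":
    custom = disable_mapping(DEFAULT_MAPPINGS, "category")
    custom = rename_mapping(custom, "fileName", "filename.src", "Text")
    custom = add_mapping(custom, "COMMON_MACHINE", "machine.osType", "OS", "Text")
    known = {"filename.src", "agent.id", "OS"}  # constructed stand-in for indexed keys
    print(validate_custom(custom, known))
    write_custom_file(custom, "custom-meta.json")
```

Run validate_custom against the set of meta keys actually indexed on your Log Decoder and Concentrator before uploading; a mapping whose metaName is not defined there is accepted by set-custom but never appears in the Investigate view.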

View the Custom Metadata Mappings

To view the custom metadata mappings, run the get-custom API in the same way as get-default (cd endpoint/meta, cd get-custom, invoke).

Note: The get-custom API will return values only if the metadata mappings are modified using the set-custom API.