Configuring Metadata Forwarding
To view the metadata, you must enable metadata forwarding while installing the Endpoint Log Hybrid. Endpoint metadata is displayed in NetWitness Investigate (Navigate and Events views) in the same way as log and packet metadata. For information on metadata mappings, see Endpoint Metadata Mappings.
To configure metadata forwarding:
- Go to (Admin) > Services.
- In the Services view, select the Endpoint Server service.
- Click the actions icon and select View > Config.
- Click the General tab.
- Click the add icon in the toolbar. The Available Services dialog is displayed.
- Select a Log Decoder service and click OK. The Add Service dialog is displayed.
  Note: You can add only one Log Decoder service.
- Enter the administrator credentials for authentication.
- (Optional) Enable Raw Data to forward a brief summary of each session along with its metadata.
- (Optional) If SSL is enabled on the REST port of the Log Decoder, select the REST SSL option. By default, the non-SSL REST port is 50102.
- Select the Protobuf SSL option to enable SSL on Protobuf. By default, the Protobuf port is 50202.
- Click Save.
After configuring the metadata forwarding, make sure to:
- Start the capture on the Log Decoder
- Start the aggregation on the Concentrator
- Add the Log Decoder as a service in the Concentrator
Start Metadata Forwarding to the Log Decoder
- In the Endpoint Meta config > General view, select the service.
- Click the start icon.
The Endpoint Server starts forwarding the metadata to the Log Decoder.
Stop Metadata Forwarding to the Log Decoder
- In the Endpoint Meta config > General view, select the service.
- Click the stop icon.
The Endpoint Server stops forwarding the metadata to the Log Decoder.
Remove Metadata Forwarding
Note: Make sure you stop the service before removing the metadata forwarding.
- In the Endpoint Meta config view, select the service.
- Click the remove icon.
- Click Apply.
Endpoint Metadata Mappings
You can view the default metadata mappings or modify the metadata mappings for endpoints.
JSON Schema for Metadata Mappings
All metadata mappings are configured using the JSON schema. The following is a sample JSON schema:
{
  "metaKeyPairs" : [
    {
      "metaKeyPairsCategory" : "",
      "keyPairs" : [
        {
          "endpointJpath" : "",
          "metaName" : "",
          "type" : "",
          "enabled" : true
        },
        {
          "endpointJpath" : "",
          "metaName" : "",
          "type" : "",
          "enabled" : true
        }
      ]
    }
  ]
}
The following APIs are used to view or modify the metadata mappings:
- get-default - Returns the default configuration for the endpoint metadata mappings.
- get-custom - Returns the custom configuration for the endpoint metadata mappings.
- set-custom - Uploads a custom configuration for the endpoint metadata mappings.
View the Metadata Mappings
To view the endpoint metadata mappings:
- On the NW server, run the nw-shell command from the command line.
- Run the login command and enter the credentials.
- Connect to the Endpoint Server using the following command:
  connect --host <IP address> --port <number>
  Note: The default port is 7050.
- Run the following commands:
  cd endpoint/meta
  cd get-default
  invoke
The following screen shows the default metadata mappings:
To disable a default metadata mapping:
Enter the same endpointJpath value and set the enabled parameter to false.
For example, if the endpointJpath is Category and its enabled parameter is true, enter the same endpointJpath and set the enabled parameter to false.
Note: Do not modify the metaKeyPairsCategory values in the schema: "COMMON", "COMMON_MACHINE", and "COMMON_MACHINE_FOR_EVENTS".
To change the metadata name or metadata type:
Enter the same endpointJpath value and specify new values for metaName and type.
Note: For a metaName to appear in the Investigate view, it must exist in table-map.xml on the Log Decoder and in index-concentrator.xml or index-concentrator-custom.xml on the Concentrator.
Add or Modify Metadata Mappings
To add or modify the metadata mappings, run the set-custom API. The metaKeyPairs configuration provided in the JSON file should match the JSON schema of the default configuration received through the get-default API.
- On the NW server, run the nw-shell command from the command line.
- Run the login command and enter the credentials.
- Connect to the Endpoint Server using the following command:
  connect --service endpoint-server
  Note: The default port number is 7050.
- Run the following commands:
  cd endpoint/meta
  cd set-custom
  invoke --file <json file>
You can add new metaKeys by adding entries to the file that will be uploaded using the set-custom API. The following example shows how to add a new metadata mapping:
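The following script is an added example, not NetWitness code and not part of this page. It builds a file in the shape of the JSON schema above for upload with set-custom and checks it first: every metaKeyPairsCategory is one of the three names the page says not to modify, every key pair carries endpointJpath, metaName, type and enabled, and every enabled metaName is declared as a key in an index-concentrator-custom.xml excerpt, since an unindexed metaName never reaches the Investigate view. It covers the disable, rename and add cases from the preceding sections. The get-default stand-in, the endpointJpath and metaName values, and the index-file excerpt are constructed samples.

```python
"""Build and sanity-check an endpoint metadata-mappings file before uploading it
with set-custom.  Added example, not NetWitness code: the layout follows the JSON
schema on the page and the category names come from the page; every
endpointJpath, metaName and index-file entry below is a constructed sample."""
import copy
import json
import xml.etree.ElementTree as ET

# Category names the page says must not be modified.
PROTECTED_CATEGORIES = {"COMMON", "COMMON_MACHINE", "COMMON_MACHINE_FOR_EVENTS"}
REQUIRED_PAIR_KEYS = {"endpointJpath", "metaName", "type", "enabled"}

# Constructed stand-in for what get-default returns (two mappings only).
DEFAULT_MAPPINGS = {
    "metaKeyPairs": [
        {
            "metaKeyPairsCategory": "COMMON",
            "keyPairs": [
                {"endpointJpath": "Category", "metaName": "category",
                 "type": "Text", "enabled": True},
                {"endpointJpath": "HostName", "metaName": "alias.host",
                 "type": "Text", "enabled": True},
            ],
        }
    ]
}

# Constructed excerpt in the shape of index-concentrator-custom.xml; only the
# key names are used here.
INDEX_CUSTOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Category" level="IndexValues" name="category" format="Text"/>
  <key description="Hostname Aliases" level="IndexValues" name="alias.host" format="Text"/>
</language>"""


def indexed_meta_names(xml_text):
    """Collect the key names declared in an index-file excerpt."""
    return {key.get("name") for key in ET.fromstring(xml_text).iter("key")}


def validate(mappings, indexed):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems = []
    groups = mappings.get("metaKeyPairs")
    if not isinstance(groups, list):
        return ["top-level 'metaKeyPairs' must be a list"]
    for group in groups:
        category = group.get("metaKeyPairsCategory")
        if category not in PROTECTED_CATEGORIES:
            problems.append(f"unexpected metaKeyPairsCategory {category!r}")
        for pair in group.get("keyPairs", []):
            missing = REQUIRED_PAIR_KEYS - set(pair)
            if missing:
                problems.append(f"key pair {pair!r} is missing {sorted(missing)}")
                continue
            if not isinstance(pair["enabled"], bool):
                problems.append(f"'enabled' for {pair['endpointJpath']} must be true/false")
            # A metaName the Concentrator does not index never reaches Investigate.
            if pair["enabled"] and pair["metaName"] not in indexed:
                problems.append(f"metaName {pair['metaName']!r} is not in the index file")
    return problems


def _group(mappings, category):
    """Find the group for a category, appending an empty one if it is absent."""
    for group in mappings["metaKeyPairs"]:
        if group["metaKeyPairsCategory"] == category:
            return group
    group = {"metaKeyPairsCategory": category, "keyPairs": []}
    mappings["metaKeyPairs"].append(group)
    return group


def set_mapping(mappings, category, endpoint_jpath, meta_name=None, meta_type=None, enabled=True):
    """Return a copy with one key pair added or overridden.

    Re-using an existing endpointJpath with enabled=False disables that default
    mapping; supplying meta_name/meta_type renames it; a new endpointJpath adds one.
    """
    out = copy.deepcopy(mappings)
    group = _group(out, category)
    for pair in group["keyPairs"]:
        if pair["endpointJpath"] == endpoint_jpath:
            if meta_name is not None:
                pair["metaName"] = meta_name
            if meta_type is not None:
                pair["type"] = meta_type
            pair["enabled"] = enabled
            return out
    if meta_name is None or meta_type is None:
        raise ValueError("a new mapping needs both metaName and type")
    group["keyPairs"].append({"endpointJpath": endpoint_jpath, "metaName": meta_name,
                              "type": meta_type, "enabled": enabled})
    return out


def to_custom_json(mappings):
    """Serialise the file passed to `invoke --file <json file>` under endpoint/meta/set-custom."""
    return json.dumps(mappings, indent=2)


if __name__ == "__main__":
    indexed = indexed_meta_names(INDEX_CUSTOM_XML)
    custom = set_mapping(DEFAULT_MAPPINGS, "COMMON", "Category", enabled=False)
    custom = set_mapping(custom, "COMMON_MACHINE", "OsVersion", "os.version", "Text")
    for problem in validate(custom, indexed):
        print("problem:", problem)   # flags os.version, which the excerpt does not index
    print(to_custom_json(custom))
```

Run it with the real get-default output in place of DEFAULT_MAPPINGS and the Concentrator's actual index-concentrator-custom.xml in place of the excerpt; fix every reported problem before uploading the file, and remember that get-custom only returns values once a set-custom upload has been made.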
View the Custom Metadata Mappings
To view the custom metadata mappings, change to the get-custom directory under endpoint/meta and run the invoke command.
Note: The get-custom API will return values only if the metadata mappings are modified using the set-custom API.