In RSA NetWitness, when does it make sense to create a new index key
instead of using an existing one to store more heterogeneous data? My
example use case is a key named 'hash'. If hashes from logs and other
sources can be either MD5, SHA-1, SHA-256...
I would like to centrally manage nslcd.conf for centralized LDAP
authentication for all my NetWitness hosts. Before 11.0 I would have had
the competency to do this with Puppet, but with the switch to Chef I no
longer know what is needed to accomplish...
What are the real differences between warm and cold storage in an
Archiver when working with a virtual deployment? The only benefit I could
think of is that data stored in the cold tiers would take less space than
data stored in the warm tiers. But is th...
I have a log message from which I have parsed the URI scheme ("http" or
"https") into , the hostname into , and the request part
into . When I try to concatenate the three parts into a URL
with <@url:*STRCAT(scheme,'://',host,request)> everything wo...
I am interested in whether someone has found a robust solution for
creating fault-tolerant log collection in their NetWitness Logs
architecture. What I usually see are recommendations to configure a VLC
to fail over to a second Log Decoder (Local Log...
Keepalived 1.3.5 seems to be broken with the current selinux-policy
(selinux-policy-3.13.1-102.el7_3.16.noarch) that installs with
Netwitness 11.0. For more information, see
https://bugzilla.redhat.com/show_bug.cgi?id=1458263 . Any plans to
What about the differences between hot and warm/cold? Based on the in
the configuration guide the compression is configured per collection.
Does this mean that I cannot configure a collection to use hot storage
without compression for x days, after w...
Just found this earlier post: VLC Failover without using a third-party
load balance solution. This might actually be what I am looking for.
Still eager to hear about any experiences on that or anything else
regarding this issue as well.
I might have missed something big time, but... What is the actual
purpose of 'eventtimestr' here? If I read correctly, it is populated
from a feed that is generated on a core device. Don't the collected logs
already get populated with a collection ti...
Commenting because I was also going to ask the exact same question.
However, in our case we would like to assign secondary interfaces to all
components (SA Server, Concentrator, Log Decoder, Archiver, and Virtual
Log Collector). We would like to be a...