Hi All, We have recently moved to v11.3.1.1 on Netwitness and I am
trying ot use the default Event Source monitoring to send syslog to one
of our decoders when a device is inactive for a certain period of time.
The default syslog template that is inc...
Hi All, I am currently trying to integrate windows aggregators in our
environment. The problem that I am facing is related to the rolling of a
channel for the windows logs. I have the following error in the logs:Log
for channel Security may have roll...
Hi All, We are continuously facing issues related to ESA lag. THE ESA
falls behind on specific concentrators and there is delay in alerting.
We have a RSA case open for this as well and we are being helped there
but also thought of asking this in the...
Hi All, We are unable to export any log from the investigate view. The
job page shows the query is waiting but it never completes. Could you
please suggest a solution?
Hi All, I am trying to test a parser that I have created for SAP. In the
NWLPT tool, I have created the parser and it works all the logs are
parsed . When I deploy this on my test system and try to replay logs
(both via uploading the log file and via...
Hi Josh, Happy New Year and thanks for your response! Please find my
reply inline: If all the IPs in that log are the same and all belong to
the same device, why can the event not be used to trigger a health check
on the device? - If this is the only...
Hi Josh, Thanks for the reply. Yes I have the CEF parser deployed and
enabled like I mentioned before. Still all the information is not being
parsed out. Leaving the parsing aside ( I could write a custom CEF
parser if needed), there is another probl...
Hi Max, The answer is there in the link shared by Williams above. Please
find the info below: Override Existing CEF Tag to NetWitness Meta Tag
Mapping For a Specific DeviceTo change existing CEF tag to NetWitness
Meta key mapping defined in Extention...
Hi David, Okay I will try that. But I had a question about the polling
duration and polling interval, should the polling duration always be
lesser than polling interval. For example, if I try polling interval of
10 s, what would you suggest the polli...
Hi Eric, We are on 10.6.5.1 and so the Endpoint windows agent cannot be
use I suppose. Sravan Koneti - The queue shows zero 1 rabbitmq.log 01
shovel.checkpoint 01 shovel.cmdscript 01 shovel.file 01 shovel.odbc 01
shovel.syslog 01 shovel.windows 0 Bu...
