Importing Event Sources

You can import event source attributes from a CSV-formatted file. To import information from a configuration management database (CMDB), a spreadsheet, or other type of file, first convert or save the information to a CSV file.

Note: The following identification attributes are handled specially: IP, IPv6, Hostname, Event Source Type, Log Collector, and Log Decoder. If you import an event source that includes a different value for any of these fields (when compared with the value in NetWitness), the original value in NetWitness will not be overwritten.

The imported attributes are associated with the matched Event Source and are available for use in rules to create Event Source Groups.

NetWitness treats the import file as the correct, complete record. This assumption leads to the following behaviors related to importing event source attributes:

  • By default, when you import attributes, the system updates attributes for existing event sources only.
  • If the event source exists in the import file, but not in NetWitness, the attributes for that event source are ignored. That is, NetWitness does not create a new event source for these attributes.
  • If the event source exists in both the import file and NetWitness, values for that event source are overwritten.
  • If an attribute is blank in the import file, NetWitness clears the corresponding attribute.
  • If an attribute is not specified in the import file, then the corresponding attribute is ignored in NetWitness (that is, it is not cleared).

Note: There is a difference between a blank attribute and one that is not specified at all. If an attribute is specified but blank, the assumption is that it is meant to be blank, and NetWitness clears that attribute for the corresponding event source. However, if an attribute is not specified at all, it is assumed that no change is expected.

The above behaviors are the defaults—you can change the behavior as specified in the following procedure.

Import Event Source Attributes

To import Event Source attributes from a file:

  1. Go to Admin > Event Sources.
  2. Select the Manage tab.

    The Event Sources Manage tab is displayed.


  3. From the Import/Export menu in the toolbar, select Import.

    The Import Event Sources dialog is displayed.


  4. Navigate to the import file, and select the appropriate boxes:

    • Default: The default behavior is described above.
    • Add only: Imports an attribute only if the corresponding field in NetWitness is blank. Thus, no existing values will be overwritten.
    • Do not clear values: Does not clear attribute values in NetWitness for items in the import file that are blank.
    • Add Unknown Sources: Adds new event sources based on items in the import file.

    Note: You can select multiple options.

  5. Click Import.
  6. Click Yes in the confirmation dialog to perform the import.

Troubleshooting the Import File

If your import file is not formatted correctly, or is missing required information, an error is displayed, and the file is not imported.

Check the following:

  • If you are adding unknown sources, each line in the file must contain a combination of the required attributes:
    • IP or IPv6 or Hostname, and
    • Event Source Type
  • The first line of the file must contain header names, and the names must match the names in NetWitness. To get a list of correct column names, you can export a single event source. Examine the exported CSV file: the first row of the file contains the correct set of attribute/column names.
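The checks above, together with the blank-versus-unspecified rule described earlier, can be run against a file before it is uploaded. The following is an added example, not NetWitness code: it assumes the column names equal the attribute names used on this page, and the "Location" and "Site" columns and all sample values are constructed for illustration.

```python
import csv
import io

# Attributes this page says are handled specially (never overwritten).
# Column names are assumed to equal the attribute names; confirm them
# against the header row of a CSV exported from NetWitness.
ID_COLUMNS = ("IP", "IPv6", "Hostname")
TYPE_COLUMN = "Event Source Type"
SPECIAL = set(ID_COLUMNS) | {TYPE_COLUMN, "Log Collector", "Log Decoder"}

# Constructed sample data; "Location" and "Site" are hypothetical attributes.
EXPORTED_HEADER = ["IP", "IPv6", "Hostname", "Event Source Type", "Location"]
SAMPLE_CSV = """\
IP,Hostname,Event Source Type,Location,Site
10.0.0.5,fw01,example_type,DC-East,A
,,example_type,HQ,B
10.0.0.9,,,,C
"""


def preflight(csv_text, exported_header, add_unknown=False, do_not_clear=False):
    """Report what an import file would do, before it is uploaded."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    findings = {
        "unknown_columns": [c for c in header if c not in exported_header],
        "missing_required": [],  # file lines lacking the required attributes
        "will_clear": [],        # (file line, column) blank cells
    }
    for row in reader:
        line = reader.line_num
        has_id = any((row.get(c) or "").strip() for c in ID_COLUMNS)
        has_type = bool((row.get(TYPE_COLUMN) or "").strip())
        # Required combination applies when Add Unknown Sources is selected.
        if add_unknown and not (has_id and has_type):
            findings["missing_required"].append(line)
        # A present-but-blank cell clears the attribute unless
        # "Do not clear values" is selected; absent columns change nothing.
        if not do_not_clear:
            for col in header:
                if col not in SPECIAL and not (row.get(col) or "").strip():
                    findings["will_clear"].append((line, col))
    return findings


if __name__ == "__main__":
    print(preflight(SAMPLE_CSV, EXPORTED_HEADER, add_unknown=True))
```

Pass the header row of a single exported event source as exported_header, and review every will_clear entry before importing with the default options.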
