You can configure Decoders so that packets and logs can be processed, and then dropped before they are written to disk. This is called a Meta-Only Decoder, which uses the Meta-Only license, and can save storage space (however, analysts cannot reconstruct events in Investigate if you use this option). The configuration option /decoder/config/packet.write.disabled controls this feature. If this option is set to true, all packets are dropped after parsing, so they are never written to the database. This applies to both Log and Network Decoders. The ingested logs and packets flow through the system normally so that parsing and other operations are not impacted. The default setting is false, which preserves the normal behavior of writing packets to disk.
Note: You must purchase the Meta-Only license before you can realize the full benefit of using this option. For information about purchasing licenses, see the Licensing Management Guide for RSA NetWitness Platform. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
To configure a Meta-Only Decoder where packets and logs are parsed and not written to disk:
- Go to (Admin) > Services and select a Decoder.
- Click > View > Explore, and in the left panel, expand decoder and click config.
- In the right pane, go to packet.write.disabled, and change the value from false to true.
Note: You can make this configuration update while capture is running, but the update does not take affect until capture is restarted.
For an example of how to use the Meta-Only license to apply centrally-managed capture policies across your Network Decoders, see (Optional) Configure Selective Network Data Collection