000026517 - How to create and manage feed filters on an RSA NetWitness decoder

Document created by RSA Customer Support Employee on Jan 12, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000026517
Applies To: RSA NetWitness NextGen, RSA NetWitness Decoder, RSA NetWitness Log Decoder, RSA NetWitness Hybrid
Issue: How to create and manage feed filters on an RSA NetWitness decoder.
Resolution

If you need to filter certain values out of your NwLive feeds, use the following procedure.

Create a filter file:



1. Using a text editor, create a file containing the values that you wish to filter from the feed. Put one value per line in the text file.
2. Give the file the same name as the feed it is intended to filter, but with the file extension .filter. For example, if you wish to filter 'localhost' from the ShadowServer.feed file, create a filter called ShadowServer.filter.
3. Use Administrator (on the Decoder's dashboard...Files View...Upload Feed/Parser control) to upload the filter file to the Decoder.
4. Stop and restart capture (or run the /parser reload command from the Explorer View).
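
Steps 1 and 2 can be scripted when the list of values is maintained outside a text editor. The following Python is an added example, not part of the RSA article or product. The function names, the cleanup of blank and duplicate entries, and the LF line endings are assumptions; only the one-value-per-line layout and the .filter naming come from the steps above.

```python
"""Build a .filter file for a NetWitness feed (added example, not RSA code)."""
from pathlib import Path


def filter_path_for(feed_file):
    """ShadowServer.feed -> ShadowServer.filter (same base name, new extension)."""
    feed = Path(feed_file)
    if feed.suffix != ".feed":
        raise ValueError(f"expected a .feed file, got {feed.name!r}")
    return feed.with_suffix(".filter")


def normalize_values(values):
    """Trim whitespace, drop blanks and duplicates, keep first-seen order."""
    seen, cleaned = set(), []
    for raw in values:
        value = raw.strip()
        if not value:
            continue
        if "\n" in value or "\r" in value:
            # A value with an embedded line break would become two filter entries.
            raise ValueError(f"value spans multiple lines: {raw!r}")
        if value not in seen:
            seen.add(value)
            cleaned.append(value)
    return cleaned


def write_filter(feed_file, values, out_dir="."):
    """Write one value per line and return the path of the filter file."""
    target = Path(out_dir) / filter_path_for(feed_file).name
    cleaned = normalize_values(values)
    if not cleaned:
        raise ValueError("no values to filter")
    # Assumption: plain LF-terminated text is the safest form to upload,
    # so force it even when the script runs on Windows.
    with open(target, "w", encoding="utf-8", newline="\n") as fh:
        fh.write("\n".join(cleaned) + "\n")
    return target


if __name__ == "__main__":
    # Constructed sample values; 'localhost' is the article's own example.
    sample = ["localhost", " 127.0.0.1 ", "", "localhost"]
    path = write_filter("ShadowServer.feed", sample)
    print(path, path.read_text().splitlines())
```

Upload the resulting file and reload the parsers as described in steps 3 and 4.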



 


Refer to the attached PDF document for complete instructions and sample screenshots.

Legacy Article ID: a58600
