In order to add a Log Decoder as a data source to Archiver, you need to have installed the Archiver host in your network environment, installed and configured a Log Decoder in your network environment, and added the Archiver host to NetWitness Suite and make sure the Archiver service shows as active and licensed.
Add Log Decoder as a Data Source to Archiver
To add a Log Decoder as a data source to an Archiver:
- Go to ADMIN > Services.
- Select the Archiver service.
- In the Actions column, select View > Config.
The Services Config view of Archiver is displayed.
The Available Services dialog is displayed.
- Select the Log Decoder service to add as a data source to the Archiver and click OK.
If the Log Decoder is using the trust model, an Add Service dialog is displayed.
- Type the username and password for the Log Decoder, and configure the SSL settings.
- Click OK.
The selected Log Decoder service is listed in the Aggregate Services panel.
Archiver Meta Settings Considerations
To maximize retention time, the meta items and index of the Archiver have been reduced (when compared to the Concentrator) to support common reporting needs. This means that, by default, you may not be able to run all of the reports you run on the Concentrator on the Archiver. You can view a list of the current meta and index items used by the Archiver in the following locations:
- Explorer view: The /archiver/devices/<logdecoder>/config/options path in the metaInclude field shows the current list of meta items.
- Config view > Files tab: The index-archiver.xml shows the default index configuration. The index-archiver-custom.xml shows any modifications.
The meta items and index of the Archiver can be customized to support customer specific reporting needs, however this will require additional storage, CPU resources, and Memory resources to support, and may impact retention time. As more meta items are added to the Archiver, the maximum aggregation rate will decrease, and the time to execute reports will increase.
See (Optional) Configure Meta Filters for Aggregation and (Optional) Add Index Entries for Archiver Reporting for additional details.
Follow this procedure to view and add additional meta items to the Archiver.
- To view the current meta items, in the Aggregate Services panel, select the Log Decoder service and click in the Meta Include field.
- In the Edit Aggregate Service dialog, select the meta items to include in the Meta Include list. For example, you may want to consider including ip.srcport, tcp.srcport, udp.srcport, msg, url, query, bytes, alias.host, ip.dst, ip.dstport, ip.src, tcp.dstport, megabytes, time, event.desc, and word.
- Click Save and then click Apply.
- See (Optional) Add Index Entries for Archiver Reporting below for information on how to index the additional meta keys.
The Archiver’s default index configuration only includes value indexes for these keys:
- decoder source (did)
- destination user account (user.dst),
- alert ID (alert.id)
- device IP (device.ip)
- source IP address (ip.src)
- destination IP address (ip.dst)
- event description (event.desc)
- device class (device.class)
- object name (obj.name)
For information on customizing this list, see Index Customization in the Core Database Tuning Guide.