Decoder: Obtain Log Files a from Pre-11.0 Log Decoder

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Oct 11, 2017
Version 6Show Document
  • View in full screen mode
 

NetWitness 11.0. added the capability to view a small sampling of recent logs for specific devices through detail tabs of the Discovery View. By default, Log Decoders prior to 11.0 do not have the necessary configuration to enable this feature, but a few minor changes can make it available.

To enable logs preview for a pre-11.0 Log Decoder, follow these steps on the Log Decoder:

  1. Go to ADMIN > Services > select a Log Decoder, then select The actions menu> View > Config.
  2. Click the Files tab and select index-logdecoder-custom.xml from the drop-down menu.
  3. Add the following three lines at the end of the file (before the closing language tag):
    <key description="Device IP" level="IndexValues" name="device.ip" format="IPv4" valueMax="100000" defaultAction="Open"/>
    <key description="Device IPv6" level="IndexValues" name="device.ipv6" format="IPv6" valueMax="100000" defaultAction="Open"/>
    <key description="Device Host" level="IndexValues" name="device.host" format="Text" valueMax="100000" defaultAction="Open"/>
  4. Click Apply.
  5. Restart the Log Decoder service as follows.
    Select Log Decoder service > Explore > decoder > Properties > reset

This is an example of the index-logdecoder-custom.xml file.

This is an example  of the index-logdecoder-custom.xml file.

Note: Discovery Scores are only available for 11.x and above Log Decoders. Discovery Scores for pre-11.x Log Decoders are displayed as Unavailable.

The following example shows the Discovery Score as Unavailable in the Details view for a pre-11.0 Log Decoder.

This is an example of an unavailable Discovery score.

Note: Device logs are only available for 11.x and above Log Decoders.

The following example shows the message that is displayed in the Logs panel for a pre-11.0 Log Decoder.

This is an example of a message in the Logs panel.

You are here
Table of Contents > Decoder and Log Decoder Additional Procedures > Obtain Log Files from a Pre-11.0 Log Decoder

Attachments

    Outcomes