Endpoint: Configure Metadata Forwarding for the NetWitness Endpoint 11.1 Agents

Document created by RSA Information Design and Development on Mar 16, 2018. Last modified by RSA Information Design and Development on Apr 11, 2018.
Version 5

You can view Endpoint metadata in NetWitness Suite Investigate (the Navigate and Event Analysis views), in the same way as Logs and Packets. To do so, you must enable metadata forwarding, which forwards the following categories:

                       
Operating System    Categories
Windows             File, Service, DLL, Process, Task, Autorun, and Machine
Linux               File, Loaded Library, Systemd, Process, Cron, Initd, and Machine
Mac                 File, Daemon, Process, Task, Dylib, Autorun, and Machine

Configuring Metadata Forwarding

  1. Go to ADMIN > Services.
  2. In the Services view, select the Endpoint Server service.
  3. Click and select > View > Config.
  4. Click the General tab.
  5. Click Add Endpoint Meta in the toolbar.
    The Available Services dialog is displayed.
  6. Select the Log Decoder service and click OK.
    The Add Service dialog is displayed. You can add only one Log Decoder service.
  7. Enter the administrator credentials for authentication.

  8. (Optional) If you enable Raw Data, a brief summary of the session along with the metadata is sent.

  9. (Optional) If you have enabled SSL on the REST port in the Log Decoder, select the REST SSL option. By default, the REST port for non-SSL is 50202 and for SSL is 56202.

  10. Select the Protobuf SSL option to enable SSL on Protobuf. By default, the Protobuf port is 50202.
  11. Click Save.
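
Before choosing the REST SSL and Protobuf SSL options in steps 9 and 10, it helps to confirm which of the listed ports on the Log Decoder actually answer with TLS. The following is an added example, not part of the RSA documentation or product: the function names are hypothetical, the port numbers are the defaults stated on this page, and the Log Decoder hostname is supplied by the operator on the command line.

```python
import socket
import ssl
import sys

# Default ports exactly as stated in steps 9 and 10 of this page.
PAGE_DEFAULT_PORTS = {"non-SSL": 50202, "SSL": 56202}


def probe(host, port, timeout=3.0):
    """Return 'closed', 'open-no-tls' or 'tls' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    # Verification is off on purpose: this only asks "does the port speak
    # TLS?"; it does not judge whether the certificate is trustworthy.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls" if tls.version() else "open-no-tls"
    except OSError:  # ssl.SSLError, resets and timeouts all land here
        return "open-no-tls"
    finally:
        raw.close()


def report(host, ports=PAGE_DEFAULT_PORTS, timeout=3.0):
    """Probe each port and return {label: (port, state)}."""
    return {label: (port, probe(host, port, timeout))
            for label, port in ports.items()}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_ports.py <log-decoder-host>")
    for label, (port, state) in report(sys.argv[1]).items():
        print(f"{label} default port {port}: {state}")
```

A port reported as open-no-tls accepts connections but does not complete a TLS handshake, so selecting the matching SSL option for it would not match what the Log Decoder is serving.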

After configuring the meta forwarding, make sure to:

  • Start the capture on the Log Decoder
  • Start the aggregation on the Concentrator
  • Add the Log Decoder as a service in the Concentrator

Starting Metadata Forwarding to the Log Decoder

  1. In the Endpoint Meta config view, select the service.
  2. Click
    The Endpoint Server starts forwarding the metadata to the Log Decoder.

Stopping Metadata Forwarding to the Log Decoder

  1. In the Endpoint Meta config view, select the service.
  2. Click
    The Endpoint Server stops forwarding the metadata to the Log Decoder.

Removing Metadata Forwarding

Note: Make sure you stop the service before removing the metadata forwarding.

  1. In the Endpoint Meta config view, select the service.
  2. Click .
  3. Click Apply.