Decoder and Log Decoder Quick Setup

A basic RSA NetWitness Platform network includes at minimum Brokers, Concentrators, and Decoders. Brokers aggregate data from Concentrators, and Concentrators consume data from at least one Network Decoder or Log Decoder. The basic network may include both types of Decoders. Network Decoders are usually referred to as Decoders, and they capture network data in packet form. Log Decoders capture log data as events.

Adding a Decoder makes it visible and available for use with NetWitness Platform Administration, Live Services, and Investigate. To add a service in NetWitness Platform, you select the service type, provide service connection information, and validate that the service can be reached. The Hosts and Services Getting Started Guide provides the information you need to understand and install all NetWitness Platform services.

After the services are added, you need to configure each service. This is the preferred order for configuring your system:

  1. Decoders
  2. Log Decoders
  3. Concentrators (refer to the Broker and Concentrator Configuration Guide)
  4. Brokers (refer to the Broker and Concentrator Configuration Guide)

Note: A Log Decoder is a special type of Decoder, which is configured and managed in a similar way to a Decoder. Most of the information in this guide refers to both types of Decoders. "Decoder" refers to both types of Decoders. Information that applies exclusively to Network Decoders or Log Decoders is clearly identified.

Basic configuration of the Decoder involves selecting a network adapter interface and starting data capture.

In addition, you can configure each Decoder to control the type of traffic captured using rules, feeds, and parsers. Advanced configuration tasks enable additional features that are relevant to specific applications. For example, configure a 10G Decoder, create custom meta keys, or decrypt incoming packets.

The easiest way to configure all of the required Decoder and Log Decoder settings is to use the options in the NetWitness Platform user interface. For the most part, configuration is performed in the Administration Services view (Admin > Services).

An example of the Administration Services View

Administrators who feel comfortable working outside of the user interface can configure the basic parameters as well as advanced settings by editing database nodes in the Decoder node tree using the Services Explore view.

The Services Explore view for a Decoder

Perform Initial Quick Setup

This procedure accomplishes the initial, basic configuration of a Decoder, and starts data capture. When the basic setup is complete, the Decoder begins capturing data for the Concentrator to consume.

To configure a Decoder and start capturing data:

  1. Assign a network interface for capturing data. For details, see "Select a Network Adapter" in Configure Capture Settings.
  2. Do one of the following:
    1. To start capture, select the Decoder and click the actions menu > View > System. In the toolbar, click Start Capture.
      This is an example of the Decoder System view.
    2. To enable Capture Autostart, see "Configure a Decoder to Begin Capturing Data Automatically" in Configure Capture Settings.
      The Decoder begins capturing data for consumption by a Concentrator. For additional configuration options, refer to Configure Common Settings on a Decoder and Decoder and Log Decoder Additional Procedures.