we're using SA for log, we identified a few devices(device.ip meta) which we want to use feed, tried to create the feed using csv (without xml definition), but there is no values, checked the documents, seems it can only reference to ip.src or ip.dst? how to make it refrence to device.ip?
Or is there any steps missing?
Below is the sample csv:
192.168.0.1,firewall1
192.168.0.2,firewall2
192.168.0.3,firewall3
Thank you.
i got it work by using call back device.ip, so it's correct the ip address only index for ip.src and ip.dst.
Awesome, I was looking for something exactly like this. Essentially making a /etc/hosts file out of a feed.
this is interesting but I did not get how this can be achieved.
i wonder how to perform the "call back device.ip" on the custom feed?
Hello,
I try to create a custom feeds with metacallback for tell device.ip but i can't do it.
You can tell me how are you doing for that please ? Because my CSV and xml don't work and i don't find the reason
i post this question on forum How create a custom feed with "device.ip" (MetaCallback) but i explain the case :
My custom meta work with another feed. But Only meta "ip.src" or "ip.dst" is considerate for the indexation with a feed on CIDR. I read in forum or RSA documentation that custom xml with "metacallback" attribut allows to select another meta for indexing, but I can't ...
May be is my xml file or a bad practice ? I try 2 xml with <MetaCallback> but nothing. What do you think, Can you help me please ?
- My meta is in "index-concentrator-cutom"
- My XML and my CSV File :
or i try like that :
- My CSV :
- I have restart the nwconcentrator service but nothing :
thank for your read
i got it work by using call back device.ip, so it's correct the ip address only index for ip.src and ip.dst.