
Create a custom feed for Netwitness 10.2

Question asked by RSA Admin Employee on Sep 12, 2013
Latest reply on Sep 18, 2013 by RSA Admin

Hi, I am trying to generate custom feeds for NetWitness.

Issue: I want to add a meta field (device.domain) depending on the IP address from the log.

Each log has an IP address in it, but I also want to add a device name meta field.

index-concentrator.xml has:

<key description="Device IP" level="IndexValues" name="device.ip" format="IPv4" valueMax="100000" defaultAction="Open"/>

For the new meta I have added a field in index-concentrator-custom.xml:

<key description="domain" name="device.domain" level="IndexValues" format="Text" valueMax="0" defaultAction="Open"/>

My feed definition looks like:

<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="Domain name" path="domainmap.csv" separator="," comment="#">
    <LanguageKeys>
      <LanguageKey name="device.domain" valuetype="Text"/>
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" range="cidr"/>
      <Field index="2" type="value" key="device.domain"/>
    </Fields>
  </FlatFileFeed>
</FDF>

Then create the CSV file (fields separated by the comma declared in the feed definition):

#Example
#IP address,Domain
192.168.1.1,Coke
192.168.1.12,Pepsi

Compiled the feed from the NetWitness console:

> feed create feed-definitions.xml
Creating feed Domain name...
done.  0 entries, 24 invalid records
All feeds complete.

I got an "invalid records" message; not sure about this.

Then copied the new .feed file to the desktop and added the feed from Security Analytics. Uploaded the feed.

After this, restarted both decoder and concentrator services, and many logs with device.ip meta were sent to the decoder. But device.domain meta is empty under Investigator. Since Investigator in Security Analytics is slow, I also tried to get the data over the REST API, but there is no data for the device.domain meta field.

Did I miss some steps to push the custom feed? Or is anything wrong in the feed definitions?

Regards

DJ


Message was edited by: dheerajjoshim
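The "0 entries, 24 invalid records" result from `feed create` means the compiler rejected every row of the CSV, so the .feed that was uploaded carried no data and device.domain could never be populated. A pre-flight check that reads the separator, comment character and field layout straight out of the FDF and reports which CSV rows cannot be parsed against it catches this before the feed is compiled. The script below is an added example written for this page; it is not part of the original post and not RSA's feed tooling. The FDF is a copy of the one in the post, the CSV rows are constructed (two good rows, one with a tab instead of the declared comma, one with a malformed address), and the parsing rules it applies (comment prefix skips the line, the `index` field must be an IPv4 address or CIDR block) are assumptions about the compiler, not documented behaviour.

```python
"""Sanity-check a NetWitness flat-file feed CSV against its FDF definition.

Added example, not part of the original post or of RSA's tooling. It reads the
separator, comment character and field layout from the feed definition and
reports which CSV records the feed compiler would have no way to parse
(wrong column count, index value that is not an IPv4 address or CIDR block).
The FDF and CSV below are constructed for this example.
"""
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the feed definition shown in the post.
FDF_XML = """<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="Domain name" path="domainmap.csv" separator="," comment="#">
    <LanguageKeys>
      <LanguageKey name="device.domain" valuetype="Text"/>
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" range="cidr"/>
      <Field index="2" type="value" key="device.domain"/>
    </Fields>
  </FlatFileFeed>
</FDF>
"""

# Constructed CSV: two good rows, one row whose separator is a tab instead of
# the declared comma, and one row with a malformed address.
SAMPLE_CSV = (
    "#Example\n"
    "#IP address,Domain\n"
    "192.168.1.1,Coke\n"
    "192.168.1.0/24,Pepsi\n"
    "192.168.1.12\tFanta\n"
    "192.168.1.999,Sprite\n"
)


def parse_fdf(fdf_text):
    """Return (separator, comment_char, index_positions, max_index) read from the FDF."""
    root = ET.fromstring(fdf_text)
    feed = root.find("FlatFileFeed")
    fields = feed.find("Fields").findall("Field")
    index_positions = [int(f.get("index")) for f in fields if f.get("type") == "index"]
    max_index = max(int(f.get("index")) for f in fields)
    return feed.get("separator", ","), feed.get("comment", "#"), index_positions, max_index


def is_ip_or_cidr(value):
    """True if value is a single IPv4 address or an IPv4 CIDR block."""
    try:
        ipaddress.IPv4Network(value.strip(), strict=False)
        return True
    except ValueError:
        return False


def validate_feed(fdf_text, csv_text):
    """Return (valid_count, invalid_records); invalid_records is a list of (line_no, reason)."""
    sep, comment_char, index_positions, max_index = parse_fdf(fdf_text)
    valid = 0
    invalid = []
    reader = csv.reader(io.StringIO(csv_text), delimiter=sep)
    for line_no, row in enumerate(reader, start=1):
        if not row or row[0].startswith(comment_char):
            continue  # blank or comment line, assumed to be skipped by the compiler
        if len(row) < max_index:
            invalid.append((line_no, "expected %d fields separated by %r, got %d"
                            % (max_index, sep, len(row))))
            continue
        bad = [row[i - 1] for i in index_positions if not is_ip_or_cidr(row[i - 1])]
        if bad:
            invalid.append((line_no, "index value not IPv4/CIDR: %s" % ", ".join(bad)))
            continue
        valid += 1
    return valid, invalid


if __name__ == "__main__":
    ok, bad = validate_feed(FDF_XML, SAMPLE_CSV)
    print("%d valid records" % ok)
    for line_no, reason in bad:
        print("line %d: %s" % (line_no, reason))
```

Run against a real domainmap.csv by replacing `SAMPLE_CSV` with the file contents; a feed that compiles with "0 entries" should show every data row in the invalid list here, and the reason column tells you whether the separator or the address format is at fault.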
