I have created a feed for the department, but it is getting populated under my custom meta. The CSV file is in this format:
Can anyone tell me whether it is right or wrong, and if it is wrong, what the right format is?
It sounds like you may need to add or modify the dept.src meta in the /etc/netwitness/ng/index-concentrator-custom.xml file on the Concentrator that is consuming from your Decoder. Take a look at KB article 000026955 for more information about doing this.
Jeff Shurtliff, CISSP
Sr Social Engagement Manager
RSA, The Security Division of EMC
What do you mean it is populated under your custom meta? The format should be fine as you get to define where the custom feeds go.
If you are doing source ip and dest IP, you will need two custom feeds. Then set column one as the index on ip.src or ip.dst and inject the 2nd column to whatever meta you want.
I have uploaded the feed of IP with its department, and the department is under the meta dept.src (custom meta). But while investigating the particular IP I am not getting any value in the dept.src meta. It is showing: dept.src(Not Indexed)
Thanks Jeff for sharing the link for the document of feed. I successfully created all feeds and they are working.
I am just stuck on another issue related to the feed, i.e.
I want to map device.ip to its department, but it is mapped to ip.src and ip.dst.
How can I change this, as in the above field at feed.callbacks I am unable to change this value?
Does anyone have an idea on this?
I have resolved this case by taking Non IP in the feed upload and selecting the desired callback meta.
Hello Mohd, Jeff,
Sorry, it's resolved, but I'm interested in your discussion.
I tried to create a feed with a CIDR-type index column and "device ip" as the meta callback, but it does not work.
Only "ip.src" and "ip.dst" work with a CIDR feed...
How did you do it, Mohd? Did you really take a Non IP type in your feed configuration, and does it work with CIDR information in your CSV?
Maybe it is my XML file or a bad practice? I tried 2 XMLs with <MetaCallback> but nothing. What do you think? Can you help me please?
- My meta is in "index-concentrator-cutom"
- My XML and my CSV file:
or I tried it like this:
- My CSV:
- I have restarted the nwconcentrator service but nothing:
The link given by Jeff was enough to get the custom meta in the SA environment. You can check that link for the changes at the decoder, concentrator and broker respectively, followed by restarting the services.
Secondly, I haven't used CIDR notation in the CSV, so I am not sure about that, but can try it. Also, I haven't used the CSV format which you are using. I have used this without any comma and all (created in Excel and saved as .csv), like below:
I will try in my practice setup about CIDR in non ip and will inform you accordingly.
Thanks for your response.
Yes, this link was enough to create a custom meta (thanks Jeff), but my meta works with another feed. I do not think it is the cause.
Only the meta "ip.src" or "ip.dst" is considered for indexing with a feed on CIDR. I read in the forum or RSA documentation that a custom XML with the "metacallback" attribute allows selecting another meta for indexing, but I can't
For my CSV, you see commas because I opened this file with a simple text editor. But maybe that is the cause; I will try to create this CSV with Excel....
Thanks, Mohd, for your research.
I tried with Excel (classic CSV & DOS CSV) but nothing...
What CSV have you deployed? Can you show a sample?
Yes, of course. 2 examples with the same custom meta (project.name):
Not working on CIDR with reference to the "device.ip" meta (feed creation with custom CSV; I tried to use metacallback):
Working on CIDR with reference to "ip.src" or "ip.dst" (feed creation with the assistant):
If you want the desired callback keys while using CIDR notation, then you can go with creating an XML feed file for that particular feed, defining and mapping the meta in that XML, upload it into the "advanced option" in "configure custom feed" and moving forward select the ip and CIDR notation.
I can see that you have created that also. Let me check; I have deployed the same by creating the XML definition file in my practice lab.
Yes, of course I tried it; my XML is accepted on feed creation but doesn't work. For "defining and mapping the meta", it is <MetaCallback>, true? I tried this declaration but nothing:
<MetaCallback name="Device IP" valuetype="IPv4" ignorecase="true">
<LanguageKey name="project.name" valuetype="Text" />
<Field index="1" type="index" range="cidr" />
<Field index="2" type="value" key="project.name" />
Sorry, but what do you mean by "and moving forward select the ip and CIDR notation."?
<?xml version="1.0" encoding="UTF-8"?>
at the start of the XML file and also check the XML file
Sorry, but I tried it last time and nothing. Actually my CSV is:
Does it work in your practice lab?