How to designate a custom language key for source and destination IP information within a single custom feed in NetWitness
Issue
There is no way in the NetWitness User Interface to create a feed that places values into a source and destination language key.
Resolution
Steps for creating a feed with a source and destination representation
The full steps for creating a custom feed can be found in "Creating a Custom Feed".
Below are the steps for editing the XML file.
In the UI, the first screen displayed when you create a custom feed is the Define Feed screen. After you give the feed a name and upload the .csv file, select the drop-down menu labeled Advanced Options. The .csv file contains the IP addresses and the locations. An option to insert an XML feed file is displayed; upload the file there. Below is an example of an XML file used to denote the source and destination IP addresses.
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="CustomFeed"
                path="Locations.csv"
                separator=","
                comment="#">
    <LanguageKeys>
      <LanguageKey name="Location" valuetype="Text" srcname="Location.src" destname="Location.dst" />
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index"/>
      <Field index="2" type="value" key="Location"/>
    </Fields>
  </FlatFileFeed>
</FDF>
The name I gave the feed in the UI is the same as the name in this XML file: CustomFeed. The path in the XML file is the name of the .csv file that was used in the UI. In this example, the meta keys Location.dst and Location.src will have to be created.
Notes
When using CIDR notation, it must be defined in the XML file under the Field tag, for example:
<Field range="cidr" type="index" index="1"/>
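As an added example (not part of the original article or of NetWitness itself), the Python script below checks the contents of Locations.csv against the feed definition before upload and reports rows whose index column does not parse as what the index Field declares, which is how a CIDR entry shows up when range="cidr" is missing. The CSV rows are constructed, check_feed is a hypothetical helper name, and the script assumes Field index values are 1-based column numbers.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Feed definition from the article, condensed onto fewer lines.
FEED_XML = """<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="CustomFeed" path="Locations.csv" separator="," comment="#">
<LanguageKeys><LanguageKey name="Location" valuetype="Text" srcname="Location.src" destname="Location.dst" /></LanguageKeys>
<Fields>
<Field index="1" type="index"/>
<Field index="2" type="value" key="Location"/>
</Fields>
</FlatFileFeed>
</FDF>"""
# The same definition with the CIDR form of the index Field from the Notes.
FEED_XML_CIDR = FEED_XML.replace('<Field index="1" type="index"/>', '<Field range="cidr" type="index" index="1"/>')

# Constructed sample contents for Locations.csv (not from the article).
SAMPLE_CSV = """# network or address,location
10.10.0.0/16,HQ
192.168.5.20,Branch
192.168.5.300,Typo
10.20.0.0/16
"""

def check_feed(feed_xml, csv_text):
    """Return a list of problems found when checking csv_text against feed_xml."""
    feed = ET.fromstring(feed_xml.encode("utf-8")).find("FlatFileFeed")
    sep, comment = feed.get("separator"), feed.get("comment")
    index = next(f for f in feed.iter("Field") if f.get("type") == "index")
    col = int(index.get("index")) - 1  # assumption: Field index is 1-based
    cidr = index.get("range") == "cidr"
    # strict=False tolerates host bits; only malformed values are rejected.
    parse = (lambda s: ipaddress.ip_network(s, strict=False)) if cidr else ipaddress.ip_address
    width = max(int(f.get("index")) for f in feed.iter("Field"))
    problems = []
    for n, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip() or line.startswith(comment):
            continue  # blank line or comment line
        cells = [c.strip() for c in line.split(sep)]
        if len(cells) < width:
            problems.append(f"line {n}: expected {width} columns, got {len(cells)}")
            continue
        try:
            parse(cells[col])
        except ValueError:
            problems.append(f"line {n}: {cells[col]!r} is not a valid {'CIDR range' if cidr else 'single IP'}")
    return problems

if __name__ == "__main__":
    print(check_feed(FEED_XML, SAMPLE_CSV), check_feed(FEED_XML_CIDR, SAMPLE_CSV), sep="\n")
```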
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Packet Decoder
RSA Version/Condition: 12.X
Platform: CentOS
O/S Version: 7.x
This will not work on a Log Decoder