How to view custom feed contents that are deployed to an RSA Security Analytics Log Decoder

Issue

There is no way to see the contents of a deployed custom feed using the Security Analytics UI.

Resolution

The contents of a custom feed can be viewed using the shell console on the Log Decoder appliance, following the steps below.

Connect to the Log Decoder using SSH as the root user.
Go to the directory where the feeds are stored.
cd /etc/netwitness/ng/feeds/
Use the NwConsole utility to dump the custom feed contents.
Note: Each time output file name should be different when running NwConsole command.
NwConsole -c feed dump <feed_file_name> <output_file_name>
Use the cat command to display the contents of the feed.

To view meta keys involved in custom feeds, follow the below steps.

Go to feeds directory using cd /etc/netwitness/ng/feeds
Run NwConsole -c feed stats to view meta key details for this feed.

Example:

 [root@Dec feeds]# NwConsole -c feed stats FINUsersFeedSrc.feed
 
RSA NetWitness NextGen Console 11.1.0.3
 
Copyright 2001-2018, RSA Security Inc. All Rights Reserved.
 
>feed stats MyUsersFeedSrc.feed
 
FINUsersFeedSrc stats:
 
 version : 0
 
 keys count : 1
 
 values count: 1
 
 record count: 205
 
 meta key : user.src
 
 language keys:
 
 user_group_src Text

More details on this command see NwConsole Useful Commands

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Security Analytics UI
RSA Version/Condition: 11.X

Summary

When Custom feed deployed in Log Decoder, there is no way to check entries in Custom feeds using the Security Analytics UI. However, Custom feed entries can be viewed using the shell console. Along with this, Steps to view the meta keys involved documented in this article.

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue