
NetWitness Archiver - Event Type column shown as unknown in Investigate

Issue

When selecting the Archiver as the source while investigating events in Log View, the Event Type column shows "unknown" and the Logs column shows "Not a log service".


Cause

The "medium" meta is missing from the MetaInclude list on the Archiver.


Resolution

To resolve the issue, follow the steps below:
  1. On Archiver -> Config -> General -> Aggregate Services, stop aggregation for both log decoders. 
  2. Bring service offline for all log decoders. 
  3. Go to explore mode of the Archiver. 
  4. Navigate to Archiver -> Devices -> IP Address of the Log Decoder -> Config. 
  5. On the right-hand side, under options, check whether "medium" is included in the "metainclude" parameter. If it is not, add it.
  6. Repeat steps 4 and 5 for all remaining log decoders (if any).
  7. Navigate to Administration -> Services -> Log Decoder -> System. Stop capture and, once stopped, restart the service by clicking Shutdown Service. Repeat the same steps for all remaining log decoders.
  8. Navigate to Administration -> Services -> Archiver -> System. Stop aggregation (which should be stopped by now), then restart the service by clicking Shutdown Service.
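Step 5 is a manual check of one field per log decoder. As an added example (not part of the original article or of the NetWitness product), the following Python audits the "metainclude" values collected from several log decoders and reports the corrected value for any that lack "medium". It assumes the value is a comma-separated list of meta key names and that a lone "*" means all meta is included; both the format and the sample values below are assumptions constructed for illustration.

```python
"""Audit NetWitness Archiver 'metainclude' values for the 'medium' meta key.

Assumptions (not stated in the article):
  - the metainclude value is a comma-separated list of meta key names;
  - a lone '*' means "include all meta", so 'medium' is implicitly present.
The sample values at the bottom are constructed for illustration.
"""

REQUIRED_META = "medium"


def parse_metainclude(value: str) -> list[str]:
    """Split a metainclude value into trimmed, de-duplicated meta keys,
    preserving the original order so the corrected value stays readable."""
    seen: set[str] = set()
    keys: list[str] = []
    for item in value.split(","):
        key = item.strip()
        if key and key not in seen:
            seen.add(key)
            keys.append(key)
    return keys


def has_medium(value: str) -> bool:
    """True if 'medium' is listed, or the wildcard '*' covers all meta."""
    keys = parse_metainclude(value)
    return "*" in keys or REQUIRED_META in keys


def ensure_medium(value: str) -> str:
    """Return the value with 'medium' appended if it is missing.
    Values that already include it come back normalised but unchanged."""
    keys = parse_metainclude(value)
    if "*" not in keys and REQUIRED_META not in keys:
        keys.append(REQUIRED_META)
    return ",".join(keys)


def audit(decoders: dict[str, str]) -> dict[str, str]:
    """Map {log_decoder_ip: metainclude_value} to {ip: corrected_value}
    for only those decoders whose value still needs fixing."""
    return {
        ip: ensure_medium(value)
        for ip, value in decoders.items()
        if not has_medium(value)
    }


if __name__ == "__main__":
    # Constructed sample: two log decoders, the first one missing 'medium'.
    sample = {
        "10.0.0.11": "time,device.type,event.type,msg.id",
        "10.0.0.12": "time,medium,device.type,event.type",
    }
    for ip, fixed in audit(sample).items():
        print(f"{ip}: metainclude lacks '{REQUIRED_META}' -> set it to: {fixed}")
```

Running the script prints only the decoders that need the change, so after step 6 the output should be empty; an empty result before restarting services (steps 7 and 8) confirms every log decoder entry on the Archiver now carries "medium".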

Notes

Make sure that the same set of logs is parsed correctly and can be investigated successfully on the Concentrator, to rule out a parsing issue.


Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma
