
NetWitness Feeds are not showing meta values for required meta keys in the Investigate page

Issue

When a Feed is deployed to a Log Decoder, the required meta keys listed in the Feed details do not generate meta values.

Example:
The feed below generates meta values for the highlighted meta keys.

The Live Metakey summary above shows which generated meta is indexed by default, and which generated meta may need additional indexing to be displayed.


Tasks

This can be due to multiple reasons:
  1. Feeds may not be deployed to the Log Decoder.
  2. Meta keys are not defined in table-map.xml and index-concentrator.xml files.
  3. FeedParser meta keys are not enabled.

Resolution

Please follow the below instructions to generate meta values.

  1. Verify that the feeds are deployed to the Log Decoder | Decoder using the following commands from the CLI:
    cd /etc/netwitness/ng/feeds/
    [root@BLRCSLogDecoder feeds]# ls -l
    total 260
    -rw-------. 1 root root    407 Oct 27 17:36 esmfeed.feed
    -rw-r--r--. 1 root root    133 Oct 27 17:36 esmfeed.feed-attr.xml
    -rw-r--r--. 1 root root   3936 Mar  8  2019 feed-definitions.xsd
    -rw-------. 1 root root    160 Oct 24 00:43 feed.tokens
    -rw-------. 1 root root 171088 Sep 24 22:40 investigation.feed
    -rw-r--r--. 1 root root    430 Sep 24 22:40 investigation.feed-attr.xml
    -rw-------. 1 root root    336 Sep 24 22:40 nwconst_c2_ips.feed
    -rw-r--r--. 1 root root    431 Sep 24 22:40 nwconst_c2_ips.feed-attr.xml
    -rw-------. 1 root root  59312 Oct 24 00:43 nwspamhaus_drop_list_ip.feed
    -rw-r--r--. 1 root root    440 Oct 24 00:43 nwspamhaus_drop_list_ip.feed-attr.xml
  2. Verify that the Log Decoder's table-map.xml and the Concentrator's index-concentrator.xml have definitions for the required meta keys. If there are meta keys that are being generated but are not indexed by default, follow the documentation at:
    1. table-map.xml information: https://community.netwitness.com/s/article/677978
    2. index levels and customization: https://community.netwitness.com/s/article/IndexCustomization
  3. Go to Log Decoder | Decoder -> Config -> General -> Parsers Configuration.
    Ensure the "FeedParser" Config Value is set to "Enabled"
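
The check in step 2 can be scripted. The following is an added example, not NetWitness code: it reports, for each required meta key, whether table-map.xml and index-concentrator.xml define it. It assumes the usual `<mapping nwName=… flags=…>` and `<key name=… level=…>` layout of those files; the sample XML and the meta key names are constructed for illustration, so confirm the layout against your own files.

```python
import xml.etree.ElementTree as ET

# Constructed sample snippets; on an appliance, read the real files instead.
TABLE_MAP = """<mappings>
  <mapping envisionName="threat_category" nwName="threat.category" flags="None" format="Text"/>
  <mapping envisionName="threat_desc" nwName="threat.desc" flags="Transient" format="Text"/>
</mappings>"""

INDEX_CONCENTRATOR = """<language>
  <key name="threat.category" description="Threat Category" format="Text" level="IndexValues" valueMax="10000"/>
</language>"""


def table_map_flags(xml_text):
    """Map each nwName in table-map.xml to its flags attribute."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): m.get("flags", "None") for m in root.iter("mapping")}


def index_levels(xml_text):
    """Map each key name in index-concentrator.xml to its index level."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("level", "") for k in root.iter("key")}


def check_keys(required, table_map_xml, index_xml):
    """Return {meta key: [problems]}; an empty list means both files define it."""
    flags = table_map_flags(table_map_xml)
    levels = index_levels(index_xml)
    report = {}
    for key in required:
        problems = []
        if key not in flags:
            problems.append("no mapping in table-map.xml")
        elif flags[key].lower() == "transient":
            problems.append("table-map.xml flags=Transient (meta not persisted)")
        if key not in levels:
            problems.append("no key in index-concentrator.xml")
        elif levels[key].lower() == "indexnone":
            problems.append("index level IndexNone")
        report[key] = problems
    return report


if __name__ == "__main__":
    wanted = ["threat.category", "threat.desc", "threat.source"]  # constructed list
    for key, problems in check_keys(wanted, TABLE_MAP, INDEX_CONCENTRATOR).items():
        print(key, "OK" if not problems else "; ".join(problems))
```
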

Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: Log Decoder, Packet Decoder, Concentrator
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS, AlmaLinux
 


Summary

This document outlines the procedure to ensure metakeys generated from Feeds are indexed properly.

