Checking software settings (RSA NetWitness)

This section describes the requirements that the RSA NetWitness services must meet.

Check that the following conditions are met:

Detection events sent by Feed Service contain the context from the feeds in separate fields. You can display and use these fields in RSA NetWitness. (In RSA NetWitness, the names of these fields will have the kl. prefix.)

To display the context fields:

  1. Add the contents of %service_dir%/integration/rsa/additional_elements/table-map-custom.xml to the table-map-custom.xml file of the log decoder to which Feed Service will send detection events.
  2. Add the contents of %service_dir%/integration/rsa/additional_elements/index-concentrator-custom.xml to the index-concentrator-custom.xml file of the Concentrator that will store the events from Feed Service.

You can specify all the settings described above by using the RSA NetWitness web user interface in the Services (Log Decoder and Concentrator) > Config view.

Restart the log decoder and Concentrator after you have edited the table-map-custom.xml and index-concentrator-custom.xml files.
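To confirm before the restart that every entry from the additional_elements files reached the deployed files, a check such as the following can be run. This is an added example, not part of the product or of this documentation. It assumes that entries are `<mapping nwName="...">` elements in table-map-custom.xml and `<key name="...">` elements in index-concentrator-custom.xml; the kl.sample_* names and all sample XML are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed identifying attribute per element type: <mapping nwName="..."> in
# table-map-custom.xml and <key name="..."> in index-concentrator-custom.xml.
ID_ATTRS = {"mapping": "nwName", "key": "name"}

def entry_ids(xml_text):
    """Return the set of (tag, identifier) pairs defined in xml_text."""
    # Drop the XML declaration and wrap the text so that a bare fragment
    # (several top-level elements) parses the same way as a full document.
    body = re.sub(r"<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    found = set()
    for elem in root.iter():
        attr = ID_ATTRS.get(elem.tag)
        if attr and elem.get(attr):
            found.add((elem.tag, elem.get(attr)))
    return found

def missing_entries(additional_xml, deployed_xml):
    """Entries in the additional_elements file that the deployed file lacks."""
    return sorted(entry_ids(additional_xml) - entry_ids(deployed_xml))

# Constructed sample data; the kl.sample_* field names are placeholders.
ADDITIONAL_TABLE_MAP = """
<mapping envisionName="kl_sample_a" nwName="kl.sample_a" flags="None" format="Text"/>
<mapping envisionName="kl_sample_b" nwName="kl.sample_b" flags="None" format="Text"/>
"""
DEPLOYED_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="kl_sample_a" nwName="kl.sample_a" flags="None" format="Text"/>
</mappings>
"""
ADDITIONAL_INDEX = """
<key description="Sample A" format="Text" level="IndexValues" name="kl.sample_a"/>
"""
DEPLOYED_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Sample A" format="Text" level="IndexValues" name="kl.sample_a"/>
</language>
"""

if __name__ == "__main__":
    pairs = [(ADDITIONAL_TABLE_MAP, DEPLOYED_TABLE_MAP), (ADDITIONAL_INDEX, DEPLOYED_INDEX)]
    for additional, deployed in pairs:
        for tag, name in missing_entries(additional, deployed):
            print(f"missing <{tag}> entry for {name}")
```

With real files, read each file's text and pass it to `missing_entries` in place of the constructed strings; an empty result for both pairs means the merge is complete.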
