Checking software settings (RSA NetWitness)

This section describes the requirements that the RSA NetWitness services must meet.

Check that the following conditions are met:

• The index file (index-concentrator-custom.xml) of the Concentrator which receives Feed Service events must contain the following metafields:
  • virusname

    This and other metafields (except for msg) must have the IndexValues level. Also, set the defaultAction value of these metafields to Open.

  • user.src
  • ip.src
  • action
  • msg

    This metafield must have the IndexKeys (the presence of the metafield in an event is indexed) or IndexNone (the metafield is not indexed) level in the index-concentrator-custom.xml file. If you set the IndexValues level for this metafield, the hard drive space will be consumed rapidly.

  • event.source
  • device.ip
  • ip.dst
  • url
  • checksum

  If any of these fields are absent from the index file, add them there and restart the Concentrator, as described in the section about RSA NetWitness troubleshooting.

  If you do not have a Concentrator but you use a Log Decoder for storing data from Feed Service, change the index-logdecoder-custom.xml file and restart the Log Decoder as described above.

  Update only the index file of a Concentrator (index-concentrator-custom.xml) if the Concentrator receives data from a Log Decoder. For more information, refer to https://community.rsa.com/docs/DOC-41760. Also, update the index file of a Log Decoder (index-logdecoder-custom.xml) if you use the Log Decoder as the source of data in which you search for events or if you use the Log Decoder to create reports or dashboards.

• The table-map-custom.xml configuration file (the configuration file of a Log Decoder) must contain the following metafields:
  • virusname
  • c_username
  • saddr
  • daddr
  • url
  • checksum
  • msg
  • event_source
  • hostip
  • action

  The value of the flags attribute must be None for each of these metafields.

  If any of these fields are absent from the index files, refer to the section about RSA NetWitness troubleshooting.

Detection events sent by Feed Service contain the context from the feeds in separate fields. You can display and use these fields in RSA NetWitness. (In RSA NetWitness, the names of these fields will have the kl. prefix.)

To display the context fields:

1. Add the contents of %service_dir%/integration/rsa/additional_elements/table-map-custom.xml to the table-map-custom.xml file of the log decoder to which Feed Service will send detection events.
2. Add the contents %service_dir%/integration/rsa/additional_elements/index-concentrator-custom.xml to the index-concentrator-custom.xml file of the Concentrator that will store the events from Feed Service.

You can specify all the settings described above by using the RSA NetWitness web user interface in the Services (Log Decoder and Concentrator) > Config view.

Restart the log decoder and Concentrator after you have edited the table-map-custom.xml and index-concentrator-custom.xml files.

Page top