Removing Kaspersky CyberTrace objects (RSA NetWitness)
April 11, 2024
ID 175521
This section describes how to remove objects related to Kaspersky CyberTrace from RSA NetWitness after Kaspersky CyberTrace is uninstalled. Note that after you have removed these objects, events from Kaspersky CyberTrace persist in RSA NetWitness.
To remove objects related to Kaspersky CyberTrace from RSA NetWitness:
- Remove the /etc/netwitness/ng/envision/etc/devices/cybertrace directory from the computer on which Log Decoder runs.
- From the Log Decoder settings, remove the cybertrace forwarding rule similarly to the way that it was added.
- If you will not forward events in future, disable the event forwarding by setting the /decoder/config/logs.forwarding.enabled parameter to false.
- Remove the Kaspersky CyberTrace dashboard similarly to the way that a dashboard can be created.
- Remove the Kaspersky CyberTrace charts similarly to the way that you enabled them.
- Remove the CyberTrace Report report similarly to the way that a report can be created.
- Remove the Kaspersky CyberTrace Service rules similarly to the way that they were imported.
- If you added fields to the index-concentrator-custom.xml or table-map-custom.xml files, remove them from there.
- Restart Concentrator if you have changed index-concentrator-custom.xml.
- Restart Log Decoder.