Meta not available on device solution doc

a66037 | "Meta not available on device" is displayed in RSA Security Analytics investigations
Fact
RSA Security Analytics
RSA Security Analytics 10.3
RSA Security Analytics Concentrator
RSA Security Analytics Broker
RSA Security Analytics Log Decoder
Symptom
"Meta not available on device" is displayed in RSA Security Analytics investigations.
When a custom log meta key is added to a Security Analytics device by editing table-map.xml, Investigator displays the error "Meta not available on device" for that key.
After editing table-map.xml, changing the key's flags value from "Transient" to "None" and adding the key to index-logdecoder.xml, "Meta not available on device" is still displayed for the custom key in Investigator.
Cause
The standard table-map.xml and index-<service>.xml files are periodically updated, and those updates are delivered by the upgrade or patching process. When a new template is introduced, the new xml file is deployed over the existing one, overwriting it and discarding any customizations made to it.
This usability issue prompted a different method for adding custom keys to the configuration. As of SA 10.3, custom changes must be placed in separate custom xml files in order to be recognized.
To change a key from memory resident (transient) to written to disk, its "flags" value must be changed from "Transient" to "None" in a new file, table-map-custom.xml. Likewise, all index-<service>.xml changes must be recorded in a separate file, index-<service>-custom.xml. The shipped table-map.xml and index-<service>.xml files should no longer be edited; use only the custom xml files to make changes.
This model has two advantages: a) customizations are no longer overwritten during software upgrades, and b) administration is simpler, because the customizations live in their own files and no delta change management against the shipped files is needed.
Fix
Before beginning: All commands are executed as root from the command line of the device named in each step. Every installation must perform the steps for I) the Log Decoder and II) the Concentrator; sites with an optional Broker must also perform the III) Broker steps. The log decoder, concentrator and broker processes must be restarted for these changes to take effect, so in production schedule the restarts accordingly. The steps below illustrate the process using "severity" as the custom key; adjust the key name for your case.
I. Log decoder(s):
Execute these steps on all log decoders.
1. On the log decoder, data whose flags are "Transient" is memory resident and not written to disk; data whose flags are "None" is parsed and written to disk. To have the meta written to disk, the value must be "None".
2. cd /etc/netwitness/ng/envision/etc
3. Locate the key you wish to use in the shipped table-map.xml file.
(vi hint: use the vi search feature: press <esc>, type / followed by the word severity, then press return)
That finds the matching mapping, which by default has flags "Transient"; the custom copy of it needs flags "None":
<mapping envisionName="severity" nwName="severity" flags="Transient" envisionDisplayName="Severity|SeverityLevel"/>
Copy this line to a paste buffer, but do not modify the key in this file.
4. In the same directory, create table-map-custom.xml by typing
vi table-map-custom.xml
NOTE: this file is not present on the system by default.
Paste the mapping, changing the flags from "Transient" to "None". With a single key the file will look similar to the following:
<?xml version="1.0" encoding="utf-8"?>
<mappings>
<mapping envisionName="severity" nwName="severity" flags="None" envisionDisplayName="Severity|SeverityLevel"/>
</mappings>
Save this file.
(vi hint: <esc> :wq!)
5. Bounce the log decoder service:
stop nwlogdecoder
start nwlogdecoder
The key will now be written to disk. To see its values in the Investigator UI, the key must also be indexed on the concentrator (and broker, if present) as follows:
II. On the concentrator
1. cd /etc/netwitness/ng
2. Create the file index-concentrator-custom.xml:
vi index-concentrator-custom.xml
3. Give the file the following contents to index severity so it is displayed as a key (the key name is the nwName from the mapping):
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
</language>
4. Bounce the concentrator service:
stop nwconcentrator
start nwconcentrator
III. OPTIONAL: Brokers. These steps are required only for installations that use a broker to aggregate data from multiple concentrators.
1. cd /etc/netwitness/ng
2. Create the file index-broker-custom.xml:
vi index-broker-custom.xml
3. Give the file the same contents as on the concentrator, so severity is displayed as a key:
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
</language>
4. Bounce the broker service:
stop nwbroker
start nwbroker
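The following script is an added example and is not part of the RSA article or of Security Analytics itself. It generates the two custom files described in steps I to III from a key name, using only the information in the shipped table-map.xml: it copies the matching <mapping> with flags changed to "None" into table-map-custom.xml (merging with an existing custom file so a second key does not overwrite the first), builds the index-<service>-custom.xml entry using the mapping's nwName rather than its envisionName (they differ for many keys), and checks that both files parse as XML before you bounce any service. The table-map.xml fragment embedded below is constructed for the example, and the /etc/netwitness paths are taken from the steps above but are only used in a comment.

```python
"""Generate table-map-custom.xml and index-<service>-custom.xml for a key.

Added example, not code from the RSA knowledge base article. The sample
table-map.xml below is constructed; on a real device the shipped file is
/etc/netwitness/ng/envision/etc/table-map.xml and the custom index files go in
/etc/netwitness/ng (paths from the article's steps, not verified here).
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the shipped table-map.xml (two keys, one transient).
SAMPLE_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="severity" nwName="severity" flags="Transient"
           envisionDisplayName="Severity|SeverityLevel"/>
  <mapping envisionName="username" nwName="user.dst" flags="Transient"
           envisionDisplayName="UserName"/>
</mappings>
"""

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'


def find_mapping(table_map_xml, envision_name):
    """Return the <mapping> element for envision_name from table-map.xml text."""
    root = ET.fromstring(table_map_xml)
    for m in root.iter("mapping"):
        if m.get("envisionName") == envision_name:
            return m
    raise KeyError("no mapping with envisionName=%r" % envision_name)


def _serialize(root):
    if hasattr(ET, "indent"):  # Python 3.9+; purely cosmetic
        ET.indent(root, space="  ")
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


def merge_custom_mapping(existing_custom_xml, mapping):
    """Return table-map-custom.xml text with mapping copied in and flags="None".

    existing_custom_xml is the current file's text, or None if it does not
    exist yet. Keys already in the custom file are kept (or replaced if the
    same envisionName is added again), so customizing a second key never
    silently drops the first.
    """
    root = ET.fromstring(existing_custom_xml) if existing_custom_xml else ET.Element("mappings")
    new = ET.Element("mapping", dict(mapping.attrib))
    new.set("flags", "None")  # the only change the article makes to the copy
    for i, m in enumerate(list(root)):
        if m.get("envisionName") == new.get("envisionName"):
            root[i] = new
            break
    else:
        root.append(new)
    return _serialize(root)


def index_custom_xml(mapping, description, level="IndexValues", fmt="Text", value_max=10000):
    """Return index-<service>-custom.xml text for the mapping.

    The <key name=...> is the NetWitness key (nwName), which is what the
    concentrator/broker index by; using envisionName here is a common mistake.
    The same text serves index-concentrator-custom.xml and index-broker-custom.xml.
    """
    lang = ET.Element("language", {"level": "IndexNone", "defaultAction": "Auto"})
    ET.SubElement(lang, "key", {
        "description": description, "level": level,
        "name": mapping.get("nwName"), "format": fmt, "valueMax": str(value_max),
    })
    return _serialize(lang)


def well_formed(xml_text):
    """True if the text parses as XML; run this on both files before bouncing services."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Walk the article's example (severity) and a second key on the constructed sample.
    custom = None
    for key, desc in (("severity", "Severity"), ("username", "User Name")):
        m = find_mapping(SAMPLE_TABLE_MAP, key)
        custom = merge_custom_mapping(custom, m)
        idx = index_custom_xml(m, desc)
        assert well_formed(custom) and well_formed(idx)
        print("--- index-<service>-custom.xml entry for", key)
        print(idx)
    print("--- table-map-custom.xml")
    print(custom)
```

Run it as is to see the generated files; to use it on a device, read the shipped table-map.xml into find_mapping, pass the current table-map-custom.xml text (if any) to merge_custom_mapping, and write the returned strings only after well_formed reports True for both.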