000038088 - RSA NetWitness Live Feeds are not showing meta values for required meta keys in the Investigate page

Document created by RSA Customer Support Employee on Nov 14, 2019
Version 1

Article Content

Article Number: 000038088
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.2.0.0
Platform: CentOS
O/S Version: 7
 
Issue: When a Live Feed is deployed to a Log Decoder, the required meta keys shown in the feed details do not generate meta values.

Example:
The feed below generates meta values for the highlighted meta keys.
[Image: feed]
 
Tasks: This is due to multiple reasons.
  1. Feeds may not be deployed to the Log Decoder.
  2. Meta keys are not defined in the table-map.xml and index-concentrator.xml files.
  3. FeedParser meta keys are not enabled.
Resolution: Follow the instructions below to generate meta values.
  1. Verify that the feeds are deployed to the Log Decoder by running the commands below in a PuTTY session on the Log Decoder.

    cd /etc/netwitness/ng/feeds/
    [root@BLRCSLogDecoder feeds]# ls -l
    total 260
    -rw-------. 1 root root    407 Oct 27 17:36 esmfeed.feed
    -rw-r--r--. 1 root root    133 Oct 27 17:36 esmfeed.feed-attr.xml
    -rw-r--r--. 1 root root   3936 Mar  8  2019 feed-definitions.xsd
    -rw-------. 1 root root    160 Oct 24 00:43 feed.tokens
    -rw-------. 1 root root 171088 Sep 24 22:40 investigation.feed
    -rw-r--r--. 1 root root    430 Sep 24 22:40 investigation.feed-attr.xml
    -rw-------. 1 root root    336 Sep 24 22:40 nwconst_c2_ips.feed
    -rw-r--r--. 1 root root    431 Sep 24 22:40 nwconst_c2_ips.feed-attr.xml
    -rw-------. 1 root root  59312 Oct 24 00:43 nwspamhaus_drop_list_ip.feed
    -rw-r--r--. 1 root root    440 Oct 24 00:43 nwspamhaus_drop_list_ip.feed-attr.xml

  2. Verify that the Log Decoder table-map.xml and the Concentrator index-concentrator.xml have definitions for the required meta keys. If they have to be defined, refer to the article "'Meta not available on device' is displayed in RSA Security Analytics investigations".
  3. Navigate to LogDecoder->Config->General->Parsers Configuration.
    Expand + for FeedParser and make sure the required meta keys are Enabled, as shown below.
    [Image: parsfeed]
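
One way to run the check from step 2 for a whole list of keys, as an added example that is not part of the original RSA article. It assumes table-map.xml entries have the form `<mapping ... nwName="KEY" flags="..."/>`, index-concentrator.xml entries have the form `<key ... name="KEY" .../>`, and that `flags="Transient"` means the key is not persisted; the sample files and the key list are constructed.

```shell
#!/bin/sh
# Added example (not RSA code). Assumed formats, stated as assumptions:
#   table-map.xml:          <mapping ... nwName="KEY" flags="None|Transient" .../>
#   index-concentrator.xml: <key ... name="KEY" .../>

# check_meta_key KEY TABLE_MAP INDEX -> prints ok | missing-table-map | transient | missing-index
check_meta_key() {
    # Escape dots so a key such as threat.source is matched literally.
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    line=$(grep -E "<mapping[^>]*nwName=\"$pat\"" "$2" | head -n 1)
    if [ -z "$line" ]; then
        echo "missing-table-map"
    elif printf '%s\n' "$line" | grep -q 'flags="Transient"'; then
        echo "transient"      # mapped but not persisted, so not shown in Investigate
    elif ! grep -Eq "<key[^>]*[[:space:]]name=\"$pat\"" "$3"; then
        echo "missing-index"
    else
        echo "ok"
    fi
}

# Constructed sample files standing in for the real ones (contents are illustrative).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
TABLE_MAP="$SAMPLE_DIR/table-map.xml"
INDEX="$SAMPLE_DIR/index-concentrator.xml"
cat > "$TABLE_MAP" <<'EOF'
<mappings>
  <mapping envisionName="threat_source" nwName="threat.source" flags="None" format="Text"/>
  <mapping envisionName="threat_category" nwName="threat.category" flags="None" format="Text"/>
  <mapping envisionName="threat_desc" nwName="threat.desc" flags="Transient" format="Text"/>
</mappings>
EOF
cat > "$INDEX" <<'EOF'
<language level="IndexNone">
  <key description="Threat Source" level="IndexValues" name="threat.source" format="Text" valueMax="10000"/>
</language>
EOF

# Keys a feed is expected to populate (constructed list; take yours from the feed details).
for key in threat.source threat.category threat.desc feed.name; do
    printf '%-16s %s\n' "$key" "$(check_meta_key "$key" "$TABLE_MAP" "$INDEX")"
done
```

To use it on an appliance, call `check_meta_key` with the paths of the Log Decoder table-map.xml and the Concentrator index-concentrator.xml instead of the sample files.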


     
