000026986 - How to add custom meta keys for log collection to an RSA Security Analytics Log Collector

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026986
Applies To: RSA Security Analytics, RSA Security Analytics Log Collector, RSA NetWitness NextGen
Issue: How to add custom meta keys for log collection to an RSA Security Analytics Log Collector.
Resolution

The enVision log collection meta keys mapping information is stored in /etc/netwitness/ng/envision/etc/table-map.xml.


Changes made directly to that file can be overwritten by an ESU update, so put them in a new file, /etc/netwitness/ng/envision/etc/table-map-custom.xml, which should override the existing table-map.xml.


A typical entry in table-map-custom.xml would look like the following:



<?xml version="1.0" encoding="utf-8"?>
<mappings>
    <mapping envisionName="envisionKeyName" nwName="SaKeyName" flags="Transient" envisionDisplayName="DisplayName"/>
</mappings>



Users then need to restart the nwlogdecoder service for changes to take effect.
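A check to run before the restart, added here as an example and not RSA tooling: it confirms that table-map-custom.xml is well-formed (an unclosed "<!--" is enough to make the whole file unparseable) and lists which entries change a shipped mapping and which are new. It assumes entries are matched on envisionName and that envisionName and nwName are the minimum attributes; the sample key names and values are constructed.

```python
import sys
import xml.etree.ElementTree as ET

BASE = "/etc/netwitness/ng/envision/etc/table-map.xml"
CUSTOM = "/etc/netwitness/ng/envision/etc/table-map-custom.xml"
REQUIRED = ("envisionName", "nwName")  # assumption: minimum attributes per entry

def load_mappings(xml_bytes):
    """Return {envisionName: attributes}; raise ValueError if the file is unusable."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:  # e.g. a "<!--" that is never closed
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "mappings":
        raise ValueError(f"root element is <{root.tag}>, expected <mappings>")
    entries = {}
    for node in root.iter("mapping"):
        missing = [a for a in REQUIRED if not node.get(a)]
        if missing:
            raise ValueError(f"mapping without {', '.join(missing)}: {node.attrib}")
        # Assumption: entries are keyed on envisionName; a later one wins.
        entries[node.get("envisionName")] = dict(node.attrib)
    return entries

def compare(base_bytes, custom_bytes):
    """List which custom entries change a shipped mapping and which are new."""
    base, custom = load_mappings(base_bytes), load_mappings(custom_bytes)
    return {
        "overrides": sorted(k for k in custom if k in base and custom[k] != base[k]),
        "new": sorted(k for k in custom if k not in base),
    }

# Constructed sample data (key names and values are placeholders, not shipped mappings).
SAMPLE_BASE = b"""<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="example_key_a" nwName="example.a" flags="Transient"/>
</mappings>"""
SAMPLE_CUSTOM = b"""<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="example_key_a" nwName="example.a" flags="None"/>
  <mapping envisionName="example_key_b" nwName="example.b" flags="Transient"/>
</mappings>"""
SAMPLE_BROKEN = SAMPLE_CUSTOM.replace(b"<mappings>", b"<!--\n<mappings>", 1)

if __name__ == "__main__":
    try:
        with open(BASE, "rb") as b, open(CUSTOM, "rb") as c:
            print(compare(b.read(), c.read()))
    except (OSError, ValueError) as exc:
        sys.exit(f"do not restart nwlogdecoder yet: {exc}")
```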


 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a66616
