000026356 - How to display an enVision key or a custom meta key in RSA Security Analytics Investigator 10.2 and below

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Number: 000026356
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.2 and below
Platform: CentOS
O/S Version: EL5, EL6
Issue: Several enVision keys are displayed in SA Investigation by default, but many are not. This article helps SA administrators expose non-default enVision keys (and custom meta keys) to Investigator in SA.
Resolution

To display an enVision key or a custom meta key in an RSA Security Analytics investigation, follow the steps below.

1. On the log decoder, map the key with flags="None".
10.3.2 or later: add the key to /etc/netwitness/ng/envision/etc/table-map-custom.xml with flags set to "None". For an existing enVision key, copy its <mapping> line from /etc/netwitness/ng/envision/etc/table-map.xml; for a new custom key, write a new <mapping> line.
10.3.1 or prior: edit /etc/netwitness/ng/envision/etc/table-map.xml directly. For an existing enVision key, change its flags from "Transient" to "None"; for a new custom key, add a <mapping> line with flags set to "None".
e.g.
<mapping envisionName="user_lname" nwName="lastname" flags="None"/>
<mapping envisionName="custom_key" nwName="custom.key" flags="None"/>
Note: Make sure that /etc/netwitness/ng/envision/table-map.xml (in the envision directory itself, not envision/etc) is not present, as it overrides both /etc/netwitness/ng/envision/etc/table-map.xml and /etc/netwitness/ng/envision/etc/table-map-custom.xml.
2. Restart the log decoder service for the changes to take effect.
3. On the concentrator that aggregates from the above log decoder, open /etc/netwitness/ng/index-concentrator.xml and check whether the nwName keys from Step 1 (e.g. lastname or custom.key) already exist with the index level "IndexKeys" or "IndexValues". If they do, the remaining steps can be skipped.
If the keys do not exist, or their index level is "IndexNone", continue with Step 4.
4. On the same concentrator, open /etc/netwitness/ng/index-concentrator-custom.xml and add the nwName keys with the index level set to "IndexValues" or "IndexKeys" (see the knowledgebase article entitled Difference between IndexValues and IndexKeys in RSA Security Analytics and RSA NetWitness NextGen for more information on IndexValues and IndexKeys).
e.g.
<key description="User's Last Name" level="IndexValues" name="lastname" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="Custom Key" level="IndexValues" name="custom.key" format="Text" valueMax="100000" defaultAction="Open"/>
5. Restart the concentrator service for the changes to take effect.
Once the above steps are complete, Investigation displays the meta key and its values for data collected after the change.
NOTE: If the environment has a broker that aggregates from multiple concentrators, ensure that any changes made to index-concentrator-custom.xml are also applied to the other concentrators.
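The following script is an added example, not part of the RSA article or the product. It applies the two conditions the steps above establish to the four files they edit: on the log decoder the key must be mapped with flags="None" in table-map.xml or table-map-custom.xml, and on the concentrator its nwName must be indexed at IndexKeys or IndexValues in index-concentrator.xml or index-concentrator-custom.xml. For each enVision key it reports whether the key will be visible and, if not, which step fixes it. The sample XML is constructed for the example and trimmed; the root element names and the assumption that a *-custom.xml entry overrides the same key in its base file are assumptions, not taken from the article. When run on a host where the real paths exist, it reads those instead of the samples and also warns about the stray /etc/netwitness/ng/envision/table-map.xml the note in Step 1 mentions.

```python
"""Check whether enVision keys will be visible in SA Investigation.

Added example, not part of the RSA article.  It checks the article's two
conditions: flags="None" on the Log Decoder mapping and IndexKeys/IndexValues
for the nwName on the Concentrator.
"""
import os
import sys
import xml.etree.ElementTree as ET

INDEXED_LEVELS = ("IndexKeys", "IndexValues")

# Paths from the article.  Each *-custom.xml is read after its base file so
# its entries take precedence (assumption, mirroring the 10.3.2+ override).
DECODER_FILES = ("/etc/netwitness/ng/envision/etc/table-map.xml",
                 "/etc/netwitness/ng/envision/etc/table-map-custom.xml")
CONCENTRATOR_FILES = ("/etc/netwitness/ng/index-concentrator.xml",
                      "/etc/netwitness/ng/index-concentrator-custom.xml")
STRAY_TABLE_MAP = "/etc/netwitness/ng/envision/table-map.xml"  # overrides both decoder files

# Constructed samples (trimmed; root element names are assumptions, the
# parsers only look at <mapping> and <key> elements).
TABLE_MAP = """<mappings>
  <mapping envisionName="user_lname" nwName="lastname" flags="Transient"/>
  <mapping envisionName="user_fname" nwName="firstname" flags="Transient"/>
  <mapping envisionName="username" nwName="username" flags="None"/>
  <mapping envisionName="domain" nwName="domain" flags="None"/>
</mappings>"""
TABLE_MAP_CUSTOM = """<mappings>
  <mapping envisionName="user_lname" nwName="lastname" flags="None"/>
  <mapping envisionName="custom_key" nwName="custom.key" flags="None"/>
</mappings>"""
INDEX_CONCENTRATOR = """<language>
  <key description="Username" level="IndexValues" name="username" format="Text" valueMax="100000"/>
  <key description="User's Last Name" level="IndexNone" name="lastname" format="Text"/>
  <key description="Domain" level="IndexNone" name="domain" format="Text"/>
</language>"""
INDEX_CONCENTRATOR_CUSTOM = """<language>
  <key description="User's Last Name" level="IndexValues" name="lastname" format="Text" valueMax="100000" defaultAction="Open"/>
  <key description="Custom Key" level="IndexValues" name="custom.key" format="Text" valueMax="100000" defaultAction="Open"/>
</language>"""


def parse_mappings(*xml_texts):
    """envisionName -> (nwName, flags); later files override earlier ones."""
    mappings = {}
    for text in xml_texts:
        for m in ET.fromstring(text).iter("mapping"):
            mappings[m.get("envisionName")] = (m.get("nwName"), m.get("flags", ""))
    return mappings


def parse_index(*xml_texts):
    """nwName -> index level; later files override earlier ones."""
    levels = {}
    for text in xml_texts:
        for k in ET.fromstring(text).iter("key"):
            levels[k.get("name")] = k.get("level", "IndexNone")
    return levels


def check_key(envision_name, mappings, levels):
    """Return (visible, reason) for one enVision key, naming the step that fixes it."""
    if envision_name not in mappings:
        return False, "no <mapping> for %s in table-map*.xml (step 1)" % envision_name
    nw_name, flags = mappings[envision_name]
    if flags != "None":
        return False, '%s -> %s has flags="%s"; step 1 needs flags="None"' % (envision_name, nw_name, flags)
    level = levels.get(nw_name, "missing")
    if level not in INDEXED_LEVELS:
        return False, "%s -> %s is %s on the concentrator; step 4 needs IndexKeys or IndexValues" % (envision_name, nw_name, level)
    return True, "%s -> %s flags=None level=%s" % (envision_name, nw_name, level)


def check_keys(envision_names, decoder_xml, concentrator_xml):
    """Evaluate every requested key against the given decoder and concentrator XML texts."""
    mappings = parse_mappings(*decoder_xml)
    levels = parse_index(*concentrator_xml)
    return {name: check_key(name, mappings, levels) for name in envision_names}


def read_existing(paths):
    """Read whichever of the given files exist, in order (table-map-custom.xml may be absent on 10.3.1 and prior)."""
    return [open(p).read() for p in paths if os.path.exists(p)]


def main(argv):
    """Usage: check_envision_key.py [KEY ...]; reads the real files if present, else the samples."""
    keys = argv[1:] or ["user_lname", "custom_key", "username", "user_fname", "domain"]
    decoder = read_existing(DECODER_FILES)
    concentrator = read_existing(CONCENTRATOR_FILES)
    if decoder and concentrator:
        if os.path.exists(STRAY_TABLE_MAP):
            print("WARNING: %s exists and overrides the files in envision/etc" % STRAY_TABLE_MAP)
    else:
        decoder = [TABLE_MAP, TABLE_MAP_CUSTOM]
        concentrator = [INDEX_CONCENTRATOR, INDEX_CONCENTRATOR_CUSTOM]
    results = check_keys(keys, decoder, concentrator)
    for name in keys:
        visible, reason = results[name]
        print("%-8s %s" % ("OK" if visible else "MISSING", reason))
    return 0 if all(v for v, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the enVision key names you expect to see in Investigator. A non-zero exit code means at least one key fails a condition, and the reason line tells you whether to revisit Step 1 (decoder mapping) or Step 4 (concentrator index). Run it against each concentrator in turn when a broker aggregates from several, since the index files are per concentrator.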

Notes: This article is relevant to RSA Security Analytics 10.2 and below. For RSA Security Analytics 10.3 and above, refer to the article entitled 'Meta not available on device' is displayed in RSA Security Analytics investigations.
Legacy Article ID: a64628
