000026976 - How to enable non-displayed meta key values in RSA Security Analytics 10.2

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000026976
Applies To: RSA Security Analytics, RSA Security Analytics 10.2, Security Analytics Log Decoder
Issue: How to enable non-displayed meta key values in RSA Security Analytics 10.2.
How do I enable non-displayed meta key values?
When a user looks at the collected log data in the Investigation module, they do not see some of the fields displayed even though there is data in the log messages for those meta keys. How do I change this?
Resolution
The Log Decoder uses a file called table-map.xml to associate the fields listed in each parser XML file with their corresponding meta keys. Each parser field/meta key mapping in table-map.xml includes a flags parameter that determines what happens to the field information once it is parsed. If the flags value is set to "Transient", any data parsed from the incoming event is stored in memory only; if it is set to "None", the parsed data is written to disk.

Note: Only data written to disk can be pulled by the Concentrator and made available.

Assuming that your messages do contain the information and that the parser is extracting it into an XML field, the most likely reason the meta values are not seen in the Investigation module is that the flags parameter for that meta key is set to Transient in table-map.xml.

For Security Analytics 10.2.x users, to change how the Log Decoder handles parsed data:

1. SSH into the Log Decoder as root.

2. Move to the correct folder:

     cd /etc/netwitness/ng/envision/etc

3. Open the table-map.xml file for editing:

     vi table-map.xml

4. Look for the variable that you want to change.

5. Look at the flags parameter:

     - If the value is set to "Transient", the parsed data is stored in memory and never written to disk.

     - If the value is set to "None", the parsed data is written to disk.

    Make sure the flags parameter is set to "None".

6. Save the changes to the file and exit the editor.

7. Stop the Log Decoder service:

   stop nwlogdecoder

8. Start the Log Decoder service:

   start nwlogdecoder

The meta values should now be parsed and written to disk on the Log Decoder.
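As an added example (not RSA's own tooling or part of the original article), the following Python script audits a table-map.xml for mappings still flagged Transient and produces a corrected copy with the requested keys set to None, so the edit in step 5 can be checked before the Log Decoder is restarted. It assumes, since the article does not show the file format, that each mapping is a `<mapping>` element whose `nwName` attribute is the meta key and whose `flags` attribute holds "Transient" or "None"; the sample XML is constructed for the example.

```python
"""Audit and fix the flags attribute in a Log Decoder table-map.xml.

Added example, not RSA's own tooling. Assumes (not shown in the article)
that each parser-field/meta-key mapping is a <mapping> element whose
nwName attribute is the meta key and whose flags attribute is either
"Transient" (memory only) or "None" (written to disk).
"""
import xml.etree.ElementTree as ET

# Constructed sample of a table-map.xml fragment (not a real product file).
SAMPLE_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="event_time" nwName="event.time" flags="None" format="TimeT"/>
  <mapping envisionName="username" nwName="username" flags="Transient" format="Text"/>
  <mapping envisionName="domain" nwName="domain" flags="Transient" format="Text"/>
  <mapping envisionName="ip_src" nwName="ip.src" flags="None" format="IPv4"/>
</mappings>
"""


def transient_keys(xml_text):
    """Return the meta keys whose mapping is flagged Transient (never written to disk)."""
    root = ET.fromstring(xml_text)
    return sorted(
        m.get("nwName")
        for m in root.iter("mapping")
        if m.get("flags", "").lower() == "transient"
    )


def set_flags_none(xml_text, keys):
    """Set flags="None" on every mapping whose nwName is in `keys`.

    Returns (new_xml, changed, missing): the rewritten XML, the keys that
    were actually changed, and the requested keys that have no mapping at
    all (those need a parser change, not a flags change)."""
    root = ET.fromstring(xml_text)
    wanted = set(keys)
    changed = []
    for m in root.iter("mapping"):
        name = m.get("nwName")
        if name in wanted and m.get("flags", "").lower() != "none":
            m.set("flags", "None")
            changed.append(name)
    present = {m.get("nwName") for m in root.iter("mapping")}
    missing = sorted(wanted - present)
    return ET.tostring(root, encoding="unicode"), sorted(changed), missing


if __name__ == "__main__":
    print("Transient keys:", transient_keys(SAMPLE_TABLE_MAP))
    new_xml, changed, missing = set_flags_none(SAMPLE_TABLE_MAP, ["username", "nonexistent"])
    print("Changed:", changed, "Missing:", missing)
    print("Still transient:", transient_keys(new_xml))
```

To apply this to a real appliance, read /etc/netwitness/ng/envision/etc/table-map.xml into `set_flags_none`, write the result to a copy, diff it against the original, and only then replace the file and restart nwlogdecoder as in steps 7 and 8.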

Although the parsed values are now being written to the Log Decoder and are available for retrieval, the Concentrator still does not know that it should retrieve the new fields and display them in the Investigation module. To change this behavior, you must edit a file called index-concentrator-custom.xml.

Note: index-concentrator.xml also exists, but should not be edited. Any changes should be made in index-concentrator-custom.xml.

To configure the additional meta values that the Concentrator should pull:

1. SSH into the Concentrator as root.

2. Move to the correct folder:

   cd /etc/netwitness/ng

3. Open the index-concentrator-custom.xml file for editing:

   vi index-concentrator-custom.xml

4. Add the new meta key entry that you want to show up in Investigation view.

   Note: There are no exact steps here. Your best approach is to copy an existing entry from index-concentrator.xml that closely matches yours.

5. Save the changes to the file and exit the editor.

6. Stop the Concentrator service:

   stop nwconcentrator

7. Start the Concentrator service:

   start nwconcentrator

The new meta values should now be pulled from the Log Decoder and displayed in Investigation view under the Meta Key entry you added to index-concentrator-custom.xml.

Larger sites may include a broker that aggregates meta values from several concentrators. Similar to the changes made on the Concentrator, the Broker provides a file called index-broker-custom.xml to support new meta values retrieval.

To configure the additional meta values that the Broker should pull:

1. SSH into the Broker as root.

2. Move to the correct folder:

   cd /etc/netwitness/ng

3. Open the index-broker-custom.xml file for editing:

   vi index-broker-custom.xml

4. Copy the same line you added to index-concentrator-custom.xml on the concentrator to this file.

5. Save the changes to the file and exit the editor.

6. Stop the Broker service:

   stop nwbroker

7. Start the Broker service:

   start nwbroker

The meta values should now be pulled from the Concentrator and displayed in Investigation view under the Meta Key entry you added to index-broker-custom.xml.
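Because the Concentrator and Broker procedures above depend on the Log Decoder change having been made first, and on the same key being added on both the Concentrator and the Broker, an added consistency check is useful. The following Python script (an added example, not RSA's own tooling) cross-checks the three files and reports keys that are indexed on the Concentrator but still Transient in table-map.xml, keys the Decoder does not map at all, and keys that were added to index-concentrator-custom.xml but not copied to index-broker-custom.xml. It assumes, since the article does not show the file formats, that table-map.xml uses `<mapping nwName=... flags=...>` elements and that the index-*-custom.xml files declare each meta key as a `<key name=...>` element; all three XML samples are constructed.

```python
"""Cross-check the meta keys a Concentrator and Broker are told to index
against what the Log Decoder actually writes to disk.

Added example, not RSA's own tooling. Assumes (not shown in the article)
that table-map.xml uses <mapping nwName=... flags=...> elements and that
the index-*-custom.xml files declare each meta key as <key name=...>.
"""
import xml.etree.ElementTree as ET

# Constructed samples (not real product files).
TABLE_MAP = """<mappings>
  <mapping nwName="username" flags="None" format="Text"/>
  <mapping nwName="domain" flags="Transient" format="Text"/>
  <mapping nwName="ip.src" flags="None" format="IPv4"/>
</mappings>"""

INDEX_CONCENTRATOR_CUSTOM = """<language level="IndexNone">
  <key description="User Name" format="Text" level="IndexValues" name="username" valueMax="100000"/>
  <key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="100000"/>
</language>"""

INDEX_BROKER_CUSTOM = """<language level="IndexNone">
  <key description="User Name" format="Text" level="IndexValues" name="username" valueMax="100000"/>
</language>"""


def disk_flags(table_map_xml):
    """Map each meta key in table-map.xml to its flags value."""
    root = ET.fromstring(table_map_xml)
    return {m.get("nwName"): m.get("flags", "") for m in root.iter("mapping")}


def indexed_keys(index_xml):
    """Set of meta keys declared in an index-*-custom.xml file."""
    root = ET.fromstring(index_xml)
    return {k.get("name") for k in root.iter("key")}


def check_pipeline(table_map_xml, concentrator_xml, broker_xml):
    """Return the keys that will not show up in Investigation and why.

    not_written_to_disk: indexed on the Concentrator, but the Decoder keeps
        the value in memory only (flags is not "None"), so nothing arrives.
    unknown_to_decoder: indexed on the Concentrator, but no parser mapping
        exists at all, so a parser change is needed rather than a flag edit.
    missing_on_broker: added on the Concentrator but not copied to the
        Broker, so a Broker-fronted Investigation view will not show it."""
    flags = disk_flags(table_map_xml)
    conc = indexed_keys(concentrator_xml)
    brok = indexed_keys(broker_xml)
    return {
        "not_written_to_disk": sorted(
            k for k in conc if k in flags and flags[k].lower() != "none"
        ),
        "unknown_to_decoder": sorted(k for k in conc if k not in flags),
        "missing_on_broker": sorted(conc - brok),
    }


if __name__ == "__main__":
    for problem, keys in check_pipeline(
        TABLE_MAP, INDEX_CONCENTRATOR_CUSTOM, INDEX_BROKER_CUSTOM
    ).items():
        print(f"{problem}: {keys}")
```

On a live deployment, feed it the contents of /etc/netwitness/ng/envision/etc/table-map.xml from the Log Decoder and the two custom index files from /etc/netwitness/ng on the Concentrator and Broker; an empty result for all three lists means the key should appear in Investigation once the services have been restarted.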
Notes: This article pertains to RSA Security Analytics 10.2 and below. For RSA Security Analytics 10.3 and higher, refer to the knowledgebase article "Meta not available on device" is displayed in RSA Security Analytics investigations.
Legacy Article ID: a64890
