000026912 - How to add custom meta keys in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 27, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000026912
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Core services
RSA Version/Condition: 10.6.x, 11.x
IssueHow to add custom meta keys in RSA NetWitness?
What is the process of adding custom language keys in RSA NetWitness?
TasksIn RSA NetWitness, the default configuration of meta keys is stored in the index-<service>.xml files (for example, index-concentrator.xml) on the NetWitness appliances.

The contents of these default files shouldn't be manually changed as a new version of these files may be deployed during version upgrades.

Beginning from RSA NetWitness 10.0 a custom XML file, index-<service>-custom.xml (for example, index-concentrator-custom.xml) can be created in the same directory as the default file.

The custom XML file will not be modified or overwritten during a version upgrade.

Customization changes of the default settings, or adding new custom meta keys should be added to the custom XML file.
ResolutionHow to add custom meta keys in RSA NetWitness Platform

Changes to default meta keys' configuration and the addition of new custom meta keys is made to the custom XML file, index-<service>-custom.xml which will be in the /var/netwitness/ng directory.

For example,
Decoder service has index-decoder-custom.xml
Log Decoder service has index-logdecoder-custom.xml
Concentrator service has index-concentrator-custom.xml

The index-<service>-custom.xml file requires the basic xml definition statements at the top and bottom of the file to work correctly, so ensure these lines exist when adding new keys.

If these lines are not present in the XML file, the service will not start and errors will be generated in the /var/log/messages file.

This example shows an XML file with no custom meta keys and includes just the default xml file format with some comment lines.
User-added image

This example shows an XML file with a single custom meta key for "Destination E-Mail Address", settings are set to "IndexValues" with a format of "Text" and a valueMax of 2500000.
User-added image

To save and deploy the new setting on the NetWitness appliance, select the Apply button.

The XML file can also be deployed to other NetWitness appliances by clicking on the Push button and selecting the destination NetWitness appliance.  Only deploy the XML file to a NetWitness appliance that runs that service.

Note: Any entries in the index-<service>-custom.xml file will replace any similar entry in the default index-<service>.xml files.
So, if want to change any default meta key in the standard index-<service>.xml file (for example change a IndexKeys setting to IndexValues) simply copy the line for that meta key entry into the custom XML file and change the settings for that meta key there.

If you have any questions about the information above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article IDa63114