000026912 - How to add custom meta keys in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jul 29, 2020.
Version 5

Article Content

Article Number: 000026912
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Core services
RSA Version/Condition: 10.6.x, 11.x

Issue

How to add custom meta keys in RSA NetWitness?
What is the process of adding custom language keys in RSA NetWitness?
After adding custom meta keys in my concentrators, I can see the custom meta keys show up when investigating directly using the concentrators, but why is the broker rendering errors in Investigations, such as the one below:

User-added image
Tasks

In RSA NetWitness, the default configuration of meta keys is stored in the index-<service>.xml files (for example, index-concentrator.xml) on the NetWitness appliances.

The contents of these default files should not be manually changed as a new version of these files may be deployed during version upgrades.

Beginning with RSA NetWitness 10.0, a custom XML file, index-<service>-custom.xml (for example, index-concentrator-custom.xml), can be created in the same directory as the default file.

The custom XML file will not be modified or overwritten during version upgrades.

Changes to the default settings and new custom meta keys should be added to the custom XML file.

Add the custom meta key lines or meta key modifications only to the index-concentrator-custom.xml file. There is no need to edit or add to the index-<other services>-custom.xml files.
The broker does not have its own index or database; it only gets its unified index keys from the concentrators and/or brokers below it.
To ensure that the broker gets a unified index (language keys), edit the file (using the UI) and push the modified index-concentrator-custom.xml file to all the other concentrators. Restart the concentrator services or initiate an index save on each (using concentrator>view>explore>index right-click-properties, select save in the drop-down and send) for the service to pick up the modified index language keys.
It is important for all concentrators to have a single uniform index-concentrator-custom.xml file so that they share a unified language definition, which will in turn be picked up by the broker.

At times you may also need to do an index reset on the broker to have it immediately pick up the new index language keys from its concentrators.
To initiate an index reset on the broker, go to Services>broker>view>explore>broker right-click-properties, select reset in the drop-down, enter index=1 in the Parameters and send.
Resolution

How to add custom meta keys in RSA NetWitness Platform

Changes to the default meta keys' configuration and the addition of new custom meta keys are made in the custom XML file, index-<service>-custom.xml, which will be in the /var/netwitness/ng directory.

For example,
Decoder service has index-decoder-custom.xml
Log Decoder service has index-logdecoder-custom.xml
Concentrator service has index-concentrator-custom.xml

The index-<service>-custom.xml file requires the basic XML definition statements at the top and bottom of the file to work correctly, so ensure that these lines exist when adding new keys. By default, these XML definition statements and some comments (instructions) are already written for you in the file. Do not delete them; just add your custom key lines as directed in the file.
If these lines are not present in the XML file, the service will not start and errors will be generated in the /var/log/messages file.

This example shows an XML file with no custom meta keys; it includes just the default XML file format with some comment lines.
User-added image

This example shows an XML file with a single custom meta key for "Destination E-Mail Address", with settings of "IndexValues", a format of "Text" and a valueMax of 2500000.
User-added image

To save and deploy the new setting on the NetWitness appliance, select the Apply button.

The XML file can also be deployed to other NetWitness appliances by clicking on the Push button and selecting the destination NetWitness appliance.  Only deploy the XML file to a NetWitness appliance that runs that service.

Note: Any entries in the index-<service>-custom.xml file will replace any similar entry in the default index-<service>.xml files.
So, if you want to change any default meta key in the standard index-<service>.xml file (for example, change an IndexKeys setting to IndexValues), simply copy the line for that meta key entry into the custom XML file and change the settings for that meta key there.
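
The two failure modes described above (a custom file missing its XML definition lines, and concentrators whose custom files differ) can be checked offline before a push. The following is an added example, not RSA's code: the <language>/<key> layout, the attribute names, the key name "email.dst" and the concentrator names are assumptions, and the file contents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample files. The <language>/<key> layout, the attribute names and
# the key name "email.dst" are assumptions, not copied from the article.
CONC_A = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Destination E-Mail Address" format="Text"
       level="IndexValues" name="email.dst" valueMax="2500000"/>
</language>"""
CONC_B = CONC_A.replace('level="IndexValues"', 'level="IndexKeys"')  # edited copy
CONC_C = '<language level="IndexNone" defaultAction="Auto"></language>'  # key never pushed
BROKEN = CONC_A.replace("</language>", "")  # closing definition line deleted


def load_keys(xml_text):
    """Parse one custom index file and return {key name: attributes}; raise
    ValueError if it is malformed or lacks the <language> root element."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "language":
        raise ValueError(f"unexpected root element <{root.tag}>")
    keys = {}
    for key in root.iter("key"):
        if not key.get("name"):
            raise ValueError("<key> element without a name attribute")
        keys[key.get("name")] = dict(key.attrib)
    return keys


def index_drift(files):
    """Take {concentrator: file text}; return {key name: {concentrator: attrs or None}}
    for every key that is not defined identically on all concentrators."""
    parsed = {host: load_keys(text) for host, text in files.items()}
    drift = {}
    for name in sorted(set().union(*parsed.values())):
        per_host = {host: keys.get(name) for host, keys in parsed.items()}
        definitions = list(per_host.values())
        if any(d != definitions[0] for d in definitions):
            drift[name] = per_host
    return drift


if __name__ == "__main__":
    for name, per_host in index_drift({"conc-a": CONC_A, "conc-b": CONC_B, "conc-c": CONC_C}).items():
        print(name, {h: (a["level"] if a else "missing") for h, a in per_host.items()})
```

An empty result from index_drift means every concentrator file defines the same keys with the same settings; a ValueError from load_keys flags a file that should not be pushed.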

If you have any questions about the information above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a63114