000032359 - Changing ESA Variable Type in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032359
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.x
Issue: If a session contains more than one value for a particular meta key, ESA reads only the first value when that meta key's type is String.
Tasks: Change the meta type from String to String Array so that ESA reads all values of that meta key in a single session.
Resolution: The following steps assume you want to change the type of the ‘ip_addr’ meta, which is String by default, to String Array.
SSH to the ESA appliance.
Navigate to /opt/rsa/esa/conf and edit the files below.
 
1. eplModuleManager.json
 
Change the value of ‘ip_addr’ string to ‘ip_addr’ string[]
 
2. nextgenAggregationSource.json
Locate the line below:
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username"}}
Add the ‘ip_addr’ meta after the username meta so that the line looks like this:
 
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username,ip_addr"}}
 
Finally, restart the ESA service (service rsa-esa restart).
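
The step 2 edit can be scripted so that it is repeatable and leaves a copy of the original file. The following is an added example, not RSA code: the function name add_array_field and the .bak copy written beside the file are assumptions, and it expects the ArrayFieldNames entry to sit on a single line as quoted above. It does not touch eplModuleManager.json.

```bash
#!/bin/bash
# Added example (not RSA code). Assumes the ArrayFieldNames entry sits on one
# line, in the shape quoted in the article.

add_array_field() {
    local file="$1" meta="$2" line current sep=,
    # Accept only plain meta key names so the value is safe inside sed.
    case $meta in
        ''|*[!A-Za-z0-9_.]*) echo "invalid meta key: $meta" >&2; return 2 ;;
    esac
    line=$(grep -m1 '"key"[[:space:]]*:[[:space:]]*"ArrayFieldNames"' "$file") || {
        echo "ArrayFieldNames entry not found in $file" >&2
        return 1
    }
    # Pull out the current comma-separated list of array-typed meta keys.
    current=$(printf '%s\n' "$line" |
        sed 's/.*"string"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
    # Idempotence: a second run must not add the key twice.
    case ",$current," in
        *",$meta,"*) echo "$meta already in ArrayFieldNames"; return 0 ;;
    esac
    [ -z "$current" ] && sep=
    # Keep a copy of the original, then rewrite only the matching line.
    cp -p "$file" "$file.bak" || return 1
    sed '/"key"[[:space:]]*:[[:space:]]*"ArrayFieldNames"/ s/\("string"[[:space:]]*:[[:space:]]*"[^"]*\)"/\1'"$sep$meta"'"/' \
        "$file.bak" > "$file"
    # Post-check: fail loudly if the substitution did not apply.
    grep -qF "$sep$meta\"" "$file" || { echo "edit did not apply" >&2; return 1; }
}

# Constructed sample: the line quoted in the article, written to a temp file.
demo() {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' '{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username"}}' > "$f"
    add_array_field "$f" ip_addr && cat "$f"
    rm -f "$f" "$f.bak"
}

# With two arguments, edit the named file; with none, run the demo.
if [ "$#" -eq 2 ]; then add_array_field "$1" "$2"; else demo; fi
```

Run with the file path and the meta key as arguments; the service restart from the final step is still required afterwards.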
