000032470 - Unable to investigate on a meta value even when the value exists when looking at session in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000032470
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
Issue: The following symptoms are seen:
  • When investigating, the meta value is shown, but when you click on the green count no sessions are returned.
  • A large number of unique values exist in the meta key.
  • In /var/log/messages on the concentrator the following message is seen:
Jan 27 10:35:26 logconc NwConcentrator[2638]: [Index] [warning] Index key event.desc has reached max capacity of 1000 values and will ignore new values for this slice.

In this case the meta key event.desc is full and cannot hold any more values in this index slice, because the maximum number of unique values has been reached.
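To confirm the symptom from the concentrator's own log rather than from the UI, the following added example (not part of the original article, and not RSA code) scans /var/log/messages lines for the warning quoted above and reports which index keys have hit their value maximum and in how many slices. The sample log lines are constructed: the first reproduces the article's message, the others are made up for illustration.

```python
import re
from collections import defaultdict

# Pattern for the concentrator warning quoted above. The index key name and the
# configured maximum are captured so each saturated key can be reported.
INDEX_FULL_RE = re.compile(
    r"NwConcentrator\[\d+\]: \[Index\] \[warning\] "
    r"Index key (?P<key>\S+) has reached max capacity of (?P<max>\d+) values"
)

# Constructed sample log lines: the first is the message from the article, the
# rest are made up to show a second key and an unrelated line being skipped.
SAMPLE_MESSAGES = [
    "Jan 27 10:35:26 logconc NwConcentrator[2638]: [Index] [warning] Index key event.desc "
    "has reached max capacity of 1000 values and will ignore new values for this slice.",
    "Jan 27 10:41:02 logconc NwConcentrator[2638]: [Index] [info] Index save completed.",
    "Jan 27 18:35:31 logconc NwConcentrator[2638]: [Index] [warning] Index key event.desc "
    "has reached max capacity of 1000 values and will ignore new values for this slice.",
    "Jan 27 19:02:14 logconc NwConcentrator[2638]: [Index] [warning] Index key filename "
    "has reached max capacity of 250000 values and will ignore new values for this slice.",
]


def find_saturated_keys(lines):
    """Return {meta_key: (value_max, warning_count)} for every 'max capacity' warning.

    Each warning is emitted for an index slice in which the key filled up, so
    warning_count shows how often the configured limit is being reached.
    """
    hits = defaultdict(lambda: [0, 0])
    for line in lines:
        match = INDEX_FULL_RE.search(line)
        if match is None:
            continue  # not an index-capacity warning
        entry = hits[match.group("key")]
        entry[0] = int(match.group("max"))
        entry[1] += 1
    return {key: (value_max, count) for key, (value_max, count) in hits.items()}


def report(lines):
    """Print one summary line per saturated key and return the findings."""
    saturated = find_saturated_keys(lines)
    for key, (value_max, count) in sorted(saturated.items()):
        print(f"{key}: value max {value_max} reached in {count} slice(s)")
    return saturated


if __name__ == "__main__":
    report(SAMPLE_MESSAGES)
```

Running it over a real /var/log/messages (for example `find_saturated_keys(open("/var/log/messages"))`) tells you which keys to examine before deciding between raising Value Max and fixing the parser.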

The issue of meta being visible in the session but not being investigable is usually caused by the number of unique values for the meta key exceeding the "Value Max" parameter specified in the index.
The Value Max parameter in index-concentrator.xml or index-concentrator-custom.xml determines the number of unique values that the meta key can hold per index slice. By default a new index slice is created every 8 hours, or, if so configured, every 600 million sessions.
If, for example, your meta key holds 1000 values, additional unique values are not indexed, which means that you cannot click through to them when investigating.
The values can still be seen when you look at the event session view.
The solution is one of the following:
1) If the values stored in the meta key are as desired, increase the Value Max setting for this meta key in index-concentrator-custom.xml. Restart the concentrator service for the change to take effect.
2) If the values in the meta key are not desired, for example because a lot of misparsed or other unwanted information is being stored in this meta key, the best approach is to identify the source of the misparsed information and correct it. This might involve updating a parser. An example of misparsed information is shown below:
[User-added image: example of event.desc values in the Investigation view]

Here we see that the event description key holds a large number of unique values that are essentially similar. The values are of the following form:

event.desc = 'postfix/postdrop[936]: warning: mail_queue_enter: create file maildrop/170032.936: no space left on device'

The parser should be updated so that these messages are broken down into their constituent parts.
A more appropriate event description would perhaps be "no space left on device".
This would prevent the event description meta key from filling up with values that we are not interested in.
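As an added illustration (not part of the original article and not RSA parser code), the following Python shows the effect of the parser change described above: it splits a postfix-style syslog message into program, PID, detail and the trailing reason text, and compares the number of unique event.desc values before and after keeping only the reason. The sample messages are constructed; the first is the article's own example, the others vary only in PID, queue file name or message type.

```python
import re

# Matches the "program[pid]: rest" prefix written by syslog daemons. The parser
# change described above would carry only the trailing reason into event.desc.
SYSLOG_PROGRAM_RE = re.compile(r"^(?P<program>[\w./-]+)\[(?P<pid>\d+)\]: (?P<rest>.+)$")

# Constructed sample values of the kind shown in the article. Only the PID and
# the queue file name differ between the first three, yet each is a unique value.
RAW_EVENT_DESC = [
    "postfix/postdrop[936]: warning: mail_queue_enter: create file maildrop/170032.936: no space left on device",
    "postfix/postdrop[941]: warning: mail_queue_enter: create file maildrop/170033.941: no space left on device",
    "postfix/postdrop[1002]: warning: mail_queue_enter: create file maildrop/170034.1002: no space left on device",
    "postfix/smtp[1100]: connect to mx.example.test[192.0.2.10]:25: Connection refused",
    "postfix/smtp[1107]: connect to mx.example.test[192.0.2.10]:25: Connection refused",
]


def parse_syslog_message(message):
    """Split a message into its constituent parts.

    Returns a dict with program, pid, detail (everything between the program
    tag and the final reason) and reason (text after the last ': '). A message
    without a program[pid] prefix is returned whole as the reason so that nothing
    is silently dropped.
    """
    match = SYSLOG_PROGRAM_RE.match(message)
    if match is None:
        return {"program": None, "pid": None, "detail": "", "reason": message}
    rest = match.group("rest")
    # rpartition returns ('', '', rest) when there is no ': ' separator, so the
    # whole remainder then becomes the reason.
    detail, _, reason = rest.rpartition(": ")
    return {
        "program": match.group("program"),
        "pid": match.group("pid"),
        "detail": detail,
        "reason": reason,
    }


def normalised_event_desc(message):
    """The value the updated parser would write to event.desc."""
    return parse_syslog_message(message)["reason"]


def unique_value_counts(messages):
    """Return (unique raw values, unique values after normalisation)."""
    raw = set(messages)
    normalised = {normalised_event_desc(m) for m in messages}
    return len(raw), len(normalised)


if __name__ == "__main__":
    before, after = unique_value_counts(RAW_EVENT_DESC)
    print(f"unique event.desc values: raw={before}, normalised={after}")
    print(parse_syslog_message(RAW_EVENT_DESC[0]))
```

The PID, queue file name and other variable fields still exist after parsing; they are simply written to their own meta keys (or dropped) instead of inflating event.desc, so the key's unique value count stays well below Value Max.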


Notes: More information on customising the index can be found here:
For an explanation of index slices see the topic of Index Saves here:
More information on the index can be found here.