000032150 - How to increase the Archiver MetaInclude Max Capacity in RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000032150
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Archiver
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
 
Issue
When adding additional metakeys on the Archiver appliance from the MetaInclude column under the Config view, 'General' tab, the error below is shown:
[User-added image: error message]
This is because the default MetaInclude max capacity on the Archiver is 1024 characters.

Resolution
To increase the length of the field, do the following:



1) SSH to the Archiver.

2) Stop the nwarchiver service:
    stop nwarchiver

3) Back up the configuration file:
    cp /etc/netwitness/ng/NwArchiver.cfg /etc/netwitness/ng/NwArchiver.cfg.backup

4) Edit /etc/netwitness/ng/NwArchiver.cfg and find the following line:
 
<config getRoles="archiver.manage" instance="device.config" maxLength="1024" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host,device.class,device.ip,device.type,ec.activity,ec.outcome,ec.subject,ec.theme,email,email.src,event.cat.name,event.desc,event.source,event.time,event.type,event.user,filename,group,ip.addr,ip.dst,ip.src,lc.cid,logon.type,msg.id,obj.name,obj.type,policy.name,process,result.code,user.dst,user.src,username,virusname,medium,time,sessionid,size,payload"/>



Note here that the maxLength value is 1024.



Change the maxLength value to 2048 (or another multiple of 2 as appropriate).



The line would then appear as follows:
 

<config getRoles="archiver.manage" instance="device.config" maxLength="2048" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host,device.class,device.ip,device.type,ec.activity,ec.outcome,ec.subject,ec.theme,email,email.src,event.cat.name,event.desc,event.source,event.time,event.type,event.user,filename,group,ip.addr,ip.dst,ip.src,lc.cid,logon.type,msg.id,obj.name,obj.type,policy.name,process,result.code,user.dst,user.src,username,virusname,medium,time,sessionid,size,payload"/>


5) Add the additional keys to the end of the metaInclude list on this line as appropriate, or add them
    from the SA UI: under Administration, open the Archiver appliance, locate the MetaInclude column
    under the Config view, 'General' tab, and select the additional metakeys to include in the Archiver.

6) Start the nwarchiver service.
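Steps 3 and 4 can be scripted so that only the options line changes and the new limit is checked against the current value first. This is an added example, not RSA's own tooling; the function names, the sample file and its "other" entry are constructed, and it assumes maxLength limits the whole value attribute. Run it between stopping and starting nwarchiver.

```shell
#!/bin/sh
# Added example (not RSA's code). Assumption: maxLength limits the whole
# value="..." attribute of the name="options" line, "metaInclude=" included.
OPT_RE='instance="device.config".*name="options"'

options_line() {        # print the options <config .../> line of file $1
    grep -m1 "$OPT_RE" "$1"
}

options_maxlength() {   # current maxLength on that line
    options_line "$1" | sed -n 's/.* maxLength="\([0-9]*\)".*/\1/p'
}

options_value_len() {   # character count of its value="..." attribute
    _v=$(options_line "$1" | sed -n 's/.* value="\([^"]*\)".*/\1/p')
    echo "${#_v}"
}

# raise_options_maxlength FILE NEW_MAX
# 0 = changed, 1 = options line not found, 2 = value longer than NEW_MAX,
# 3 = backup failed. Only the options line is rewritten.
raise_options_maxlength() {
    options_line "$1" >/dev/null || return 1
    [ "$(options_value_len "$1")" -le "$2" ] || return 2
    cp -p "$1" "$1.backup" || return 3
    sed "/$OPT_RE/ s/maxLength=\"[0-9]*\"/maxLength=\"$2\"/" "$1.backup" > "$1"
}

# Constructed sample: a shortened options line plus a hypothetical second
# entry that must stay untouched.
write_sample_cfg() {
    cat > "$1" <<'EOF'
<config instance="device.config" maxLength="256" name="other" value="x"/>
<config getRoles="archiver.manage" instance="device.config" maxLength="1024" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host"/>
EOF
}

demo() {
    _d=$(mktemp -d) && write_sample_cfg "$_d/NwArchiver.cfg" &&
    raise_options_maxlength "$_d/NwArchiver.cfg" 2048 &&
    echo "maxLength=$(options_maxlength "$_d/NwArchiver.cfg")" \
         "value_len=$(options_value_len "$_d/NwArchiver.cfg")"
    rm -rf "$_d"
}
demo
```

On the appliance the call would be raise_options_maxlength /etc/netwitness/ng/NwArchiver.cfg 2048, which also writes the NwArchiver.cfg.backup copy from step 3.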
