000029754 - How to configure the RSA Security Analytics Archiver to aggregate the device.type meta key

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000029754
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Archiver
RSA Version/Condition:
Platform: CentOS
O/S Version: EL6
Issue: Although device.type is listed under MetaInclude in Archiver -> Config -> General, it is not aggregated by default.
As a result, it is not visible in the Archiver's meta list in the Reporting Engine rule builder, and manually specifying device.type in the Select statement produces the following error when the Reporting Engine rule is tested:
[Screenshot of the Reporting Engine error; the image is not reproduced in this text.]
Resolution: Create an index-archiver-custom.xml file on the Archiver and define device.type in it, as shown in the example below (the closing </language> tag is required for the file to load).
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <!-- Index the values of device.type so the Archiver aggregates them -->
    <key description="Device Type" level="IndexValues" name="device.type" format="Text" valueMax="100000" />
</language>

After doing this, restart the Archiver, followed by the Reporting Engine, from the Security Analytics UI to apply the change.
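As an added pre-restart check (not part of the RSA article), the following Python script parses a candidate index-archiver-custom.xml and confirms that device.type is defined at a value-indexing level before the Archiver is restarted; the sample XML is constructed from the article's snippet, and the check logic is this editor's, not an RSA tool.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's index-archiver-custom.xml content,
# with the closing </language> tag present so the file is well-formed.
SAMPLE_INDEX_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
    <key description="Device Type" level="IndexValues" name="device.type" format="Text" valueMax="100000" />
</language>
"""

# Constructed negative case: the same content with the closing tag missing,
# which would stop the Archiver from loading the custom index file at all.
UNCLOSED_INDEX_XML = SAMPLE_INDEX_XML.replace("</language>\n", "")

# Only a value-indexed key exposes its values for aggregation; a key at any
# other level (e.g. IndexNone, as used on <language>) stays out of the rule builder.
VALUE_LEVELS = {"IndexValues"}


def check_custom_index(xml_text, required_key="device.type"):
    """Return (ok, messages): ok is True when the XML parses, has a
    <language> root, and defines required_key at a value-indexing level
    with a positive valueMax and Text format."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"XML does not parse (file would fail to load): {exc}"]
    if root.tag != "language":
        return False, [f"root element is <{root.tag}>, expected <language>"]
    keys = {k.get("name"): k for k in root.findall("key")}
    key = keys.get(required_key)
    if key is None:
        return False, [f"{required_key} is not defined; it will not be aggregated"]
    messages = []
    level = key.get("level")
    if level not in VALUE_LEVELS:
        messages.append(f"{required_key} has level={level!r}; its values are not indexed")
    value_max = key.get("valueMax", "")
    if not value_max.isdigit() or int(value_max) <= 0:
        messages.append(f"{required_key} has valueMax={value_max!r}; expected a positive integer")
    if key.get("format") != "Text":
        messages.append(f"{required_key} has format={key.get('format')!r}; the article uses Text")
    return not messages, messages


if __name__ == "__main__":
    for label, text in (("well-formed", SAMPLE_INDEX_XML), ("unclosed", UNCLOSED_INDEX_XML)):
        ok, msgs = check_custom_index(text)
        print(label, "OK" if ok else "FAIL", *msgs)
```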