Article Content
Article Number | 000012793 |
Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Hybrid, Broker, All-in-One, NextGen, Investigator Platform: CentOS |
Issue | Meta key names are being truncated with error message "key exceeds maximum size of 16" in RSA Security Analytics. The /var/log/messages file reports an error similar to the following:
|
Cause | Items longer than 16 characters in the name field for meta key items may be be truncated in RSA Security Analytics Core Devices and RSA NetWitness NextGen appliances. Items longer than 16 characters in the name field for meta key items may alternatively cause the service to fail to load. RSA NetWitness NextGen versions prior to 9.8 store this information in the /etc/netwitness/9.0 directory. The key item definitions can be found in the following files:
In RSA NetWitness NextGen version 9.8 and in all versions of RSA Security Analytics, the information is stored in the /etc/netwitness/ng directory. The key item definitions can be found in the following files:
The following is an example of a key definition: <key description="Ethernet Source" level="IndexValues" name="eth.src" valueMax="16384"/> |
Resolution | In order to resolve the issue, the name value in the key definition must be changed to be less than 16 characters in length. The following commands may be used to examine the XML files in order to list the keys and their respective name lengths on RSA Security Analytics and RSA NetWitness NextGen 9.8 appliances:
The following command may be used to examine the XML files in order to list the keys and their respective name lengths on RSA NetWitness NextGen appliances with versions prior to 9.8:
|
Notes | The output of the commands above will look similar to the example below.
|
Legacy Article ID | a58655 |