Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000012793 - Meta key names are being truncated with error message 'key exceeds maximum size of 16' in RSA Security Analytics

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000012793
Applies To	RSA Security Analytics RSA Security Analytics Decoder RSA Security Analytics Log Decoder RSA Security Analytics Concentrator RSA Security Analytics Hybrid RSA Security Analytics Broker RSA Security Analytics All-in-One RSA NetWitness NextGen RSA NetWitness Investigator
Issue	Meta key names are being truncated with error message "key exceeds maximum size of 16" in RSA Security Analytics. The /var/log/messages file reports an error similar to the following: (W) 2010-Jul-17 18:57:48 [Index] The language key 'watchlist_file_fi' exceeds the maximum size of 16. The name was truncated to 'watchlist_file_f'.
Cause	Items longer than 16 characters in the name field for meta key items may be be truncated in RSA Security Analytics Core Devices and RSA NetWitness NextGen appliances. Items longer than 16 characters in the name field for meta key items may alternatively cause the service to fail to load. RSA NetWitness NextGen versions prior to 9.8 store this information in the /etc/netwitness/9.0 directory. The key item definitions can be found in the following files: index-decoder.xml index-concentrator.xml index-broker.xml index-investigator.xml (found in C:\ProgramData\NetWitness in Windows 7) In RSA NetWitness NextGen version 9.8 and in all versions of RSA Security Analytics, the information is stored in the /etc/netwitness/ng directory. The key item definitions can be found in the following files: index-decoder.xml index-decoder-custom.xml index-concentrator.xml index-concentrator-custom.xml index-broker.xml index-broker-custom.xml The following is an example of a key definition: <key description="Ethernet Source" level="IndexValues" name="eth.src" valueMax="16384" />
Resolution	In order to resolve the issue, the name value in the key definition must be changed to be less than 16 characters in length. The following commands may be used to examine the XML files in order to list the keys and their respective name lengths on RSA Security Analytics and RSA NetWitness NextGen 9.8 appliances: *grep -Po 'name=".?(?=")' /etc/netwitness/ng/index-<service>-custom.xml \| awk '{ print substr($0,7) " = " length(substr($0,7)) }' grep -Po 'name=".?(?=")' /etc/netwitness/ng/index-<service>.xml \| awk '{ print substr($0,7) " = " length(substr($0,7)) }'* The following command may be used to examine the XML files in order to list the keys and their respective name lengths on RSA NetWitness NextGen appliances with versions prior to 9.8: *grep -Po 'name=".?(?=")' /etc/netwitness/9.0/index-concentrator.xml \| awk '{ print substr($0,7) " = " length(substr($0,7)) }'** If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Notes	The output of the commands above will look similar to the example below. [root@NWAPPLIANCE1234 ng]# grep -Po 'name=".*?(?=")' /etc/netwitness/ng/index-concentrator.xml \| awk '{ print substr($0,7) " = " length(substr($0,7)) }' time = 4 service = 7 tcp.srcport = 11 tcp.dstport = 11 udp.srcport = 11 udp.dstport = 11
Legacy Article ID	a58655

Attachments

Outcomes

0 Comments

Recommended Content