000017493 - Enable Parsed Meta Keys That Do Not Currently Show In Investigation

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000017493
Applies To: Log Decoder, Concentrator, Broker, Security Analytics 10.2.x, Security Analytics 10.3.x, Meta, Transient
Issue: Enable Parsed Log Decoder Meta Keys That Do Not Currently Show In Investigation
When reviewing log messages, I see that there is a lot of information in the messages that I would expect to show up parsed as Meta values in the Investigation module, but does not. Is there a way to modify Security Analytics to parse this information?
Resolution
To reduce overhead and improve performance, Security Analytics sets some common meta values to a state where they are processed (to support alerts, for example) but not written to disk. As a result, when the Concentrator attempts to pull those values from the Log Decoder, there is no information to retrieve, because nothing was ever written to disk there.

To display meta keys that are parsed but do not currently show in Investigation view, you need to edit the correct files on each node in your Security Analytics infrastructure.

Note: There are two slightly different procedures for the Log Decoder, depending on the Security Analytics version. Follow only the one that matches your Log Decoder version.

Log Decoder (10.2.x):

  1. SSH into the Log Decoder as root.

  2. Move to the correct directory:

     cd /etc/netwitness/ng/envision/etc

  3. Open the table-map.xml file for editing:

     vi table-map.xml

  4. Look for the variable that you want to change.

  5. Look at the flags parameter:

     - If the value is set to "Transient", the parsed data is stored in memory and never written to disk.

     - If the value is set to "None", we write the parsed data to disk.

     Make sure the flags parameter is set to "None".

     Save the file and exit vi.

  6. Stop the Log Decoder service:

     stop nwlogdecoder

  7. Start the Log Decoder service:

     start nwlogdecoder

The meta values should now be parsed and written to disk on the Log Decoder.

Log Decoder (10.3.x):

  1. SSH into the Log Decoder as root.

  2. Move to the correct directory:

     cd /etc/netwitness/ng/envision/etc

  3. Create a new file called table-map-custom.xml in this directory.

  4. Open the table-map.xml file for editing:

     vi table-map.xml

  5. Look for the variable that you want to change.

  6. Copy the entire line that contains your variable. You are going to add this same line to the new table-map-custom.xml file you created in step 3.

  7. Open table-map-custom.xml and paste in the line you just copied.

  8. Look at the flags parameter:

     - If the value is set to "Transient", the parsed data is stored in memory and never written to disk.

     - If the value is set to "None", we write the parsed data to disk.

     Make sure the flags parameter is set to "None".

     Save the file and exit vi.

  9. Stop the Log Decoder service:

     stop nwlogdecoder

 10. Start the Log Decoder service:

     start nwlogdecoder

The meta values should now be parsed and written to disk on the Log Decoder.
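As an added example (not from the RSA article and not part of the product), the following Python helper automates steps 4 to 8 above: it lists every mapping in table-map.xml whose flags are "Transient" and builds the override entries for table-map-custom.xml with flags set to "None". Only the flags attribute and its two values come from the article; the element and attribute names (mappings, mapping, envisionName, nwName, format) and the sample file content are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a table-map.xml file (element and
# attribute names other than flags="Transient"/"None" are assumptions).
SAMPLE_TABLE_MAP = """<mappings>
  <mapping envisionName="ip_address" nwName="alias.ip" flags="None" format="IPv4"/>
  <mapping envisionName="process" nwName="process" flags="Transient" format="Text"/>
  <mapping envisionName="username" nwName="username" flags="Transient" format="Text"/>
</mappings>
"""


def transient_keys(table_map_xml):
    """Return the nwName of every mapping that is parsed but never written to disk."""
    root = ET.fromstring(table_map_xml)
    return [m.get("nwName") for m in root.iter("mapping")
            if m.get("flags", "").lower() == "transient"]


def flags_for(table_map_xml, key):
    """Return the flags value of the mapping for `key`, or None if it is absent."""
    root = ET.fromstring(table_map_xml)
    for m in root.iter("mapping"):
        if m.get("nwName") == key:
            return m.get("flags")
    return None


def build_custom_overrides(table_map_xml, wanted):
    """Copy the mappings for the `wanted` keys into a new document with flags="None".

    The result is the content to paste into table-map-custom.xml. A key that
    does not exist in table-map.xml raises KeyError rather than being silently
    skipped, so a typo in a key name is caught before the service restart.
    """
    root = ET.fromstring(table_map_xml)
    custom = ET.Element("mappings")
    missing = set(wanted)
    for m in root.iter("mapping"):
        name = m.get("nwName")
        if name in missing:
            copy = ET.SubElement(custom, "mapping", dict(m.attrib))
            copy.set("flags", "None")   # write the parsed value to disk
            missing.discard(name)
    if missing:
        raise KeyError("not found in table-map.xml: " + ", ".join(sorted(missing)))
    return ET.tostring(custom, encoding="unicode")


if __name__ == "__main__":
    print("Transient keys:", transient_keys(SAMPLE_TABLE_MAP))
    print(build_custom_overrides(SAMPLE_TABLE_MAP, ["process", "username"]))
```

On a real Log Decoder, replace SAMPLE_TABLE_MAP with the content of /etc/netwitness/ng/envision/etc/table-map.xml and append the printed mappings to table-map-custom.xml before restarting nwlogdecoder.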

Concentrator:

  1. SSH into the Concentrator as root.

  2. Move to the correct directory:

     cd /etc/netwitness/ng

  3. Open the index-concentrator-custom.xml file for editing:

     vi index-concentrator-custom.xml

  4. Add the new meta key entry that you want to show up in Investigation view.

     Note: There are no exact steps here. Your best approach is to copy an existing entry that closely matches yours from index-concentrator.xml.

  5. Stop the Concentrator service:

     stop nwconcentrator

  6. Start the Concentrator service:

     start nwconcentrator

The meta values should now be pulled from the Log Decoder and displayed in Investigation view under the Meta Key entry you added to index-concentrator-custom.xml.

Broker (if applicable):

  1. SSH into the Broker as root.

  2. Move to the correct directory:

     cd /etc/netwitness/ng

  3. Open the index-broker-custom.xml file for editing:

     vi index-broker-custom.xml

  4. Copy the same line you added to index-concentrator-custom.xml on the concentrator to this file.

  5. Stop the Broker service:

     stop nwbroker

  6. Start the Broker service:

     start nwbroker

The meta values should now be pulled from the Concentrator and displayed in Investigation view under the Meta Key entry you added to index-broker-custom.xml.
Legacy Article ID: a67970
