000017855 - 'Meta not available on device' is displayed in RSA NetWitness Platform investigations

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Oct 29, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000017855
Applies ToRSA Product Set: Security Analytics, NetWitness Platform
RSA Product/Service Type: Log Decoder, Concentrator, Broker
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7
Issue"Meta not available on device" is displayed in RSA NetWitness investigations.

When adding a custom log meta key to an RSA NetWitness device using the table-map.xml file, the error "Meta not available on device" is displayed in Investigation.

After editing the table-map.xml file and changing the value from "transient" to "none" and adding the key to the index-logdecoder.xml file,  "Meta not available on device" is displayed for the custom value in Investigation.
Cause

At times, the standard table-map.xml and index-<service>.xml files have required updating, and those changes are introduced in the upgrade or patching process. When these new templates are introduced, new xml files are deployed, which overwrite existing xml files, thus taking the customized changes with them.



This usability issue prompted the introduction of a different method to add custom keys to the configuration.  As of RSA Security Analytics 10.3, custom changes must be introduced in new custom xml files to be recognized.



To toggle data types from memory resident to disk, the value for "flags" must be toggled from "transient" to "none" in a new file called table-map-custom.xml.  All index-<service>.xml changes must also be recorded in their own file, index-<service>-custom.xml. The table-map.xml and index-<service>.xml files should no longer be edited. Use only the custom xml model to make changes.



The adoption of this model introduces two distinct advantages: a) the customizations will no longer be overwritten during software upgrades, and 2) easing administration to manage customizations to xml files, as delta change management for customizations is no longer necessary.

Resolution

Before beginning: All commands are executed as root from the command line of each device as noted to the specific device.  All installations must execute steps for the A) Log Decoder and B) Concentrator, and sites with an optional broker must also execute C) Broker steps.  Process restarts of the log decoder, concentrator and broker are required to recognize these changes.  When in production, schedule accordingly. 

The below steps exemplify the process using "Severity" as the custom key example.
 



I. Log decoder(s):



Execute these steps on all log decoders:



  1. On the log decoder, data that is marked as "Transient" is memory resident and not written to disk, data that is set to "None" is parsed and written to disk.  In order to write meta, you must set the value to "None".
  2. Issue the following command to enter the appropriate directory:  

    # cd /etc/netwitness/ng/envision/etc

  3. Locate the key you wish to use in the current table.map.xml file.  (vi hint: use the search feature in vi, <esc> /  then enter the word "severity" and hit return)

    After locating the matching key, which by default is set to "Transient" as shown in the example below, the flag must be set to "None".




    <mapping envisionName="severity" nwName="severity" flags="Transient" envisionDisplayName="Severity|SeverityLevel"/>


    Save this key to a paste buffer but do not modify the key in this file.


  4. In the same directory, create table-map-custom.xml by issuing the following command:  

    # vi table-map-custom.xml


    NOTE: This file is not on the system by default.



    Add the key, changing the flags from "Transient" to "None".



    The file with a single key will look similar to the following:




    <?xml version="1.0" encoding="utf-8"?>
    <mappings>
    <mapping envisionName="severity" nwName="severity" flags="None" envisionDisplayName="Severity|SeverityLevel"/>
    </mappings>


    Save the file.  (vi hint: <esc> :wq!)


  5. Restart the Log Decoder service with the commands below, or via the RSA NetWitness UI (preferred):

  • SA 10.x: 

    # stop nwlogdecoder
    # start nwlogdecoder

  • NW 11.x: 

    # systemctl stop nwlogdecoder
    # systemctl start nwlogdecoder


This change will now write the key disk.  In order to see the value in Investigation, you must now do the following:




II. Concentrator



  1. Navigate to the appropriate directory with the following command: 

    # cd /etc/netwitness/ng

  2. Create or edit the file index-concentrator-custom.xml with the following command: 

    # vi index-concentrator-custom.xml

  3. Add the information below to include the key information for the custom meta, which is "Severity" in this example:

    <?xml version="1.0" encoding="utf-8"?>
    <language level="IndexNone" defaultAction="Auto">
    <key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
    </language>


    NOTE:  Only the highlighted line should be added if the index-concentrator-custom.xml file has already been created and configured.


  4. Restart the Concentrator service with the commands below, or via the RSA NetWitness UI (preferred):

  • SA 10.x: 

    # stop nwconcentrator
    # start nwconcentrator

  • NW 11.x: 

    # systemctl stop nwconcentrator
    # systemctl start nwconcentrator



III OPTIONAL: Brokers -  these steps are required only for installations that employ a broker to aggregate data from multiple concentrators



  1. Navigate to the appropriate directory with the following command: 


    # cd /etc/netwitness/ng

  2. Create or edit the file index-broker-custom.xml with the following command:  

    # vi index-broker-custom.xml

  3. Add the information below to include the key information for the custom meta, which is "Severityin this example:

    <?xml version="1.0" encoding="utf-8"?>
    <language level="IndexNone" defaultAction="Auto">
    <key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
    </language>


    NOTE:  Only the highlighted line should be added if the index-broker-custom.xml file has already been created and configured.


  4. Restart the Broker service with the commands below, or via the RSA NetWitness UI (preferred):

  • SA 10.x: 


    # stop nwbroker
    # start nwbroker

  • NW 11.x:  

    # systemctl stop nwbroker
    # systemctl start nwbroker


If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.

NotesThe information herein superscedes articles previously written for SA v10.2 and below as published in KB articles How to enable non-displayed meta key values in RSA Security Analytics 10.2 and How to display an enVision key or a custom meta key in an RSA Security Analytics Investigation..
Legacy Article IDa66037

Attachments

    Outcomes