000017855 - 'Meta not available on device' is displayed in RSA Security Analytics investigations

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017855
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder, Concentrator, Broker
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
Issue"Meta not available on device" is displayed in RSA Security Analytics investigations.
When adding a custom log meta key to a Security Analytics device using the table-map.xml, the error "Meta not available on device" is displayed in Investigator
After editing table-map.xml and changing the value from "transient" to "none" and adding the key to index-logdecoder.xml,  "Meta not available on device" is displayed for the custom value in Investigator.
Cause

At times, the standard table-map.xml and index-<service>.xml files have required updating, and those changes are introduced in the upgrade or patching process. When these new templates are introduced, new xml files are deployed, which overwrite existing xml files, thus taking the customized changes with them.


This usability issue prompted the introduction of a different method to add custom keys to the configuration.  As of SA 10.3, custom changes must be introduced in new custom xml files to be recognized.


To toggle data types from memory resident to disk, the value for "flags" must be toggled from "transient" to "none" in a new file called table-map-custom.xml.  All index-<service>.xml changes must also be recorded in their own file, index-<service>-custom.xml. The table-map.xml and index-<service>.xml files should no longer be edited. Use only the custom xml model to make changes.


The adoption of this model introduces two distinct advantages: a) the customizations will no longer be overwritten during software upgrades, and 2) easing administration to manage customizations to xml files, as delta change management for customizations is no longer necessary.

Resolution

Before beginning: All commands are executed as root from the command line of each device as noted to the specific device.  All installations must execute steps for the A) Log Decoder and B)  Concentrator, and sites with an optional broker must also execute C) Broker steps.  Process restarts of the log decoder, concentrator and broker are required to recognize these changes.  When in production, schedule accordingly. 
The below steps exemplify the process using "Severity" as the custom key example.
 


I. Log decoder(s):


Execute these steps on all log decoders:


1. On the log decoder, data that is marked as "Transient" is memory resident and not written to disk, data that is set to "None" is parsed and written to disk.  In order to write meta, you must set the value to "None"


2. Issue the following command to enter the appropriate directory:  cd /etc/netwitness/ng/envision/etc


3. Locate the key you wish to use in the current table.map.xml file.  (vi hint: use the search feature in vi, <esc> /  then enter the word severity and hit return)


After locating the matching key, which by default is set to "Transient" as shown in the example below, the flag must be set to "None".


<mapping envisionName="severity" nwName="severity" flags="Transient" envisionDisplayName="Severity|SeverityLevel"/>



Save this key to a paste buffer but do not modify the key in this file.



4. In the same directory, create table-map-custom.xml by issuing the following command:  vi table-map-custom.xml


NOTE: This file is not on the system by default.


Add the key, changing the flags from "Transient" to "None".


The file with a single key will look similar to the following:


<?xml version="1.0" encoding="utf-8"?>
<mappings>
<mapping envisionName="severity" nwName="severity" flags="None" envisionDisplayName="Severity|SeverityLevel"/>
</mappings>



Save the file.  (vi hint: <esc> :wq!)



5. Restart the Log Decoder service with the commands below, or via the Security Analytics UI (preferred):


stop nwlogdecoder
start nwlogdecoder



This change will now write the key disk.  In order to see the value in the Investigator UI, you must now do the following:



II. Concentrator


1. Navigate to the appropriate directory with the following command:  cd /etc/netwitness/ng


2. Create or edit the file index-concentrator-custom.xml with the following command:  vi index-concentrator-custom.xml


3. Add the information below to include the key information for the custom meta, which is Severity in this example:


<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
</language>


NOTE:  Only the line in red should be added if the index-concentrator-custom.xml file has already been created and configured.


4. Restart the Concentrator service with the commands below, or via the Security Analytics UI (preferred):


stop nwconcentrator
start nwconcentrator



III OPTIONAL: Brokers -  these steps are required only for installations that employ a broker to aggregate data from multiple concentrators



1. Navigate to the appropriate directory with the following command:  cd /etc/netwitness/ng


2. Create or edit the file index-broker-custom.xml with the following command:  vi index-broker-custom.xml


3. Add the information below to include the key information for the custom meta, which is Severity in this example:


<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
</language>


NOTE:  Only the line in red should be added if the index-broker-custom.xml file has already been created and configured.


4. Restart the Broker service with the commands below, or via the Security Analytics UI (preferred):


stop nwbroker
start nwbroker


 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

NotesThe information herein superscedes articles previously written for SA v10.2 and below as published in KB articles How to enable non-displayed meta key values in RSA Security Analytics 10.2 and How to display an enVision key or a custom meta key in an RSA Security Analytics Investigation..
Legacy Article IDa66037

Attachments

    Outcomes