|Applies To||RSA Product Set: Security Analytics, NetWitness Platform|
RSA Product/Service Type: Log Decoder, Concentrator, Broker
RSA Version/Condition: 10.6.x, 11.x
O/S Version: 6, 7
|Issue||"Meta not available on device" is displayed in RSA NetWitness investigations.|
When adding a custom log meta key to an RSA NetWitness device using the table-map.xml file, the error "Meta not available on device" is displayed in Investigation.
After editing the table-map.xml file and changing the value from "transient" to "none" and adding the key to the index-logdecoder.xml file, "Meta not available on device" is displayed for the custom value in Investigation.
At times, the standard table-map.xml and index-<service>.xml files have required updating, and those changes are introduced in the upgrade or patching process. When these new templates are introduced, new xml files are deployed, which overwrite existing xml files, thus taking the customized changes with them.
This usability issue prompted the introduction of a different method to add custom keys to the configuration. As of RSA Security Analytics 10.3, custom changes must be introduced in new custom xml files to be recognized.
To toggle data types from memory resident to disk, the value for "flags" must be toggled from "transient" to "none" in a new file called table-map-custom.xml. All index-<service>.xml changes must also be recorded in their own file, index-<service>-custom.xml. The table-map.xml and index-<service>.xml files should no longer be edited. Use only the custom xml model to make changes.
The adoption of this model introduces two distinct advantages: a) the customizations will no longer be overwritten during software upgrades, and b) customizations to xml files are easier to administer, as delta change management for customizations is no longer necessary.
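The following check is an added example, not RSA's procedure or code from this article: it cross-checks a table-map-custom.xml against an index-<service>-custom.xml and lists custom keys whose "flags" value is not "none" or that are absent from the custom index file. The element and attribute names (`mapping`, `nwName`, `flags`, `key`, `name`) and the sample keys are assumptions; confirm them against the files on your own device.

```python
import xml.etree.ElementTree as ET

# Constructed sample file contents. Element/attribute names are assumed to
# match the layout of the stock files; the custom.* keys are made up.
TABLE_MAP_CUSTOM = """<mappings>
  <mapping envisionName="custom_app" nwName="custom.app" flags="None" format="Text"/>
  <mapping envisionName="custom_zone" nwName="custom.zone" flags="Transient" format="Text"/>
  <mapping envisionName="custom_tier" nwName="custom.tier" flags="None" format="Text"/>
</mappings>"""

INDEX_CUSTOM = """<language level="IndexNone" defaultAction="Auto">
  <key description="Custom App" name="custom.app" format="Text" level="IndexValues"/>
</language>"""


def table_map_keys(table_map_xml):
    """Split mapped keys into (flags == none, any other flags value)."""
    on_disk, other = set(), set()
    for mapping in ET.fromstring(table_map_xml).iter("mapping"):
        flags = (mapping.get("flags") or "").strip().lower()
        # Only "none" is treated as written to disk; a missing or different
        # value (for example "transient") is reported for review.
        (on_disk if flags == "none" else other).add(mapping.get("nwName"))
    return on_disk, other


def indexed_keys(index_xml):
    """Return the key names declared in an index-<service>-custom.xml."""
    return {key.get("name") for key in ET.fromstring(index_xml).iter("key")}


def audit(table_map_xml, index_xml):
    """Report which custom keys satisfy both conditions and which do not."""
    on_disk, other = table_map_keys(table_map_xml)
    indexed = indexed_keys(index_xml)
    return {
        "ok": sorted(on_disk & indexed),            # flags none and indexed
        "flags_not_none": sorted(other),            # still memory resident
        "not_indexed": sorted(on_disk - indexed),   # missing from custom index
        "indexed_not_on_disk": sorted(indexed - on_disk),
    }


if __name__ == "__main__":
    for bucket, keys in audit(TABLE_MAP_CUSTOM, INDEX_CUSTOM).items():
        print(f"{bucket}: {', '.join(keys) or '-'}")
```

To run it against a device, read the two custom files from disk and pass their contents to `audit()` once per service (Log Decoder, Concentrator, Broker).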
Before beginning: All commands are executed as root from the command line of each device, as noted for the specific device. All installations must execute steps for the A) Log Decoder and B) Concentrator, and sites with an optional broker must also execute C) Broker steps. Process restarts of the log decoder, concentrator and broker are required to recognize these changes. When in production, schedule accordingly.
I. Log decoder(s):
Execute these steps on all log decoders:
This change will now write the key to disk. In order to see the value in Investigation, you must now do the following:
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.
|Notes||The information herein supersedes articles previously written for SA v10.2 and below as published in KB articles How to enable non-displayed meta key values in RSA Security Analytics 10.2 and How to display an enVision key or a custom meta key in an RSA Security Analytics Investigation.|
|Legacy Article ID||a66037|