000031266 - RSA Security Analytics - CIDR type search is not working for "orig_ip" Meta values

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031266
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.5.0.1
Platform: CentOS
O/S Version: 6
Issue: Queries on the orig_ip meta key do not work when the value is written in CIDR notation. For example, orig_ip=192.168.1.0/24 does not match the sessions in that range.
Cause: The orig_ip meta key is not indexed as IPv4 by default. It is indexed as Text, so the concentrator treats the value as a string and cannot evaluate it as a network range.
Resolution: By default the orig_ip meta key is indexed with format="Text". To make CIDR queries work, change its format to IPv4 in the concentrator's index file, index-concentrator.xml. To do that:
1- SSH to the concentrator as root.
2- Check the current format of the orig_ip key in index-concentrator.xml:
grep -i 'name="orig_ip"' /etc/netwitness/ng/index-concentrator.xml
3- The default entry should look like this:
<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="Text"/>
4- Back up the file, then open it in an editor and change the format attribute of the orig_ip key so that the entry reads:
<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="IPv4"/>
5- Restart the nwconcentrator service so that the new index configuration is loaded:
restart nwconcentrator
6- Verify the change by running the grep from step 2 again and then issuing a CIDR query such as orig_ip=192.168.1.0/24 against the concentrator.
Note: after the restart the concentrator rebuilds its index for the changed key, so on an appliance holding a large amount of data plan the change for a maintenance window.
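The procedure above, scripted as an added example (the editor's code, not part of the RSA article). It backs up index-concentrator.xml, reads the current format of the orig_ip key, rewrites it to IPv4 and verifies the result before you restart the service. It assumes one <key .../> element per line, as in the stock file, and a sed that supports -i.bak (GNU or BSD); the sample XML it creates is constructed for illustration, and the real file is /etc/netwitness/ng/index-concentrator.xml on the concentrator.

```shell
#!/bin/bash
# Editor-added example, not code from the RSA article. It scripts the manual
# procedure: back up index-concentrator.xml, read the current format of the
# orig_ip key, switch it to IPv4, and verify the change before restarting
# nwconcentrator. Assumptions (not from the article): one <key .../> element
# per line, as in the stock file, and a sed that supports -i.bak (GNU or BSD).
# The sample XML below is constructed for illustration only.

# Print the format attribute of the <key> element whose name attribute is $2.
get_key_format() {
    local file="$1" key="$2"
    sed -n "/<key [^>]*name=\"$key\"/s/.*format=\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Rewrite the format attribute of key $2 to $3, keeping a .bak copy of the file.
set_key_format() {
    local file="$1" key="$2" fmt="$3"
    sed -i.bak "/<key [^>]*name=\"$key\"/s/format=\"[^\"]*\"/format=\"$fmt\"/" "$file"
}

# Write a small constructed index file into directory $1 and print its path.
# Only the orig_ip line mirrors the article; the rest is a simplified stand-in.
make_sample_index() {
    local path="$1/index-concentrator.xml"
    cat > "$path" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="auto">
<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="Text"/>
<key description="Source IP Address" level="IndexValues" name="ip.src" format="IPv4"/>
</language>
EOF
    printf '%s\n' "$path"
}

# Change orig_ip to IPv4 in file $1; succeed only if the file now says IPv4.
convert_orig_ip() {
    local file="$1"
    if [ "$(get_key_format "$file" orig_ip)" = "IPv4" ]; then
        echo "orig_ip is already IPv4 in $file"
        return 0
    fi
    set_key_format "$file" orig_ip IPv4
    [ "$(get_key_format "$file" orig_ip)" = "IPv4" ]
}

# Stand-alone demo on the constructed sample. On a real concentrator point
# INDEX_FILE at /etc/netwitness/ng/index-concentrator.xml, run convert_orig_ip
# on it, and then run "restart nwconcentrator" as the article describes.
INDEX_FILE="$(make_sample_index "$(mktemp -d)")"
echo "before: orig_ip format=$(get_key_format "$INDEX_FILE" orig_ip)"
convert_orig_ip "$INDEX_FILE"
echo "after:  orig_ip format=$(get_key_format "$INDEX_FILE" orig_ip) (backup at $INDEX_FILE.bak)"
```

The sed address matches only the line carrying name="orig_ip" (closing quote included), so a key whose name merely starts with orig_ip is left alone, and the .bak copy written by sed -i.bak is what you restore if the concentrator misbehaves after the restart.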
