000033597 - How To Add Additional Meta Keys to the RSA NetWitness Archiver Service

Document created by RSA Customer Support Employee on Aug 2, 2016. Last modified by RSA Customer Support on Oct 17, 2018.
Version 5

Article Content

Article Number: 000033597
Applies To:
RSA Product Set: RSA NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Archiver, Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Issue: How to add additional meta keys to Archiver if it is required.

Editing defined meta keys in index-archiver-custom.xml through the UI:

  1. Select Administration > Services > <select archiver service> > under Actions select View > Config
  2. Select the Files tab and select index-archiver-custom.xml from the drop-down box
  3. Add the required meta to index-archiver-custom.xml and press Apply
       Example meta: category

Alternatively, from SSH you can edit /etc/netwitness/ng/index-archiver-custom.xml directly.
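
A pre-restart check for the edited file, as an added example that is not part of the original article or of RSA's tooling: it confirms the file is still well-formed XML, that the new key (category, as in the example meta above) is present, and that no key name is defined twice. The sample document, its attribute values and the check_index helper are assumptions for illustration; compare real entries with the default index file on your own appliance.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a custom index file. Attribute values are illustrative
# assumptions, not copied from a real appliance.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Category" format="Text" level="IndexValues" name="category" valueMax="10000"/>
  <key description="Event Description" format="Text" level="IndexKeys" name="event.desc"/>
</language>
"""

def check_index(xml_text, wanted):
    """Return (ok, problems, key_names) for a custom index document."""
    problems = []
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # A typo made while editing over SSH shows up here, before any restart.
        return False, ["not well-formed XML: %s" % exc], []
    names = []
    for key in root.iter("key"):
        name = key.get("name")
        if not name:
            problems.append("key element without a name attribute")
            continue
        if name in names:
            problems.append("duplicate key: %s" % name)
        names.append(name)
    for name in wanted:
        if name not in names:
            problems.append("expected key missing: %s" % name)
    return not problems, problems, names

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    ok, problems, names = check_index(text, ["category"])
    print("keys defined:", ", ".join(names))
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(0 if ok else 1)
```

Run it against a copy of /etc/netwitness/ng/index-archiver-custom.xml before restarting the service; a non-zero exit status means the file needs another look.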

10.6.X Product Documentation Reference - https://community.rsa.com/docs/DOC-83506

Restarting Archiver Service

Purpose: This makes the new custom meta keys available to the service.

  1. Stop aggregation from within the Web UI (to close open database files)

       Select Administration > Services > <select archiver service> > under Actions select View > System
       Select the 'Stop Aggregation' button

  2. Restart the Archiver service

       When the 'Start Aggregation' button is enabled, select the 'Shutdown Service' button (which will restart the Archiver service)

Adding Additional Meta Keys to be aggregated from Log Decoder (metaInclude)

  1. Select Administration > Services > <select archiver service> > under Actions select View > Config
  2. On the General tab use the 'Stop Aggregation' button
  3. Select the decoder in Aggregated services and edit
  4. Find the new meta key in the Meta Include tab and select it
  5. If you are unable to find the meta in the Meta Include tab, you may need to restart jettysrv on the NetWitness Server.

10.6.X Product Documentation Reference - https://community.rsa.com/docs/DOC-83105

Notes

Archivers are not intended to index the same number of meta keys as Concentrator services. By default around 41 meta keys are indexed from Log Decoders.

The Product Documentation contains the following warning advising that the more meta keys are indexed by the Archiver, the lower the session retention time (as metadb is larger) and the more resources will be required for storage and use of these meta keys.

Caution: Adding meta or indexes will require additional storage, CPU resources, and Memory resources to support, and may impact retention time. As more meta items are added to the Archiver, the maximum aggregation rate will decrease, and the time to execute reports will increase.
Source: 10.6.5 Product Documentation Reference - https://community.rsa.com/docs/DOC-83105