Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000034084 - Error while trying to change the meta key format in index-concentrator-custom.xml or index-broker-custom.xml files in RSA Security Analytics

Document created by RSA Customer Support

on Sep 26, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 4Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000034084
Applies To	RSA Product Set: Security Analytics, NetWitness Logs and Packets RSA Product/Service Type: Core Appliances Platform: CentOS
Issue	When trying to override a meta key format by editing in the index-concentrator-custom.xml or index-broker-custom.xml files, nwconcentrator and nwbroker fails to start. and logs the below error message, Example: Want to change the meta key orig_ip format from Text to IPv4, The original line in the index-concentrator.xml and/or index-broker.xml looks: "<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="Text"/>" Added the below line in index-concentrator-custom.xml or index-broker-custom.xml, "<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="IPv4"/>" Restart nwbroker and/or nwconcentrator services on the appliances. # restart nwbroker or # restart nwconcentrator The below error message appears: Sep 23 16:18:11 p-rich-sa02c NwConcentrator[3171]: [Engine] [failure] Module concentrator failed to load: Diagnostic information: Throw in function nw::LanguageTokenPtr nw::Language::addToken(const nw::LanguageKey&, NwVariantFormat, const string&, nw::LanguageToken::TokenLevel, nw::uint32, nw::uint32, nw::uint32, nw::uint32)Dynamic exception type: boost::exception_detail::clone_implstd::exception::what: Cannot override format for orig_ip from Text to IPv4. Format changes are not allowed.[boost::errinfo_at_line_*] = 98 Sep 23 16:18:11 p-rich-sa02c NwConcentrator[3171]: [Engine] [failure] Module concentrator failed to load: Cannot override format for orig_ip from Text to IPv4. Format changes are not allowed.
Cause	Format attribute cannot be overridden in custom file.
Resolution	To overcome this issue, When updating the Format attribute it will have to be done in the index-concentrator.xml and/or index-broker.xml instead of index-concentrator-custom.xml or index-broker-custom.xml. Then restart the nwbroker and/or nwconcentartor services normally. # restart nwbroker or # restart nwconcentrator Note that these changes will be overwritten during the rebuilding, reinstall and upgrades, so it's very recommended to keep track of the changes done to these files.
Notes	Note that these changes will be overwritten during the rebuilding, reinstall and upgrades, so it's very recommended to keep track of the changes done to these files.

Attachments

Outcomes

0 Comments

Recommended Content