This topic provides important information and guidelines for configuring service custom index files, which are editable in the Service Config view > Files tab.
The index file, along with other configuration files, controls operation of each core service. Accessing the index file through the Service Config view in Security Analytics opens the file in a text editor, where you can edit the file.
Note: Only Administrators with a thorough and comprehensive understanding of Core service configuration are qualified to make changes to an Index file, which is one of the central configuration files for the appliance service. Changes made should be consistent across all Core services. Invalid entries or a misconfigured file can prevent the system from starting and can require the assistance of RSA Support to bring the system back into a working state.
These are the index files:
- index-broker.xml, index-broker‐custom.xml
- index-concentrator.xml, index-concentrator‐custom.xml
- index-decoder.xml, index-decoder‐custom.xml
- index-logdecoder.xml, index-logdecoder‐custom.xml
- index-archiver.xml, index-archiver‐custom.xml
- index-workbench.xml, and index-workbench‐custom.xml
Index and Custom Index Files
All customer-specific index changes are made in index-<service>-custom.xml. This file overrides any settings in index-<service>.xml, which is solely controlled by RSA.
Note: Customers using Security Analytics versions prior to 10.1 had to customize index files by editing and saving the index file, and this method relied on Security Analytics creating a backup of the current index file upon restart of the service. Using this process, the current file is overwritten and a backup file is created. The toolbar option provides a way to revert to a backup version of the index file.
During software upgrades, index-<service>.xml is not preserved, as it is overwritten by any changes made by the RSA content team. However, a backup is made in the same directory and named index-<service>.xml.rpm_pre_save. The index-<service>.xml.rpm_pre_save file can be referenced if needed to create the customer-specific index-<service>-custom.xml file, which needs to be done only once. Going forward, the new system allows RSA to make index changes without modifying existing customer specific changes.
The custom index file, index-<service>‐custom.xml, allows creation of custom definitions or overrides of your own language keys that are not overwritten during the upgrade process.
- Keys that are defined in index-<service>‐custom.xml replace the definitions found in index-<service>.xml.
- Keys that are added to index-<service>‐custom.xml and not found in index‐<service>.xml are added to the language as a new key.
Some common applications for editing the index file are:
- To add new custom meta keys to add new fields to the Security Analytics user interface.
- To configure protected meta keys as part of a data privacy solution as described in the Data Privacy Management guide.
- To adjust the Security Analytics Core database query performance as described in the Security Analytics Core Database Tuning Guide.
Note: For Security Analytics 10.1 and above, there is no need to edit the Broker custom index file, except for data privacy deployment scenarios and system roles. The Broker automatically merges the keys of all aggregate services to create a comprehensive language. The fallback language defined in index‐broker.xml and index‐broker-custom.xml is used if there are no services or if all services are offline.
Caution: Never set the index level to IndexKeys or IndexValues on a Decoder if you have a Concentrator or Archiver aggregating from the Decoder. The index partition size is too small to support any indexing beyond the default time meta key.