000034680 - How to index a new meta key on Archiver in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 2, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000034680
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x, 10.6.x
Platform: Linux
O/S Version: CentOS
Product Name: NetWitness for Logs and Packets
Issue: Unlike other services, Archiver needs one more step in order to get a meta key indexed.
Resolution: Updating the index-archiver-custom.xml file, using steps similar to those in the KB article below, is not sufficient on Archiver:

'Meta not available on device' is displayed in RSA Security Analytics investigations

The following steps also need to be done from the GUI to get the meta key indexed:
1- Administration -> Services -> Archiver -> config.
2- Stop the Archiver service.
3- Edit the service and choose the meta to be indexed, then enter the Archiver service username and password.
4- Click Apply; the service should start again automatically.
 

Notes

At this point, the meta key will start to be indexed. Old data will not be indexed.
If you want this meta key indexed on old data, Archiver re-indexing needs to be done.
 
