000035508 - Syntax errors in table-map-custom.xml on RSA Security Analytics Log Decoder

Document created by RSA Customer Support Employee on Oct 5, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035508
Applies ToRSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.6.x
 
IssueWhen there is a syntax error in table-map-custom.xml you can experience a log decoder that will no longer start capture.
You will see this message when attempting to start capture:

"Failed to start capture: Failed to process message start for /decoder com.rsa.netwitness.carlos.transport.TransportExc eption: Decoder did not initialize correctly, please check the logs"

Health and Wellness will report alerts:

LogDecoder Event Queue > 80% stat Logdecoder EventProcessor/The number of events currently in the queue, expressed as a percentage of the queue capacity

And

LogDecoder Log Capture Pool Depleted

What is actually happening is logged in /var/log/messages:

[LogParse] [info] Loaded mappings from /etc/netwitness/ng/envision/etc/table-map.xml
NwLogDecoder[50027]: [Engine] [failure] Module logdecoder failed to load: CDATA sections must start with "<![CDATA["
NwLogDecoder[50027]: [Engine] [failure] Module logdecoder failed to load: Diagnostic information: Throw in function nw::XmlString nw::XmlDocument::parseCDATA(const XmlString&, bool)Dynamic exception type: boost::exception_detail::clone_impl<nw::XmlParseError>std::exception::what: CDATA sections must start with "<![CDATA["[boost::errinfo_at_line_*] = 2023[boost::errinfo_file_name_*] = /etc/netwitness/ng/envision/etc/table-map-custom.xml

 
CauseWe see from /var/log/messages there is an issue in the /etc/netwitness/ng/envision/etc/table-map-custom.xml file:  CDATA sections must start with "<![CDATA["
A commented line in .xml is a portion in the code that is not meant to be executed but describes what the configuration is doing and how it is being used:
Instead of seeing the proper commented syntax
<!-- ... >
We noticed the dashes were missing:
<! ... >
 
ResolutionReview the changes that have been made in table-map-custom.xml,  This also applies for a concentrator that will not start aggregation, you may consider reviewing the changes made to /etc/netwitness/ng/index-concentrator-custom.xml.
Restore back the changes that have been made in /etc/netwitness/ng/envision/etc/table-map-custom.xml and possibly in /etc/netwitness/ng/index-concentrator-custom.xml on the concentrator and re-evaluate the syntax and proper configuration.

Attachments

    Outcomes