The table mapping file provided by RSA, table-map.xml, is a very significant part of the Log Decoder. It is a meta definition file which also maps the keys used in a log parser to the keys in the metadb.
Do not edit the table-map.xml file. If you want to make changes to the table-map, make them in the table-map-custom.xml file. The latest table-map.xml file is available on Live and RSA updates it as required. If you make changes to the table-map.xml file, they can be overwritten during an upgrade of service or content.
In the table-map.xml, some meta keys are set to Transient and some are set to None. To store and index a specific meta key, the key must be set to None. To make changes to the mapping, you need to create a copy of the file named table-map-custom.xml on the Log Decoder and set the meta keys to None.
For meta key indexing:
- When a key is marked as None in the table-map.xml file in the Log Decoder, it is indexed.
- When a key is marked as Transient in the table-map.xml file in the Log Decoder, it is not indexed. To index the key, copy the entry to the table-map-custom.xml file and change the keyword flags="Transient" to flags="None".
- If a key does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file in the Log Decoder.
If you do not have a table-map-custom.xml file on the Log Decoder, create a copy of table-map.xml and rename it to table-map-custom.xml.
To verify and update the table mapping file:
- In the Security Analytics menu, select Administration > Services.
- In the Services grid, select a Log Decoder, then select View > Config.
- Click the Files tab and select the table-map.xml file.
- Verify that the flags keywords are set correctly to either Transient or None.
If you need to change an entry, do not change the table-map.xml file since an upgrade can overwrite it. Instead, copy the entry, select the table-map-custom.xml file and change the flags keyword from Transient to None.
For example, the following entry for the hardware.id meta key in the table-map.xml file is not indexed and the flags keyword shows as Transient:
<mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
To index the hardware.id meta key, change the flags keyword from Transient to None in the table-map-custom.xml:
<mapping envisionName="hardware_id" nwName="hardware.id" flags="None"/>
- If an entry does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file.
- After making your changes to the table-map-custom.xml file, click Apply.
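To check which keys a table-map.xml leaves as Transient and to generate the matching table-map-custom.xml override lines, the following script is an added example (not an RSA tool). It parses a constructed sample of the mapping format shown above; the root element name and the sample keys other than hardware.id are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the table-map.xml mapping format (not RSA's real file);
# the <mappings> root element name is an assumption, only <mapping/> entries matter.
TABLE_MAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mappings>
  <mapping envisionName="hardware_id" nwName="hardware.id" flags="Transient"/>
  <mapping envisionName="username" nwName="user.dst" flags="None"/>
  <mapping envisionName="process" nwName="process" flags="Transient"/>
</mappings>
"""


def load_mappings(xml_text):
    """Return {nwName: (envisionName, flags)} for every <mapping/> element."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): (m.get("envisionName"), m.get("flags"))
            for m in root.iter("mapping")}


def transient_keys(xml_text):
    """Meta keys that are not indexed unless overridden in table-map-custom.xml."""
    return sorted(nw for nw, (_, flags) in load_mappings(xml_text).items()
                  if flags == "Transient")


def build_custom_entries(xml_text, keys_to_index):
    """Produce the table-map-custom.xml lines that set flags="None" for the given
    keys. Keys absent from table-map.xml are returned separately, since those need
    a new entry written by hand rather than a copied one."""
    mappings = load_mappings(xml_text)
    lines, missing = [], []
    for nw in keys_to_index:
        if nw not in mappings:
            missing.append(nw)
            continue
        envision, _ = mappings[nw]
        lines.append(f'<mapping envisionName="{envision}" nwName="{nw}" flags="None"/>')
    return lines, missing


if __name__ == "__main__":
    print("Transient keys:", transient_keys(TABLE_MAP_XML))
    entries, absent = build_custom_entries(TABLE_MAP_XML, ["hardware.id", "new.key"])
    print("\n".join(entries))
    print("Not in table-map.xml, add manually:", absent)
```

Point the script at the real table-map.xml exported from the Files tab, then paste the generated lines into table-map-custom.xml and click Apply.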