000035774 - Custom feeds with CSV content are not matching meta values or displaying quotes correctly in RSA Security Analytics 10.6

Document created by RSA Customer Support Employee on Nov 23, 2017
Last modified by RSA Customer Support Employee on Nov 25, 2017
Version 2

Article Content

Article Number: 000035774

Applies To:
RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Content, User Interface
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6

Issue: Because custom feeds are case-sensitive, the feed will not tag the meta properly if the meta is in a different case than specified in the CSV file. Also, when a feed file with more than one set of double quotes is deployed, Adhoc feeds fail to deploy and recurring feeds deploy but do not make a match.

Workaround: To make the custom feed case-insensitive, the ignorecase Boolean value must be set to true within the MetaCallback tag in the XML file, for example:

<MetaCallback name="device" valuetype="Text" ignorecase="true">

Follow the steps that are documented in the article 000029517 entitled Custom feed is not being applied to all meta data in RSA Security Analytics.
If a deployed feed file contains double quotes and the RSA Security Analytics UI displays them incorrectly, open the feed file in a text editor to check which string will actually be matched against strings in the log file. For example, if you want to match the string “abc” from a log file, the feed file viewed in a text editor should also contain “abc”. The RSA Security Analytics User Interface, however, will display the quotes for this string in the custom feed as truncated.
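
A pre-deployment check for both conditions described above, as an added example that is not RSA's code: it lists MetaCallback tags whose ignorecase is not true and shows the raw text of every feed line that contains double quotes. The sample XML wrapper element, file name and CSV rows are constructed, and counting a "set" as one pair of double quotes on a line is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed feed definition. Only the MetaCallback attributes come from the
# article; the enclosing element and file name are assumptions.
SAMPLE_XML = """<FlatFileFeed name="example" path="example.csv">
  <MetaCallback name="device" valuetype="Text" ignorecase="true"/>
  <MetaCallback name="user" valuetype="Text"/>
</FlatFileFeed>"""

# Constructed feed rows.
SAMPLE_CSV = '''winhost01,internal
"abc",one quoted value
"abc","def",two quoted values
'''


def case_sensitive_callbacks(xml_text):
    """Names of MetaCallback elements that will still match case-sensitively."""
    root = ET.fromstring(xml_text)
    return [
        el.get("name", "<unnamed>")
        for el in root.iter("MetaCallback")
        if el.get("ignorecase", "").strip().lower() != "true"
    ]


def quoted_lines(csv_text):
    """(line number, quote sets, raw line) for each line with a double quote."""
    found = []
    for number, line in enumerate(csv_text.splitlines(), start=1):
        quotes = line.count('"')
        if quotes:
            found.append((number, quotes // 2, line))
    return found


def multi_set_lines(csv_text):
    """Line numbers holding more than one set of double quotes."""
    return [number for number, sets, _ in quoted_lines(csv_text) if sets > 1]


if __name__ == "__main__":
    for name in case_sensitive_callbacks(SAMPLE_XML):
        print(f'MetaCallback "{name}": ignorecase is not "true"')
    for number, sets, line in quoted_lines(SAMPLE_CSV):
        print(f"line {number}: {sets} quote set(s), raw text {line!r}")
    print("more than one set on lines:", multi_set_lines(SAMPLE_CSV))
```

The raw text printed for each quoted line is the string to compare against the log file, independent of how the UI renders it.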