Implement Non-Standard Meta Keys Used in ESA Rules

Overview

This topic tells you how to implement any non-standard data keys used in ESA alerts after you download them from Live.

Update XML Files

You need to update the table-map-custom.xml file on the Log Decoder and the index-concentrator-custom.xml file on the Concentrator.

Note: Do not update table-map.xml nor index-concentrator.xml files, as your changes will be overwritten when you update. Always make your edits to table-map-custom.xml and index-concentrator-custom.xml.

To update the table-map-custom.xml file:

  1. In the NetWitness menu, select ADMIN > Services.
  2. Open the file as follows:

    1. In the Services grid, select a Log Decoder.
    2. From the Actions menu, select View > Config, then select the Files tab in the Services Config view.
    3. Select table-map-custom.xml from the drop-down list.

      The table-map-custom.xml file opens in edit mode.

  3. In the <mappings> section of the file, add a <mapping> entry for the key and set its flags attribute to None. For example, to add myNewKey, you would add the uncommented mapping line shown below:

    <mappings>
    <!-- This is an example entry to use as a reference. Everything must be inside the top-level element "mappings". -->
    <!-- <mapping envisionName="bytes" nwName="bytes" flags="None" format="UInt64" nullTokens="(null)|-"/> -->

    <mapping envisionName="myNewKey" nwName="myNewKey" flags="None" />

    </mappings>

  4. Click Apply to save your changes.
  5. Restart the Log Decoder.

To update the index-concentrator-custom.xml file:

  1. In the NetWitness menu, select ADMIN > Services.
  2. In the Devices (or Services) grid, select the Concentrator.
  3. In the toolbar, select View > Config, then select the Files tab.

    The Device Config view is displayed with the Concentrator Files tab open.

  4. Select index-concentrator-custom.xml from the drop-down list.

    The index-concentrator-custom.xml file opens in edit mode.

  5. Insert the non-standard meta key parameter strings and click Apply. For example:

    <key description="my new parser meta key" format="Text" level="IndexKeys" name="myNewKey"/>

  6. Restart the Concentrator.
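The two procedures above must agree: every nwName mapped in table-map-custom.xml on the Log Decoder needs a matching <key name="..."> in index-concentrator-custom.xml on the Concentrator. The following added check (example code, not part of the NetWitness documentation or product) parses both files and reports mapped keys that have no index entry; the sample documents are constructed inline, and the <language> root element assumed for the index file is an assumption.

```python
# Added consistency check for the two custom XML files described on this page.
# Reports meta keys mapped on the Log Decoder that the Concentrator does not index.
import xml.etree.ElementTree as ET

# Constructed sample of table-map-custom.xml (mirrors the page's example plus one extra key).
TABLE_MAP_CUSTOM = """<mappings>
<!-- <mapping envisionName="bytes" nwName="bytes" flags="None" format="UInt64" nullTokens="(null)|-"/> -->
<mapping envisionName="myNewKey" nwName="myNewKey" flags="None" />
<mapping envisionName="anotherKey" nwName="another.key" flags="None" format="Text" />
</mappings>"""

# Constructed sample of index-concentrator-custom.xml; the <language> root is an assumption.
INDEX_CONCENTRATOR_CUSTOM = """<language>
<key description="my new parser meta key" format="Text" level="IndexKeys" name="myNewKey"/>
</language>"""


def mapped_keys(table_map_xml):
    """Set of nwName values from <mapping> elements.
    The commented-out reference entry is skipped because ElementTree drops XML comments."""
    root = ET.fromstring(table_map_xml)
    return {m.get("nwName") for m in root.iter("mapping") if m.get("nwName")}


def indexed_keys(index_xml):
    """Set of meta key names declared in <key> elements of the index file."""
    root = ET.fromstring(index_xml)
    return {k.get("name") for k in root.iter("key") if k.get("name")}


def unindexed_keys(table_map_xml, index_xml):
    """Keys the Log Decoder maps but the Concentrator never indexes, sorted for stable output.
    Each one still needs the <key .../> entry from the second procedure on this page."""
    return sorted(mapped_keys(table_map_xml) - indexed_keys(index_xml))


if __name__ == "__main__":
    for key in unindexed_keys(TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM):
        print(f'missing index entry: add <key ... name="{key}"/> to index-concentrator-custom.xml')
```

Run it against the real files by reading each into the corresponding string; an empty result means every custom mapping is also indexed.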