Hi,
I was wondering if anyone could explain to me what the order is for restarting services (Log Decoder, Log Collector, Concentrator, Broker)?
And what other files (index-concentrator-custom.xml or index-logdecoder-custom.xml) should be modified for these scenarios:
1) Adding new metadata in the table-map-custom.xml, index-logdecoder-custom.xml or index-concentrator-custom.xml files
2) If I create a Custom Feed, which file should I update in order to show metadata within the Investigation/Navigate screen?
3) If I deploy an EnVision UDS, which file should I update in order to show metadata within the Investigation/Navigate screen?
4) Finally, what's the difference between index-logdecoder-custom.xml and index-decoder-custom.xml?
Frankly, I don't get when to update an XML file (...and which one), when to restart the services, and in what order.
Actually, I'm restarting all services at once, and if I add some metadata in, for example, index-logdecoder-custom.xml, I also add it to index-concentrator-custom.xml and vice versa.
Thank you all in advance for your responses.
Best regards.
Hi Leonardo,
table-map-custom.xml: File used for defining meta keys for parsing the meta values. This file exists in the Logdecoder.
index-logdecoder-custom.xml: File used for indexing the meta values so they show up in the investigation page against the Logdecoder. But the Logdecoder focuses only on parsing and is not designed for indexing. So, defining values in this file is not recommended.
index-concentrator-custom.xml: File used for indexing the meta values so they show up in the investigation page against the Concentrator.
index-logdecoder-custom.xml is located in the Logdecoder, and index-decoder-custom.xml is located in the Packetdecoder.
How to edit all these files is explained in the KB below.
000017493 - Enable Parsed Meta Keys in RSA NetWitness Platform That Do Not Currently Show In Investigation
Cheers,
Sravan
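
An added example (not part of the replies above and not RSA's code): a small Python check that lists meta keys mapped in table-map-custom.xml but not indexed in index-concentrator-custom.xml, the two files the answer ties to parsing and to showing meta in Investigation. The sample XML is constructed, and the element and attribute names (`mapping`, `nwName`, `flags`, `key`, `level`) and level values are assumptions about the layout of these files.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Log Decoder table-map-custom.xml (layout assumed).
TABLE_MAP_CUSTOM = """<mappings>
  <mapping envisionName="custom_user" nwName="custom.user" flags="None" format="Text"/>
  <mapping envisionName="custom_zone" nwName="custom.zone" flags="None" format="Text"/>
  <mapping envisionName="custom_tmp" nwName="custom.tmp" flags="Transient" format="Text"/>
</mappings>"""

# Constructed sample of a Concentrator index-concentrator-custom.xml (layout assumed).
INDEX_CONCENTRATOR_CUSTOM = """<language level="IndexNone" defaultAction="Auto">
  <key description="Custom User" level="IndexValues" name="custom.user"
       format="Text" valueMax="10000"/>
</language>"""


def parsed_keys(table_map_xml):
    """Meta keys the Log Decoder writes out (mappings not flagged Transient)."""
    root = ET.fromstring(table_map_xml)
    return {
        m.get("nwName")
        for m in root.iter("mapping")
        if m.get("nwName") and m.get("flags", "None") != "Transient"
    }


def indexed_keys(index_xml):
    """Meta keys the Concentrator indexes (assumed levels: IndexKeys, IndexValues)."""
    root = ET.fromstring(index_xml)
    return {
        k.get("name")
        for k in root.iter("key")
        if k.get("name") and k.get("level") in ("IndexKeys", "IndexValues")
    }


def missing_from_index(table_map_xml, index_xml):
    """Keys that are parsed but have no index entry on the Concentrator."""
    return sorted(parsed_keys(table_map_xml) - indexed_keys(index_xml))


if __name__ == "__main__":
    for key in missing_from_index(TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM):
        print(f"{key}: mapped in table-map-custom.xml, "
              "no entry in index-concentrator-custom.xml")
```

To run it against real files, read their contents into strings and pass them to `missing_from_index` in place of the constructed samples.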