Community,
I am looking to deploy the Hunt and Investigation Feeds. The instructions talk about adding meta keys to the concentrator, but no details are given on how to add those meta keys to the decoders as well. Aren't we supposed to add them in both locations? Below I have added a link to the Investigations article
Thanks
Nope meta keys just have to be added on the concentrator
Sent from my iPhone
How does the decoder know where to put the meta it generates if it doesn't have keys?
Actually, when deploying parsers or feeds, the decoder reads them and if it see's that the parser or feed is writing to a meta key that the decoder does not already have, it will automatically add it. This has been the case since 9.8.x I think.
Therefore, you would only need to add the meta keys to the concentrator if you wish to index and query against that meta.
You can open a shell to the decoder, run tail -f /var/log/messages and then deploy the feed. You should see the meta key get created.
Chris
First really great answer, but it leads me to a follow up question... In certain cases where white listing is used the meta generated may not be accessible via investigation since the new keys need to have access granted to them. Since they are generated as a result of the loading of the feed or parser are these keys automatically added to the index-decoder-custom.xml so they can be read as new keys to secure?
If you want to set permissions on the new meta keys, you will have to manually add them as IndexNone to the index-decoder-custom.xml. Otherwise the key will not be shown within the service's "Security" section to blacklist or whitelist.
Andreas
No, they are not added to the index-decoder-custom.xml.
That file would only be used if I needed to manually add a meta key that wasn't created by a parser or a feed. I used to only do that for application rules going into a custom meta key's.
However, there are ways to have those keys for application rules automatically added to the index without having to modify the custom index file. Instead of selecting a key to write meta for an application rule, you could just write the name of the custom key.
Chris
Sent from my mobile device
No, they are not added to the index-decoder-custom.xml.
That file would only be used if I needed to manually add a meta key that wasn't created by a parser or a feed. I used to only do that for application rules going into a custom meta key's.
However, there are ways to have those keys for application rules automatically added to the index without having to modify the custom index file. Instead of selecting a key to write meta for an application rule, you could just write the name of the custom key.
Chris
Sent from my mobile device