Is there any way to make an ESA rule search for a particular word that is not parsed into meta key?
For ESA, the source will be Concentrator & Concentrator stores Indexes of Meta. So, for ESA to fire an alert, it has to match against the Data in the Meta.
In your scenario are you seeing the data not being parsed at all into a Meta OR is it being parsed with other values in a Meta? Also what version of NW are you using?
We have two NW. One is with 11.2 and the other is with the 11.1. My problem is with the disposition value. In the version 11.2 the concentrator got the meta key, but it's not parsing the reference log ID 7036. In the version 11.1 the disposition key doesn't show up. I already updated the table-map.xml and the index-decoder-custom.xml and restarted both services but they are not working. What do you suggest?
UPDATE: now it's working on 11.1 and it's not on 11.2. And they have the same custom meta keys.
Can you please share the custom meta key line that you have added in both table-map & index-concentrator-custom files?
table-map: <mapping envisionName="disposition" nwName="disposition" flags="Transient" format="Text"/>
<!-- *** Please insert your custom keys or modifications below this line *** -->
<key description="disposition" level="IndexValues" name="disposition" format="Text" valueMax="10000" />
Please confirm if you have added the below line in your table-map.xml file manually? And is this line shared from the 'table-map.xml' OR 'table-map-custom.xml' file?
Yes, I added this line in my table-map.xml. The line I shared is from table-map.xml.
The best practice is not to make any changes in the default 'table-map.xml' file. Because when you upgrade your host, any changes to the default files will be replaced.
So, please copy the below line to your 'table-map-custom.xml' file & restart the nwlogdecoder service with this command: 'systemctl restart nwlogdecoder'.
<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text"/>
Also, please check if you have added the below line in your 'index-concentrator-custom.xml' file.
Did not work. In the Investigate tab the meta key "disposition" is there but no data is parsed. And we got logs that should be parsed.
Sorry for the delay, was held up in few things.
The New Meta will show up in Investigation with values, when it receives new logs & it also takes sometime to reflect.
Can you check again & let me know if the Disposition meta is showing up now?
No, still not working. and I have reference id 7036 logs.
In Investigation are you querying from your Log concentrator or Broker?
I just did the same changes in my 11.2 lab & it works fine. Here are the changes & a screenshot from my Investigation using Log concentrator.
Table-map-custom.xml in Log decoder:
<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text" envisionDisplayName="Disposition"/>
Index-concentrator-custom.xml in Log concentrator:
<key description="Disposition" level="IndexValues" name="disposition" format="Text" valueMax="1000" defaultAction="Open"/>
In the log decoder, in table-map.xml don't you already have a key created for disposition? Or did you put it in a comment line?
The line in 'Table-map.xml' file will be there and it does not affect our changes, because the flag is set as 'Transient':
<mapping envisionName="disposition" nwName="disposition" flags="Transient" format="Text" envisionDisplayName="Disposition"/>
For any Meta to be indexed, flag should be set to 'None' & this is the change we are doing in 'table-map-custom.xml' file.
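An added check, written for this thread and not part of NetWitness or of anyone's post here, that reads the two custom files as XML and reports the mismatches discussed above: a mapping still flagged Transient, a mapping with no matching index key, a format mismatch, or a malformed line. The sample fragments and the <mappings> / <language> wrapper roots are constructed assumptions; point it at your own files to use it.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments mirroring the lines shared in the thread.
# The <mappings> and <language> wrapper roots are assumptions for the sample;
# compare them with the real table-map-custom.xml / index-concentrator-custom.xml.
TABLE_MAP_CUSTOM = """<mappings>
<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text" envisionDisplayName="Disposition"/>
<mapping envisionName="reason" nwName="reason" flags="Transient" format="Text"/>
</mappings>"""

INDEX_CONCENTRATOR_CUSTOM = """<language>
<key description="Disposition" level="IndexValues" name="disposition" format="Text" valueMax="1000" defaultAction="Open"/>
</language>"""


def check_custom_meta(table_map_xml, index_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    try:
        mappings = ET.fromstring(table_map_xml).findall("mapping")
        keys = ET.fromstring(index_xml).findall("key")
    except ET.ParseError as exc:  # e.g. a <key ...> line missing its closing '/>'
        return [f"XML parse error: {exc}"]

    indexed = {k.get("name"): k for k in keys}
    for m in mappings:
        name = m.get("nwName")
        # Transient meta is not kept by the decoder, so the Concentrator cannot index it.
        if m.get("flags", "None") == "Transient":
            findings.append(f"{name}: flags=Transient, Concentrator cannot index it")
            continue
        key = indexed.get(name)
        if key is None:
            findings.append(f"{name}: no <key> in index-concentrator-custom.xml, not searchable")
            continue
        if key.get("format") != m.get("format"):
            findings.append(f"{name}: format {m.get('format')} vs {key.get('format')}")
        if key.get("level") != "IndexValues":
            findings.append(f"{name}: level={key.get('level')}, values are not indexed")
    return findings


if __name__ == "__main__":
    for line in check_custom_meta(TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM) or ["OK"]:
        print(line)
```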
I did as you said and it's still not working... I'm querying the concentrator. I also tried to query the broker and it's the same. The meta key is there but nothing is parsed.
Ok, can you go to Investigate->Events & see if anything is parsed in the 'Disposition' meta as below?
No, it's not there. But if I open the log and click "View meta" the disposition meta key is there and parsed.
Ok. So from that it is clear that there is no need to update the parser & the changes on the decoder have taken effect.
I would suggest doing the below steps one more time to see if it resolves.
1. Restart the nwlogdecoder service on the Decoder that is sending logs to the Concentrator.
2. Restart nwconcentrator service on the Concentrator that you are using for Investigation.
3. Wait for about 30 minutes & inject new logs to the Log decoder.
4. Go to Investigate & load the default Meta group to verify if the Disposition meta shows up.
Done that. Still not working...
Trying to catch up with what the issue is here.
a few things to confirm to get back on track ...