The table mapping file provided by RSA, table-map.xml, is a very significant part of the Log Decoder. It is a meta definition file which also maps the keys used in a log parser to the keys in the metadb.
Do not edit the table-map.xml file. If you want to make changes to the table-map, make them in the table-map-custom.xml file. The latest table-map.xml file is available on Live and RSA updates it as required. If you make changes to the table-map.xml file, they can be overwritten during an upgrade of service or content.
In the table-map.xml, some meta keys are set to Transient and some are set to None. To store and index a specific meta key, the key must be set to None. To make changes to the mapping, you need to create a copy of the file named table-map-custom.xml on the Log Decoder and set the meta keys to None.
For meta key indexing:
When a key is marked as None in the table-map.xml file in the Log Decoder, it is indexed.
When a key is marked as Transient in the table-map.xml file in the Log Decoder, it is not indexed. To index the key, copy the entry to the table-map-custom.xml file and change the keyword flags="Transient" to flags="None".
If a key does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file in the Log Decoder.
Caution: Do not update the table-map.xml file since an upgrade can overwrite it. Add all of the changes that you want to make to the table-map-custom.xml file.
If you do not have a table-map-custom.xml file on the Log Decoder, create a copy of table-map.xml and rename it to table-map-custom.xml.
To verify and update the table mapping file:
In the Security Analytics menu, select Administration >Services.
In the Services grid, select a Log Decoder and > View> Config.
Click the Files tab and select the table-map.xml file.
Verify that the flags keywords are set correctly to either Transient or None.
If you need to change an entry, do not change the table-map.xml file since an upgrade can overwrite it. Instead, copy the entry, select the table-map-custom.xml file and change the flags keyword from Transient to None.
For example, the following entry for the hardware.id meta key in the table-map.xml file is not indexed and the flags keyword shows as Transient:
If an entry does not exist in the table-map.xml file, add an entry to the table-map-custom.xml file.
After making your changes to the table-map-custom.xml file, click Apply.
Caution: Before changing the table mapping files, carefully consider the effect of changing the index from Transient to None since it can impact the available storage and performance of the Log Decoder. For this reason, only certain meta keys are indexed out of the box. Use the table-map-custom.xml file for different use cases.