Implement Non-Standard Meta Keys Used in ESA Rules
Overview
This topic tells you how to implement any non-standard data keys used in ESA alerts after you download them from Live.
Update XML Files
You need to update the table-map-custom.xml file on the Log Decoder and the index-concentrator-custom.xml file on the Concentrator.
Note: Do not update the table-map.xml or index-concentrator.xml files, because your changes will be overwritten when you update. Always make your edits in table-map-custom.xml and index-concentrator-custom.xml.
To update the table-map-custom.xml file:
- In the NetWitness menu, select ADMIN > Services.
- Open the file as follows:
  - In the Services grid, select a Log Decoder.
  - From the Actions menu, select View > Config, then select the Files tab in the Services Config view.
  - Select table-map-custom.xml from the drop-down list.
    The table-map-custom.xml file opens in edit mode.
- In the section of the file, add an entry for the key, and set the value to None. For example, to add myNewKey, you would add the line shown in bold:
- Click Apply to save your changes.
- Restart the Log Decoder.
To update the index-concentrator-custom.xml file:
- In the NetWitness menu, select ADMIN > Services.
- In the Devices (or Services) grid, select the Concentrator.
- In the toolbar, select View > Config, then select the Files tab.
  The Device Config view is displayed with the Concentrator Files tab open.
- Select index-concentrator-custom.xml from the drop-down list.
  The index-concentrator-custom.xml file opens in edit mode.
- Insert the non-standard meta key parameter strings and click Apply. For example:
- Restart the Concentrator.
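
The following check is an added example, not part of the original documentation or of NetWitness itself. It verifies that each meta key an ESA rule depends on has an entry with the value None in table-map-custom.xml and a matching entry in index-concentrator-custom.xml. The element and attribute names (mapping, nwName, flags, key, name) are assumed from the usual layout of these files, and the file contents and the key names my.new.key, other.key and missing.key are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample contents; the layout is an assumption, not a real deployment.
TABLE_MAP_CUSTOM = """<mappings>
  <mapping envisionName="myNewKey" nwName="my.new.key" flags="None" format="Text"/>
  <mapping envisionName="otherKey" nwName="other.key" flags="Transient" format="Text"/>
</mappings>"""

INDEX_CONCENTRATOR_CUSTOM = """<language level="IndexNone" defaultAction="Auto">
  <key description="My New Key" format="Text" level="IndexValues"
       name="my.new.key" valueMax="10000"/>
</language>"""


def check_meta_keys(required, table_map_xml, index_xml):
    """Return {meta key: [problems]} for the keys an ESA rule depends on."""
    # Meta key name -> flags value for every mapping in table-map-custom.xml
    flags = {m.get("nwName"): m.get("flags", "")
             for m in ET.fromstring(table_map_xml).iter("mapping")}
    # Names of all keys declared in index-concentrator-custom.xml
    indexed = {k.get("name") for k in ET.fromstring(index_xml).iter("key")}

    problems = {}
    for key in required:
        issues = []
        if key not in flags:
            issues.append("no mapping in table-map-custom.xml")
        elif flags[key] != "None":
            issues.append(f"flags is {flags[key]!r}, expected 'None'")
        if key not in indexed:
            issues.append("no key entry in index-concentrator-custom.xml")
        if issues:
            problems[key] = issues
    return problems


if __name__ == "__main__":
    wanted = ["my.new.key", "other.key", "missing.key"]
    report = check_meta_keys(wanted, TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM)
    for key, issues in report.items():
        print(f"{key}: " + "; ".join(issues))
```

Run it against copies of the two custom files before restarting the Log Decoder and Concentrator; an empty result means every required key is present in both files.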