Error while trying to change the meta key format in index-concentrator-custom.xml or index-broker-custom.xml files in RSA Security Analytics
Issue
When trying to override a meta key format by editing the index-concentrator-custom.xml or index-broker-custom.xml file, nwconcentrator and nwbroker fail to start and log the error message below.
Example: changing the format of the meta key orig_ip from Text to IPv4.
The original line in index-concentrator.xml and/or index-broker.xml looks like this:
"<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="Text"/>"
The following line was added to index-concentrator-custom.xml or index-broker-custom.xml:
"<key description="Originating IP Address" level="IndexValues" name="orig_ip" format="IPv4"/>"
Restart nwbroker and/or nwconcentrator services on the appliances.
# restart nwbroker or # restart nwconcentrator
The following error message appears:
Sep 23 16:18:11 p-rich-sa02c NwConcentrator[3171]: [Engine] [failure] Module concentrator failed to load: Diagnostic information: Throw in function nw::LanguageTokenPtr nw::Language::addToken(const nw::LanguageKey&, NwVariantFormat, const string&, nw::LanguageToken::TokenLevel, nw::uint32, nw::uint32, nw::uint32, nw::uint32)Dynamic exception type: boost::exception_detail::clone_implstd::exception::what: Cannot override format for orig_ip from Text to IPv4. Format changes are not allowed.[boost::errinfo_at_line_*] = 98
Sep 23 16:18:11 p-rich-sa02c NwConcentrator[3171]: [Engine] [failure] Module concentrator failed to load: Cannot override format for orig_ip from Text to IPv4. Format changes are not allowed.
Sep 23 16:18:11 p-rich-sa02c NwConcentrator[3171]: [Engine] [failure] Module concentrator failed to load: Cannot override format for orig_ip from Text to IPv4. Format changes are not allowed.
Cause
The format attribute of an existing meta key cannot be overridden in the custom index file.
Resolution
To resolve this issue, change the format attribute in index-concentrator.xml and/or index-broker.xml instead of index-concentrator-custom.xml or index-broker-custom.xml. Then restart the nwbroker and/or nwconcentrator services normally.
# restart nwbroker or # restart nwconcentrator
Note that these changes will be overwritten during rebuilds, reinstalls and upgrades, so it is strongly recommended to keep track of the changes made to these files.
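A pre-restart check for the condition described under Cause, as an added example that is not part of the original article or of RSA's tooling: it compares a base index file with its custom file and lists every key whose format the custom file tries to change. The sample XML, the `<language>` wrapper element and the function names are assumptions; pass the two real file paths as arguments to check an appliance's own files.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the <key> line quoted in this article.
# The <language> wrapper is an assumption; only <key> elements are inspected.
SAMPLE_BASE = """<language>
  <key description="Originating IP Address" level="IndexValues" name="orig_ip" format="Text"/>
  <key description="Example Key" level="IndexValues" name="example_key" format="Text"/>
</language>"""
SAMPLE_CUSTOM = """<language>
  <key description="Originating IP" level="IndexValues" name="orig_ip" format="IPv4"/>
  <key description="Example Key (renamed)" level="IndexValues" name="example_key" format="Text"/>
  <key description="New Key" level="IndexValues" name="new_key" format="Text"/>
</language>"""


def key_formats(xml_data):
    """Map each <key> name to its format attribute (None when absent)."""
    root = ET.fromstring(xml_data)
    return {k.get("name"): k.get("format") for k in root.iter("key") if k.get("name")}


def format_conflicts(base_xml, custom_xml):
    """List (name, base_format, custom_format) for keys that the custom file
    redefines with a format different from the one in the base file."""
    base = key_formats(base_xml)
    conflicts = []
    for name, custom_fmt in key_formats(custom_xml).items():
        base_fmt = base.get(name)
        # Keys that exist only in the custom file are new definitions, not overrides.
        if base_fmt is not None and custom_fmt is not None and base_fmt != custom_fmt:
            conflicts.append((name, base_fmt, custom_fmt))
    return sorted(conflicts)


def main(argv):
    if len(argv) == 3:  # usage: script.py <base index xml> <custom index xml>
        with open(argv[1], "rb") as b, open(argv[2], "rb") as c:
            base_xml, custom_xml = b.read(), c.read()
    else:
        base_xml, custom_xml = SAMPLE_BASE, SAMPLE_CUSTOM
    conflicts = format_conflicts(base_xml, custom_xml)
    for name, old, new in conflicts:
        print(f"{name}: custom file sets format {new}, base file has {old}")
    return 1 if conflicts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one key in the custom file would trigger the "Format changes are not allowed" failure on restart.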
Product Details
RSA Product Set: Security Analytics, NetWitness Logs and Packets
RSA Product/Service Type: Core Appliances
Platform: CentOS
Summary
nwconcentrator and/or nwdecoder services fail to start after trying to update a meta key format in the index-custom.xml files