How To Add Additional Meta Keys to the RSA NetWitness Archiver Service
Issue
How to add additional meta keys to the Archiver service when required.
Resolution
Editing defined meta keys in index-archiver-custom.xml through the UI:
- Select Administration > Services > {select archiver service} > under Actions select View > Config
- Select the Files tab and select index-archiver-custom.xml from the drop-down box
- Add the required meta to index-archiver-custom.xml and press Apply
Alternatively, from SSH you can edit /etc/netwitness/ng/index-archiver-custom.xml directly.
10.6.X Product Documentation Reference - https://community.rsa.com/docs/DOC-83506
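A sanity check to run on the edited file before pressing Apply, added here as an example (it is not RSA's code or part of the original article): it parses the file, lists the custom keys being added, and flags malformed XML, duplicate key names and missing attributes. The `<language>`/`<key>` layout, the attribute names and the sample key names are assumptions, since the article does not show the file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the <language>/<key> layout and attribute names are
# assumed from the NetWitness custom index file format, not shown on this page.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Example User" level="IndexValues" name="example.user" format="Text" valueMax="10000"/>
  <key description="Example Host" level="IndexKeys" name="example.host" format="Text"/>
  <key description="Duplicate" level="IndexValues" name="example.user" format="Text"/>
  <key description="No level" name="example.nolevel" format="Text"/>
</language>
"""

REQUIRED = ("name", "level", "format")  # assumed mandatory attributes


def check_index_xml(text):
    """Return (key_names, problems) for a custom index file's contents."""
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        return [], [f"not well-formed XML: {exc}"]
    names, problems, seen = [], [], set()
    for key in root.iter("key"):
        name = key.get("name", "<unnamed>")
        missing = [a for a in REQUIRED if not key.get(a)]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)}")
        if name in seen:
            problems.append(f"{name}: defined more than once")
        seen.add(name)
        names.append(name)
    return names, problems


if __name__ == "__main__":
    import sys
    # Pass a copy of index-archiver-custom.xml as the argument, or run the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    names, problems = check_index_xml(text)
    print(f"{len(names)} custom key(s): {', '.join(names)}")
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

The key count it prints is worth comparing against the default of around 41 indexed keys mentioned in the Notes, since every added key costs storage and retention time.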
Restarting Archiver Service
Purpose: This makes the new custom meta keys available to the service.
- Stop aggregation from within the Web UI (to close open database files)
Select Administration > Services >
> under Actions select View > Config
On the General Tab use the 'Stop Aggregation' button
Select the decoder in Aggregated services and edit
- Find the new meta key in the Meta Include tab and select it
- If you are unable to find the meta in the Meta Include tab, you may need to restart jettysrv on the NetWitness Server.
10.6.X Product Documentation Reference - https://community.rsa.com/docs/DOC-83105
Notes
Archivers are not intended to index the same number of meta keys as Concentrator services. By default around 41 meta keys are indexed from Log Decoders. The Product Documentation contains the following warning advising that the more meta keys are indexed by the Archiver, the lower the session retention time (as metadb is larger) and the more resources will be required for storage and use of these meta keys.
Caution: Adding meta or indexes will require additional storage, CPU resources, and Memory resources to support, and may impact retention time. As more meta items are added to the Archiver, the maximum aggregation rate will decrease, and the time to execute reports will increase.
Source: 10.6.5 Product Documentation Reference - https://community.rsa.com/docs/DOC-83105
Product Details
RSA Product Set: RSA NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Archiver, Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x