How to add custom meta keys in RSA NetWitness Platform
Issue
How to add custom meta keys in RSA NetWitness? What is the process of adding custom language keys in RSA NetWitness?
After adding custom meta keys in my concentrators, I can see the custom meta keys show up when Investigating directly using the concentrators, but why is the broker rendering errors in Investigations such as below:
Tasks
In RSA NetWitness, the default configuration of meta keys is stored in the index-
The contents of these default files should not be manually changed, as a new version of these files may be deployed during version upgrades.
Beginning from RSA NetWitness 10.0 a custom XML file, index-
The custom XML file will not be modified or overwritten during version upgrades.
Changes to the default settings and any new custom meta keys should be added to the custom XML file.
Add the custom meta key lines or meta key modifications only to the index-concentrator-custom.xml file. No need to edit or add on the index-
The broker does not have its own index or database; it only gets its unified index keys from the concentrators and/or brokers below it.
To ensure that the broker gets a unified index (language keys), edit the index-concentrator-custom.xml file using the UI and push the modified file to all the other concentrators. Then restart the concentrator services or initiate an index save on each one (using concentrator>view>explore>index right-click-properties, select save in the drop-down and send) so that the service picks up the modified index language keys.
It is important for all concentrators to have a single, uniform index-concentrator-custom.xml file so that they share a unified language definition, which is in turn picked up by the broker.
You may sometimes also need to do an index reset on the broker so that it immediately picks up the new index language keys from its concentrators.
To initiate an index reset on the broker, go to Services>broker>view>explore>broker right-click-properties, select reset in the drop-down, enter index=1 in the Parameters and send.
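To confirm that every concentrator really carries the same index-concentrator-custom.xml before resetting the broker index, the copies can be compared offline. The script below is an added example, not RSA code: it assumes the files have already been collected from each concentrator, and the host names and XML content are constructed samples (the key name custom.key is hypothetical). The comparison does not depend on the file's element or attribute names.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

def index_fingerprint(xml_text):
    """SHA-256 of the canonical XML form, so comments, whitespace between
    elements and attribute order do not count as differences."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def find_index_drift(copies):
    """copies maps a concentrator name to the text of its custom index file.
    The largest group of identical files is treated as the reference."""
    groups, unparseable = defaultdict(list), []
    for host, text in sorted(copies.items()):
        try:
            groups[index_fingerprint(text)].append(host)
        except ET.ParseError:
            unparseable.append(host)  # truncated or malformed copy
    # Rank groups by size; break ties on the fingerprint for a stable result.
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    reference = ranked[0][1] if ranked else []
    drifted = sorted(h for _, hosts in ranked[1:] for h in hosts)
    return {"reference": reference, "drifted": drifted, "unparseable": unparseable}

# Constructed sample data: layout and names are illustrative only.
SAMPLE_COPIES = {
    "conc1": """<language>
  <!-- custom keys -->
  <key description="Destination E-Mail Address" level="IndexValues"
       name="custom.key" format="Text" valueMax="2500000"/>
</language>""",
    # Same definition, different formatting and attribute order.
    "conc2": '<language><key name="custom.key" format="Text" valueMax="2500000" '
             'level="IndexValues" description="Destination E-Mail Address"/></language>',
    # Stale copy: valueMax differs from the other concentrators.
    "conc3": '<language><key description="Destination E-Mail Address" level="IndexValues" '
             'name="custom.key" format="Text" valueMax="250000"/></language>',
    # Incomplete push: file cut off mid-element.
    "conc4": '<language><key name="custom.key"',
}

if __name__ == "__main__":
    result = find_index_drift(SAMPLE_COPIES)
    print("reference  :", ", ".join(result["reference"]))
    print("drifted    :", ", ".join(result["drifted"]) or "none")
    print("unparseable:", ", ".join(result["unparseable"]) or "none")
```

Any host reported as drifted or unparseable should receive the reference file again through the Push step before the broker index is reset.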
Resolution
Changes to default meta keys' configuration and the addition of new custom meta keys are made to the custom XML file, index-
For example,
Decoder service has index-decoder-custom.xml
Log Decoder service has index-logdecoder-custom.xml
Concentrator service has index-concentrator-custom.xml
The index-
If these lines are not present in the XML file, the service will not start and errors will be generated in the /var/log/messages file.
This example shows an XML file with no custom meta keys and includes just the default xml file format with some comment lines.
This example shows an XML file with a single custom meta key for "Destination E-Mail Address"; its settings are "IndexValues" with a format of "Text" and a valueMax of 2500000.
To save and deploy the new setting on the NetWitness appliance, select the Apply button.
The XML file can also be deployed to other NetWitness appliances by clicking on the Push button and selecting the destination NetWitness appliance. Only deploy the XML file to a NetWitness appliance that runs that service.
Note: Any entries in the index-
So, if you want to change any default meta key in the standard index-
If you have any questions about the information above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: NetWitness Core services
RSA Version/Condition: 10.6.x, 11.x
Summary
Where can custom meta keys be added in RSA NetWitness Platform?