How to display an enVision key or a custom meta key in RSA Security Analytics Investigator 10.2 and below
Issue
While several enVision keys are displayed in SA Investigation by default, many are not. This article is designed to assist SA administrators with exposing non-default enVision keys to Investigator in SA.
Resolution
To display an enVision key or a custom meta key in an RSA Security Analytics investigation, follow the steps below.
1. From a log decoder:
10.3.2 or later: Add an existing enVision key (copy it from /etc/netwitness/ng/envision/etc/table-map.xml) or a new custom key to /etc/netwitness/ng/envision/etc/table-map-custom.xml with the flags set to "None".
10.3.1 or prior: Change the flags from "Transient" to "None" for an enVision key in /etc/netwitness/ng/envision/etc/table-map.xml, or add a new custom key to /etc/netwitness/ng/envision/etc/table-map.xml with the flags set to "None".
e.g.
Note: Make sure that /etc/netwitness/ng/envision/table-map.xml is not present, as this file will override /etc/netwitness/ng/envision/etc/table-map.xml and /etc/netwitness/ng/envision/etc/table-map-custom.xml.
2. Restart the log decoder service for the changes to take effect.
3. From the concentrator that aggregates data from the above log decoder, open /etc/netwitness/ng/index-concentrator.xml and check if the nwName keys from Step 1 (e.g. lastname or custom.key) already exist with the index level "IndexKeys" or "IndexValues". If true, the rest of the steps can be skipped.
If the keys do not exist or the index level is set to "IndexNone", move on to Step 4.
4. From the same concentrator, open /etc/netwitness/ng/index-concentrator-custom.xml and add the nwName keys with the index level set to "IndexValues" or "IndexKeys" (see the knowledgebase article entitled Difference between IndexValues and IndexKeys in RSA Security Analytics and RSA NetWitness NextGen for more information on IndexValues and IndexKeys).
e.g.
5. Restart the concentrator service for the changes to take effect.
Once the above steps are followed, Investigation will display the meta key and its value for the newly collected data.
NOTE: If the environment has a broker that aggregates from multiple concentrators, ensure that any changes made to index-concentrator-custom.xml are also applied to other concentrators.
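The following script is an added example and not part of the original article or of the RSA product; it audits the four files named in Steps 1 to 4 and reports, for each mapped nwName, whether the key is still "Transient" (Step 1 not done), is written but not indexed at "IndexValues" or "IndexKeys" (Step 4 not done), or will reach Investigation. The file contents are constructed, and the element and attribute names (mapping/nwName/flags, key/name/level) as well as the rule that the -custom.xml entries override the base file are assumptions, so compare them against the real files before relying on the output.

```python
"""Audit which enVision/custom meta keys will be visible in SA Investigation.

Added example, not RSA code. The XML samples below are constructed and the
attribute names are assumed to match the table-map / index-concentrator
formats referred to in the article.
"""
import os
import xml.etree.ElementTree as ET

# Index levels that make a key and its values visible in Investigation.
VISIBLE_LEVELS = {"IndexValues", "IndexKeys"}


def parse_table_map(xml_text):
    """Return {nwName: flags} for every <mapping> element in a table-map file."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): m.get("flags", "None") for m in root.iter("mapping")}


def parse_index(xml_text):
    """Return {name: level} for every <key> element in an index-concentrator file."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("level", "IndexNone") for k in root.iter("key")}


def merged(base, custom):
    """Entries in the -custom.xml file take precedence over the base file (assumption)."""
    result = dict(base)
    result.update(custom)
    return result


def audit(table_map_base, table_map_custom, index_base, index_custom):
    """Classify every mapped key as 'ok', 'transient' or 'not-indexed'."""
    flags = merged(parse_table_map(table_map_base), parse_table_map(table_map_custom))
    levels = merged(parse_index(index_base), parse_index(index_custom))
    report = {}
    for name, flag in flags.items():
        if flag != "None":
            # Step 1 not done: the decoder drops the key before it is written.
            report[name] = "transient"
        elif levels.get(name, "IndexNone") in VISIBLE_LEVELS:
            report[name] = "ok"
        else:
            # Step 4 not done: add the key to index-concentrator-custom.xml.
            report[name] = "not-indexed"
    return report


def stray_override_present(path="/etc/netwitness/ng/envision/table-map.xml"):
    """The article warns that this file, if present, overrides the etc/ copies."""
    return os.path.exists(path)


# Constructed sample files (not copied from a real deployment).
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="username" nwName="username" flags="None" format="Text"/>
  <mapping envisionName="lastname" nwName="lastname" flags="Transient" format="Text"/>
  <mapping envisionName="firstname" nwName="firstname" flags="Transient" format="Text"/>
</mappings>"""

TABLE_MAP_CUSTOM_XML = """<mappings>
  <mapping envisionName="lastname" nwName="lastname" flags="None" format="Text"/>
  <mapping envisionName="custom_key" nwName="custom.key" flags="None" format="Text"/>
</mappings>"""

INDEX_XML = """<language level="IndexNone">
  <key name="username" level="IndexValues" format="Text"/>
  <key name="lastname" level="IndexNone" format="Text"/>
</language>"""

INDEX_CUSTOM_XML = """<language level="IndexNone">
  <key name="lastname" level="IndexValues" format="Text"/>
</language>"""


if __name__ == "__main__":
    if stray_override_present():
        print("WARNING: stray /etc/netwitness/ng/envision/table-map.xml found")
    for key, status in sorted(audit(TABLE_MAP_XML, TABLE_MAP_CUSTOM_XML,
                                    INDEX_XML, INDEX_CUSTOM_XML).items()):
        print(f"{key:12s} {status}")
```

With the sample data, username and lastname report "ok" (lastname because the custom table-map entry sets "None" and the custom index entry sets "IndexValues"), firstname reports "transient", and custom.key reports "not-indexed" because no concentrator file lists it. Run it against the real paths on each concentrator that aggregates from the decoder so the broker note above is covered too.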
Notes
This article is relevant to RSA Security Analytics 10.2 and below. For RSA Security Analytics 10.3 and above, refer to the article entitled 'Meta not available on device' is displayed in RSA Security Analytics investigations.
Internal Comments
UserName:shurtj
4/18/2014 10:58:17 PM - Modified Title, Fact Statements, and Properties
Modified the title to be more descriptive, added Fact statements, and added enVision to Partition and RSA Products.
UserName:shurtj
8/5/2014 9:51:22 PM - Updated Article
Updated article and made changes to abide by Primus best practices.
Jeff Shurtliff -- 1/21/2015
Updated the article to fix a broken smart link in the Notes section and to adhere to Salesforce best practices.
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.2 and below
Platform: CentOS
O/S Version: EL5, EL6
Summary
This article provides instructions on how to ensure that logs are being indexed correctly. This ensures that SA investigations can be executed without issue, and is considered a best practice.