How to monitor if a meta index key is full in the NetWitness Platform

Issue

Each meta key that is indexed in the RSA NetWitness Platform has a valueMax value associated with it. This is the maximum number of unique values that can be stored in the index for this meta key.

This is defined in the index-concentrator.xml and index-concentrator-custom.xml values on a Security Analytics concentrator.

For example:

  <key description="Hostname Aliases" level="IndexValues" name="alias.host" format="Text" valueMax="2500000" />

This shows that the alias.host meta key can contain up to 2500000 unique values in an index slice.

If this value is exceeded, then the additional unique values will not be able to be seen when investigating, although it will still be recorded in the session information.

It is therefore important to be alerted if the index for the meta key is full.

In some cases, the number of unique values for a key may exceed any setting of ValueMax that is used. For example, if you were to index URLs seen by the system then the index for this meta key would become quickly full due to the large number of unique possible values. For source ports and destination ports for a TCP session then there is a maximum of 65536 possible values so the valueMax is set to this value.

When a meta key is full the following will be seen in /var/log/messages on the concentrator:

  Sep 18 16:40:20 logconc nw[11922]: [Index] [warning] Index key alias.host has reached max capacity of 2500000 values and will ignore new values for this slice.

Tasks

We wish to be alerted if a metakey becomes full so that we can plan accordingly. To do this

1. Install the RSA Security Analytics Parsers from RSA Link here: Live Services Management Guide for 12.5.1
2. Add the following message to the RSA Security Analytics parser above the tag.

 <MESSAGE
 
 level="1"
 
 parse="1"
 
 parsedefvalue="1"
 
 tableid="1"
 
 id1="Index:45"
 
 id2="Index"
 
 eventcategory="1612010000"
 
 content="&lt;@event_description:Index Key Full&gt;[warning] Index key &lt;metakey&gt; has reached max capacity of &lt;fld2&gt; values and will ignore new values for this slice."/>

3. Add the following meta key to your concentrators in the /etc/netwitness/ng/index-concentrator-custom.xml

 <key description="Meta Keys" level="IndexValues" name="metakey" format="Text" valueMax="1000" />

4. Add the following to your Log Decoder at /etc/netwitness/ng/envision/etc/table-map-custom.xml

 <mapping envisionName="metakey" nwName="metakey" flags="None" format="Text"/>

5. When the Index Key becomes full the event description "Index Key Full" will become populated.

percentage used. Note: Horizontal is not compatible with appendHeaders.

Resolution

If an index key does become full then there are several options.

Create more index slices
Increase the valueMax value for the IndexKey
Switch off indexing for the key
Do nothing - it may not be practical to capture all unique values for the key or it may be that all possible unique values have been captured.

The best option will depend on your environment and what you wish to achieve, so please contact RSA Customer Support if further advice is required.

Attached to this article is a pair of scripts to help report on your current index slices. Please note the index-profile.pl script is meant for 10.X releases while the
index-profile.py is meant for 11.X releases. Please download and follow the instructions of the one that best fits your environment.

For Customers using version 10.X:
Please use the index-profile-10.X.zip file. This contains a perl script.
Usage: ./index-profile.pl concentrator_ip [out_file_name]

For example, to take an index profile snapshot every 30 min create a cron job for every concentrator as follows:

 # Concentrators 1
 
0,30 * * * * /root/index-profile-1.2.pl <Concentrator1_IP> index-snap-1.csv >> index-snap-1.csv
 
# Concentrator 2
 
0,30 * * * * /root/index-profile-1.2.pl <Concentrator2_IP> index-snap-2.csv >> index-snap-2.csv

This will generate a CSV file which then can be easily analyzed, so the optimal values of ValueMax, save.session.count or the index save scheduler can be worked out.

The sample output:

Column 1: Session
Column 2: sourcefile
Column 3: sinterface
Column 4: content
Column 5: policy.name
Column 6: device.name
Column 7: email
Column 8: tld
Column 9: city.src
Column 10: alias.host
Column 11: category
Column 12: udp.srcport
Column 13: event.computer
Column 14: country.src

Column 1: 9472259
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 4.45%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 4.65%
Column 10: 2.81%
Column 11: 5.87%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.13%

Column 1: 26421267
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 9.58%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 6.70%
Column 10: 5.43%
Column 11: 7.23%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.38%

Column 1: 18719236
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 8.11%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 6.30%
Column 10: 4.20%
Column 11: 6.66%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.40%

Column 1: 33624165
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 13.62%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 7.69%
Column 10: 6.38%
Column 11: 7.70%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.55%

Column 1: 48796236
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 0.00%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 0.00%
Column 10: 0.00%
Column 11: 0.00%
Column 12: 0.00%
Column 13: 0.00%
Column 14: 0.00%

Column 1: 62908505
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 32.48%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 9.54%
Column 10: 9.91%
Column 11: 8.94%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.71%

Column 1: 76682159
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 40.05%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 10.34%
Column 10: 11.36%
Column 11: 9.39%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.78%

Column 1: 88894056
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 44.02%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 11.11%
Column 10: 12.70%
Column 11: 9.73%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.81%

Column 1: 100426583
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 50.97%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 11.59%
Column 10: 13.84%
Column 11: 10.04%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.84%

Column 1: 115804180
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 57.16%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 12.19%
Column 10: 15.27%
Column 11: 10.38%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.86%

Column 1: 129613715
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 65.50%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 12.68%
Column 10: 16.49%
Column 11: 10.65%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.89%

Column 1: 141790056
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 68.83%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 13.14%
Column 10: 17.69%
Column 11: 10.95%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.93%

Column 1: 153489616
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 72.53%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 13.53%
Column 10: 18.86%
Column 11: 11.12%
Column 12: 0.00%
Column 13: 0.10%
Column 14: 2.94%

Column 1: 161713547
Column 2: 0.00%
Column 3: 0.00%
Column 4: 0.00%
Column 5: 74.81%
Column 6: 0.00%
Column 7: 0.00%
Column 8: 0.00%
Column 9: 13.77%
Column 10:
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Concentrator, Log Decoder
Platform: CentOS 6, CentOS 7

Approval Reviewer Queue

Technical approval queue

Attachments:
index-profile-10.X.zip

How to monitor if a meta index key is full in the NetWitness Platform

Issue

Tasks

Resolution

Product Details

Approval Reviewer Queue