Skip to content
  • There are no suggestions because the search field is empty.

Meta key names are being truncated with error message 'key exceeds maximum size of 16' in Netwitness Platform

Issue

Meta key names are being truncated with error message "key exceeds maximum size of 16" in NetWitness
The /var/log/messages file reports an error similar to the following: 
(W) 2010-Jul-17 18:57:48 [Index] The language key 'watchlist_file_fi' exceeds the maximum size of 16. The name was truncated to 'watchlist_file_f'

Cause

Items longer than 16 characters in the name field for meta key items may be be truncated in NetWitness Core Devices.  Items longer than 16 characters in the name field for meta key items may alternatively cause the service to fail to load.

In NetWitness NextGen version 9.8 and above, the information is stored in the /etc/netwitness/ng directory. The key item definitions can be found in the following files:

  • index-decoder.xml
  • index-decoder-custom.xml
  • index-concentrator.xml
  • index-concentrator-custom.xml
  • index-broker.xml
  • index-broker-custom.xml

The following is an example of a key definition: 


Resolution

In order to resolve the issue, the name value in the key definition must be changed to be less than 16 characters in length.

The following commands may be used to examine the XML files in order to list the keys and their respective name lengths: 

# grep -Po 'name=".*?(?=")' /etc/netwitness/ng/index-<service>-custom.xml | awk '{ print substr($0,7) " = " length(substr($0,7)) }'

# grep -Po 'name=".*?(?=")' /etc/netwitness/ng/index-<service>.xml | awk '{ print substr($0,7) " = " length(substr($0,7)) }'


If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.


Notes

The output of the commands above will look similar to the example below.

[root@NWAPPLIANCE1234 ng]# grep -Po 'name=".*?(?=")' /etc/netwitness/ng/index-concentrator.xml | awk '{ print substr($0,7) " = " length(substr($0,7)) }'
time = 4
service = 7
tcp.srcport = 11
tcp.dstport = 11
udp.srcport = 11
udp.dstport = 11

Internal Comments

UserName:wirthr1
6/19/2012 12:36:50 PM - Solution Number 00000209
Solution Number 00000209

UserName:shurtj
8/5/2014 4:14:42 PM - Updated Article
Updated article and made changes to abide by Primus best practices.

Product Details

RSA Product Set: Netwitness Platform
RSA Product/Service Type: Decoders (Packet/Log), Concentrators, Brokers
RSA Versions/Conditions: All Versions
Platform: CentOS, AlmaLinux

Approval Reviewer Queue

Technical approval queue