'Meta not available on device' is displayed in RSA NetWitness Platform investigations
Issue
"Meta not available on device" is displayed in RSA NetWitness investigations. When adding a custom log meta key to an RSA NetWitness device using the table-map.xml file, the error "Meta not available on device" is displayed in Investigation.
After editing the table-map.xml file and changing the value from "transient" to "none" and adding the key to the index-logdecoder.xml file, "Meta not available on device" is displayed for the custom value in Investigation.
Cause
At times, the standard table-map.xml and index-
This usability issue prompted the introduction of a different method to add custom keys to the configuration. As of RSA Security Analytics 10.3, custom changes must be introduced in new custom xml files to be recognized.
To toggle data types from memory resident to disk, the value for "flags" must be toggled from "transient" to "none" in a new file called table-map-custom.xml. All index-
The adoption of this model introduces two distinct advantages: 1) the customizations will no longer be overwritten during software upgrades, and 2) administration of customized XML files is easier, as delta change management for customizations is no longer necessary.
Resolution
Before beginning: All commands are executed as root from the command line of the device named in each step. All installations must execute steps for the A) Log Decoder and B) Concentrator, and sites with an optional broker must also execute the C) Broker steps. Process restarts of the log decoder, concentrator and broker are required to recognize these changes. When in production, schedule accordingly.
The below steps exemplify the process using "Severity" as the custom key example.
I. Log decoder(s):
Execute these steps on all log decoders:
- On the log decoder, data that is marked as "Transient" is memory resident and not written to disk; data that is set to "None" is parsed and written to disk. In order to write meta, you must set the value to "None".
- Issue the following command to enter the appropriate directory:
# cd /etc/netwitness/ng/envision/etc
- Locate the key you wish to use in the current table-map.xml file (vi hint: press / , enter the word "severity" and hit return). After locating the matching key, which by default is set to "Transient" as shown in the example below, the flag must be set to "None".
<mapping envisionName="severity" nwName="severity" flags="Transient" envisionDisplayName="Severity|SeverityLevel"/>
Save this key to a paste buffer but do not modify the key in this file.
- In the same directory, create table-map-custom.xml by issuing the following command:
# vi table-map-custom.xml
NOTE: This file is not on the system by default.
Add the key, changing the flags from "Transient" to "None".
The file with a single key will look similar to the following:
<?xml version="1.0" encoding="utf-8"?>
<mappings>
<mapping envisionName="severity" nwName="severity" flags="None" envisionDisplayName="Severity|SeverityLevel"/>
</mappings>
Save the file (vi hint: :wq!).
- Restart the Log Decoder service with the commands below, or via the RSA NetWitness UI (preferred):
- SA 10.x:
# stop nwlogdecoder
# start nwlogdecoder
- NW 11.x:
# systemctl stop nwlogdecoder
# systemctl start nwlogdecoder
This change will now write the key to disk. In order to see the value in Investigation, you must now do the following:
II. Concentrator
- Navigate to the appropriate directory with the following command:
# cd /etc/netwitness/ng
- Create or edit the file index-concentrator-custom.xml with the following command:
# vi index-concentrator-custom.xml
- Add the information below to include the key information for the custom meta, which is "Severity" in this example:
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
</language>
NOTE: Only the <key .../> line should be added if the index-concentrator-custom.xml file has already been created and configured.
- Restart the Concentrator service with the commands below, or via the RSA NetWitness UI (preferred):
- SA 10.x:
# stop nwconcentrator
# start nwconcentrator
- NW 11.x:
# systemctl stop nwconcentrator
# systemctl start nwconcentrator
III. OPTIONAL: Brokers. These steps are required only for installations that employ a broker to aggregate data from multiple concentrators.
- Navigate to the appropriate directory with the following command:
# cd /etc/netwitness/ng
- Create or edit the file index-broker-custom.xml with the following command:
# vi index-broker-custom.xml
- Add the information below to include the key information for the custom meta, which is "Severity" in this example:
<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Severity" level="IndexValues" name="severity" format="Text" valueMax="10000" />
</language>
NOTE: Only the <key .../> line should be added if the index-broker-custom.xml file has already been created and configured.
- Restart the Broker service with the commands below, or via the RSA NetWitness UI (preferred):
- SA 10.x:
# stop nwbroker
# start nwbroker
- NW 11.x:
# systemctl stop nwbroker
# systemctl start nwbroker
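The three parts above all come down to the same two file edits repeated per device: copy one <mapping> line into table-map-custom.xml with flags="None", and append one <key> line to the index-*-custom.xml of each Concentrator and Broker. The script below is an added example, not part of the RSA article, that performs those edits idempotently so a re-run after an upgrade neither overwrites an existing custom file nor duplicates the key, and it includes a check for the usual cause of the "Meta not available on device" message (no custom mapping, or one still flagged "Transient"). The NW_ENVISION_DIR / NW_NG_DIR variables, the function names and the constructed minimal table-map.xml used by the demo are this example's own assumptions; only the file paths and XML layout come from the article.

```shell
#!/bin/sh
# Added example, not part of the RSA article: scripts the article's edits so
# the custom XML files are created or extended in place, never overwritten.
# Directory defaults are the article's paths; NW_ENVISION_DIR / NW_NG_DIR
# (assumed names) override them so the demo can run in a scratch directory.
ENV_DIR="${NW_ENVISION_DIR:-/etc/netwitness/ng/envision/etc}"
NG_DIR="${NW_NG_DIR:-/etc/netwitness/ng}"

# Print the stock <mapping .../> line for a meta key (nwName) from the
# vendor table-map.xml. Exit 1 when the key is not defined there.
stock_mapping() {
    grep "nwName=\"$1\"" "$ENV_DIR/table-map.xml" | head -n 1 | grep .
}

# Copy the stock mapping into table-map-custom.xml with flags="None" so the
# Log Decoder writes the meta to disk. The vendor file is left untouched,
# the custom file is created with its <mappings> wrapper when absent, and
# an already-customised key is not duplicated (safe to re-run).
add_custom_mapping() {
    key="$1"; custom="$ENV_DIR/table-map-custom.xml"
    line=$(stock_mapping "$key") || { echo "no stock mapping for $key" >&2; return 1; }
    line=$(printf '%s\n' "$line" | sed 's/flags="Transient"/flags="None"/')
    [ -f "$custom" ] || printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' \
        '<mappings>' '</mappings>' > "$custom"
    grep -q "nwName=\"$key\"" "$custom" && return 0
    # awk rather than sed: envisionDisplayName values contain '|', which
    # would collide with a sed delimiter.
    awk -v ins="$line" '/<\/mappings>/ { print ins } { print }' "$custom" \
        > "$custom.tmp" && mv "$custom.tmp" "$custom"
}

# Add the <key .../> index entry for the meta to index-<service>-custom.xml,
# where service is "concentrator" or "broker". When the file already exists
# only the <key> line is inserted, as the article's NOTE requires.
add_index_key() {
    service="$1"; key="$2"; desc="$3"
    custom="$NG_DIR/index-$service-custom.xml"
    [ -f "$custom" ] || printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' \
        '<language level="IndexNone" defaultAction="Auto">' '</language>' > "$custom"
    grep -q "name=\"$key\"" "$custom" && return 0
    keyline="<key description=\"$desc\" level=\"IndexValues\" name=\"$key\" format=\"Text\" valueMax=\"10000\" />"
    awk -v ins="$keyline" '/<\/language>/ { print ins } { print }' "$custom" \
        > "$custom.tmp" && mv "$custom.tmp" "$custom"
}

# Print the flags value the custom mapping uses for a key ("None" after the
# fix). Exit 1 when the key has no custom mapping at all, the usual reason
# Investigation still reports "Meta not available on device".
custom_flags() {
    sed -n "s/.*nwName=\"$1\".*flags=\"\([A-Za-z]*\)\".*/\1/p" \
        "$ENV_DIR/table-map-custom.xml" 2>/dev/null | grep .
}

# Count the <key> lines for a meta in index-<service>-custom.xml (0 if the
# file does not exist yet).
index_key_count() {
    file="$NG_DIR/index-$1-custom.xml"
    [ -f "$file" ] || { echo 0; return 0; }
    grep -c "<key .*name=\"$2\"" "$file" || true
}

# Build a scratch directory holding a constructed, minimal table-map.xml so
# the functions can be exercised offline; points ENV_DIR and NG_DIR at it.
make_sample_env() {
    dir=$(mktemp -d); mkdir -p "$dir/envision/etc"
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<mappings>' \
        '<mapping envisionName="severity" nwName="severity" flags="Transient" envisionDisplayName="Severity|SeverityLevel"/>' \
        '</mappings>' > "$dir/envision/etc/table-map.xml"
    ENV_DIR="$dir/envision/etc"; NG_DIR="$dir"
}

# Demo against the scratch directory: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_sample_env
    add_custom_mapping severity
    add_index_key concentrator severity Severity
    add_index_key concentrator severity Severity   # second call must not duplicate
    echo "severity flags in custom map: $(custom_flags severity)"
    cat "$ENV_DIR/table-map-custom.xml" "$NG_DIR/index-concentrator-custom.xml"
fi
```

On a real device, run add_custom_mapping on each Log Decoder and add_index_key on each Concentrator (and Broker) with the default paths, then restart the service exactly as the article's stop/start commands show; the script deliberately does not restart anything, so the restart can be scheduled for a maintenance window.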
If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.
Notes
The information herein supersedes articles previously written for SA v10.2 and below as published in KB articles "How to enable non-displayed meta key values in RSA Security Analytics 10.2" and "How to display an enVision key or a custom meta key in an RSA Security Analytics Investigation".
Internal Comments
UserName: waughd
6/18/2014 5:34:54 PM - Made the following amendments
In step A4 of the article, should the filename be table-map-custom.xml? Also, as the file doesn't exist, it should look like
UserName: melim
6/23/2014 4:53:41 PM - tech reviewed
I have used the instructions before. David Waugh also reviewed this so will copy edit.
UserName: shurtj
6/27/2014 7:53:25 PM - Updated Article
Changed Goal statements to Fact statements and changed the Change statement to be a Cause statement. Split up the text in the Cause statement into paragraphs so that it is readable in SCOL. Fixed the broken links in the Note statement.
Jeff Shurtliff -- 1/21/2015
Updated the article to include version 10.4 and to adhere to Salesforce best practices. Reworded the steps in the Resolution section to remove spelling and grammatical errors and to provide clarity.
Product Details
RSA Product Set: Security Analytics, NetWitness Platform
RSA Product/Service Type: Log Decoder, Concentrator, Broker
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7