RSA NetWitness Live Feeds are not showing meta values for required meta keys in the Investigate page
Issue
When a Live Feed is deployed to a Log Decoder, the required meta keys listed in the feed details do not generate meta values.
Example:
The feed below generates meta values for the highlighted meta keys.
Tasks
This can happen for multiple reasons:
- Feeds may not be deployed to the Log Decoder.
- Meta keys are not defined in the table-map.xml and index-concentrator.xml files.
- FeedParser meta keys are not enabled.
Resolution
Please follow the instructions below to generate meta values.
- Verify that the feeds are deployed to the Log Decoder by running the commands below in a PuTTY session on the Log Decoder.
cd /etc/netwitness/ng/feeds/
[root@BLRCSLogDecoder feeds]# ls -l
total 260
-rw-------. 1 root root 407 Oct 27 17:36 esmfeed.feed
-rw-r--r--. 1 root root 133 Oct 27 17:36 esmfeed.feed-attr.xml
-rw-r--r--. 1 root root 3936 Mar 8 2019 feed-definitions.xsd
-rw-------. 1 root root 160 Oct 24 00:43 feed.tokens
-rw-------. 1 root root 171088 Sep 24 22:40 investigation.feed
-rw-r--r--. 1 root root 430 Sep 24 22:40 investigation.feed-attr.xml
-rw-------. 1 root root 336 Sep 24 22:40 nwconst_c2_ips.feed
-rw-r--r--. 1 root root 431 Sep 24 22:40 nwconst_c2_ips.feed-attr.xml
-rw-------. 1 root root 59312 Oct 24 00:43 nwspamhaus_drop_list_ip.feed
-rw-r--r--. 1 root root 440 Oct 24 00:43 nwspamhaus_drop_list_ip.feed-attr.xml
- Verify that the Log Decoder table-map.xml and the Concentrator index-concentrator.xml have definitions for the required meta keys. If they have to be defined, please use the article 'Meta not available on device' is displayed in RSA Security Analytics investigations.
- Navigate to LogDecoder->Config->General->Parsers Configuration. Expand + for FeedParser and make sure the required meta keys are Enabled as below.
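The first two checks above can be scripted. The following is an added example, not part of the original article or of RSA's tooling: the file locations are passed in by the caller, the attribute names nwName=, flags= and name= (and the meaning of flags="Transient") are assumptions about the layout of table-map.xml and index-concentrator.xml, and the demo.* meta keys and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article). Paths are supplied by the caller;
# the attribute names nwName=, flags= and name= are assumptions about the
# layout of table-map.xml and index-concentrator.xml.

# feeds_missing_attr DIR: print every *.feed in DIR that lacks its
# <name>.feed-attr.xml companion (the pairing seen in the ls -l listing).
feeds_missing_attr() {
    for f in "$1"/*.feed; do
        [ -e "$f" ] || continue              # glob matched nothing
        [ -e "$f-attr.xml" ] || basename "$f"
    done
}

# check_meta_keys TABLE_MAP INDEX KEY...
# Print one status line per key; return 1 if any key needs attention.
check_meta_keys() {
    tmap=$1 index=$2 rc=0
    shift 2
    for key in "$@"; do
        row=$(grep -F "nwName=\"$key\"" "$tmap" || true)
        if [ -z "$row" ]; then
            tm=missing
        elif printf '%s\n' "$row" | grep -qF 'flags="Transient"'; then
            tm=transient                     # assumed: parsed but not persisted
        else
            tm=ok
        fi
        if grep -qF " name=\"$key\"" "$index"; then ix=ok; else ix=missing; fi
        [ "$tm" = ok ] && [ "$ix" = ok ] || rc=1
        echo "$key table-map=$tm index=$ix"
    done
    return "$rc"
}

# Constructed sample files and hypothetical demo.* keys, for an offline run.
demo() {
    d=$(mktemp -d)
    : > "$d/a.feed"; : > "$d/a.feed-attr.xml"; : > "$d/b.feed"
    printf '%s\n' '<mapping envisionName="x" nwName="demo.src" flags="None"/>' \
        '<mapping envisionName="y" nwName="demo.desc" flags="Transient"/>' > "$d/tm.xml"
    printf '%s\n' '<key description="Demo" name="demo.src" format="Text"/>' > "$d/ix.xml"
    feeds_missing_attr "$d"
    check_meta_keys "$d/tm.xml" "$d/ix.xml" demo.src demo.desc demo.cat
    rm -rf "$d"
}
demo || true
```

On a Log Decoder, call feeds_missing_attr with /etc/netwitness/ng/feeds/ and check_meta_keys with the locations of your own table-map.xml and index-concentrator.xml plus the meta keys listed in the feed details.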
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.2.0.0
Platform: CentOS
O/S Version: 7