2016-06-05 04:19 AM
Dear All,
I have created a UDS for a customer. It's working fine for 3 days and after 3 days, we are not able to find the Event.desc in the RSA investigation.
But when we drill down into the particular event, we are able to find the Event.desc.
Please let me know if you can help me with the above issue.
Thanks
2016-06-06 04:11 AM
Have a look at this KB article I wrote about this:
and also
https://rsaportal.force.com/customer/articles/How_To/How-To-Monitor-if-an-Meta-Index-Key-is-Full
2016-06-05 09:40 AM
Your event description meta key is full.
It can't hold any more unique values.
2016-07-29 07:32 PM
David Waugh is correct. If the environment is small enough you could probably increase the max values for event.description and you will be good to go.
If you have a large environment I would avoid using event.description in any parser. It is a generic placeholder in a large number of parsers (particularly Linux and ESXi) and tends to fill up quickly (we hit 20,000,000 unique entries in about 1-2 hours). I count event_description showing up in 129,648 messages on the parsers stored on the filesystem.
Example generic parser:
id2="postfix/cleanup"
eventcategory="1605010000"
content="<@hostname:*HDR(hhost)><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)><event_description>" />
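
Added example (not part of any post above, and not RSA's code): a sketch of the count described in the last post, listing which parser messages capture into event_description and which of those have no literal text in their content string, so the key receives the whole remaining payload. The MESSAGE/DEVICEMESSAGES element names, the XML-escaped content attribute, the second and third sample messages and the "catch_all" heuristic are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample parser. The first MESSAGE reuses the attributes quoted in the
# post; the element names and the other two messages are assumptions.
SAMPLE_PARSER = """\
<DEVICEMESSAGES name="constructed_example">
  <MESSAGE id2="postfix/cleanup" eventcategory="1605010000"
    content="&lt;@hostname:*HDR(hhost)&gt;&lt;@:*SYSVAL($MSGID,$ID1)&gt;&lt;@msg:*PARMVAL($MSG)&gt;&lt;event_description&gt;" />
  <MESSAGE id2="sshd" eventcategory="1401060000"
    content="Accepted password for &lt;username&gt; from &lt;saddr&gt; port &lt;sport&gt;" />
  <MESSAGE id2="kernel" eventcategory="1605000000"
    content="&lt;@msg:*PARMVAL($MSG)&gt;link state changed: &lt;event_description&gt;" />
</DEVICEMESSAGES>
"""

TOKEN = re.compile(r"<[^<>]*>")                # any <...> token in a content string
CAPTURE = re.compile(r"<([A-Za-z_][\w.]*)>")   # plain <name> capture (no leading @)


def audit_key(parser_xml, key="event_description"):
    """Report which messages capture into `key`, and which of them are catch-alls."""
    root = ET.fromstring(parser_xml)
    total, using, catch_all = 0, [], []
    for msg in root.iter("MESSAGE"):
        total += 1
        content = msg.get("content", "")
        if key not in CAPTURE.findall(content):
            continue
        ident = msg.get("id2") or msg.get("id1") or "?"
        using.append(ident)
        # Heuristic (assumption): with no literal text left once the tokens are
        # removed, the capture takes the whole payload, so nearly every event
        # yields a new unique value for the key.
        if not TOKEN.sub("", content).strip():
            catch_all.append(ident)
    return {"messages": total, "using_key": using, "catch_all": catch_all}


if __name__ == "__main__":
    print(audit_key(SAMPLE_PARSER))
```

Messages listed under catch_all are the first candidates for moving to a non-indexed key or for tighter parsing when the key keeps filling up.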