2 weeks ago
Hello,
Recently, I've enabled the meta key 'action' on the archiver so that I can use it to filter the results in the Investigate window, I've done that by modifying the file 'index-archiver-custom.xml', adding a new key for it.
I've applied the new changes and restarted the aggregation service which went well.
Now, whenever I try to investigate using the Archiver, I got empty results as the following screenshot:
Thanks in Advance.
Tuesday
@yazantaleb01 Please do not Investigate against the Archiver. This is not supported. You should only be using the Reporting Engine to do reports against the archivers. The system allows you to Investigate against it but your performance may vary dramatically and the interface may time out. This is why the Archivers are only for reporting purposes.
The following article shows how to fully add new meta to the archiver. The article is dated to 10.6.x but the steps are the same in the newer versions of NetWitness. https://community.netwitness.com/t5/netwitness-knowledge-base/how-to-add-additional-meta-keys-to-the-rsa-netwitness-archiver/ta-p/677579
Not only do you have to update the index-archiver-custom.xml, which is used to create indexing, but you also have to tell the archiver to start retrieving the meta from the log decoder.
1. Go into the Archiver's Config -> General page.
2. Toggle the Archiver's service that is connected to the log decoder you want to retrieve the new meta from so that is shows as offline in the Status column.
3. Click on the Edit Aggregate Service button, it is the square box with the red pencil in it.
4. In the box that pops up go to the Meta Include tab and select the meta you want to retrieve.
Do not select all meta, only select the meta that you want to index, otherwise you can drastically reduce the retention time of your archiver.
5. Once all the meta that you want to collect is selected, click Save.
6. Toggle the service back on so it is consuming from the log decoder again.
If you have more than one log decoder on an archiver that has the meta that you want, you'll need to do the same steps to all the connected log decoders not just the first one connected. You can see if the meta you want to collect is now saved by clicking on the little black circle with the i in it under the Meta Include column for the connected log decoder. The popup shows all the meta that the archiver is pulling from that log decoder.
I hope this helps. Please review the linked article for more information.
Tuesday
Thanks for the valuable information.
My point is that I want to investigate and apply some filters on old events that are only available using the Archiver, for example, 3 months back which is not available on the Concentrator. Is there any other way to achieve this?
Regards.
Wednesday
@yazantaleb01 Yes you should create the query as a rule in the Reporting Engine. Then run that rule as part of a report against the archiver. It will return the results you are looking for. Just remember that whatever meta that is associated with the logs you are searching for you need to put in the Select field of the reporting engine rule.
If you can provide some more detail as to exactly what you are attempting to find I might be able to provide an example of what I mean. Just remember any query you can do in Investigation you can do with a reporting engine rule.