2020-07-08 04:12 PM
I've included a new meta key under index-concentrator-custom.xml to be indexed (and be searchable). Is it possible to have this meta information available for historical / old log data and not just new data? There is a doc here, Rebuilding the Index, which talks about reindexing, but I'm not 100% sure if it applies to new meta / modified meta. I have tried restarting the concentrator, which should trigger this, and I've only got the meta since I made the change and not on old data.
Any ideas?
2020-07-08 04:24 PM
Hello Stewart.
When meta is configured as "flags=Transient" it is held in memory and used by application rules or any other parsing that may occur on the Decoder, but once that parsing is complete, the meta is no longer needed and deleted. By configuring it to "flags=None", once meta processing is complete, the meta is then written to disk and can be retrieved with the corresponding call in the index-concentrator.xml or index-concentrator-custom.xml files that reside on the Concentrator.
Unfortunately, as there was no meta written to disk prior to you making this change, there is no way to go back and update your historical events to now have that meta indexed.
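As an added illustration (not from the original thread), the two settings described above side by side; the element names and attributes follow the usual NetWitness custom index file layout but the key name `custom.meta` and the exact attribute set are assumptions:

```xml
<!-- index-decoder-custom.xml on the Decoder (assumed layout) -->
<language>
  <!-- Transient: kept in memory for parsing/app rules only, never written to disk,
       so the Concentrator has nothing to index and old sessions can never gain it -->
  <key description="Custom Meta" format="Text" level="IndexNone" name="custom.meta" flags="Transient"/>

  <!-- None: meta is persisted to disk once parsing completes; only sessions
       captured after this change will carry the value -->
  <key description="Custom Meta" format="Text" level="IndexNone" name="custom.meta" flags="None"/>
</language>

<!-- index-concentrator-custom.xml on the Concentrator: indexes whatever the Decoder persisted -->
<language>
  <key description="Custom Meta" format="Text" level="IndexValues" name="custom.meta" valueMax="100000"/>
</language>
```

Only one of the two Decoder entries should be present; rebuilding the Concentrator index re-reads persisted meta, so it cannot recover values that were transient at capture time.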
2020-07-08 04:27 PM
Bummer! Thanks for confirming. So I guess the only thing I could resort to is slow text-based searching?
2020-07-08 04:34 PM
Hello Stewart:
For the older data prior to making the change, yes. Once configured, though, RSA NetWitness is great at helping you dig through what's important versus what is just noise - like most strong advanced SIEM systems, that usually requires understanding what you have coming in and then tuning it to how it is going to be most useful to you.