Article Number
000032359
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.x
Issue
If a session contains more than one value for a particular meta key, ESA reads only the first value when that meta is of type String.
Task
Change the meta type from String to String Array so that ESA reads all values of that meta within a single session.
Resolution
Assume you want to change the ‘ip_addr’ meta, which is of type string by default, to string array.
SSH to the ESA appliance.
Navigate to /opt/rsa/esa/conf and edit the following files:
1. eplModuleManager.json
Change the type declaration from ‘ip_addr’ string to ‘ip_addr’ string[]
2. nextgenAggregationSource.json
Locate the following line:
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username"}}
Add the ‘ip_addr’ meta after the username meta so that the line finally reads:
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username,ip_addr"}}
Finally, restart the ESA service (service rsa-esa restart).
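As an added example (not RSA's code), the following Python script applies both edits idempotently and checks that the two files agree, so a meta is never listed in ArrayFieldNames while still declared as a scalar string. The file layouts it works on are assumptions, since the article shows only the quoted lines: a top-level list of {"key", "value"} objects in nextgenAggregationSource.json, and a "<meta> string" token in eplModuleManager.json.

```python
import json
import re

# Constructed sample of the ArrayFieldNames entry quoted in the article; that the
# file is a top-level list of {"key", "value"} objects is an assumption.
SAMPLE_AGG = json.dumps([{"key": "ArrayFieldNames", "value": {"type": "String",
    "string": "action,alias_host,alias_ip,alias_ipv6,email,username"}}])

# Constructed stand-in for eplModuleManager.json content. The article shows only
# the "'ip_addr' string" token, so the surrounding layout here is invented.
SAMPLE_EPL = "ip_addr string, alias_host string[], username string[]"

META = "ip_addr"


def _scalar_decl(meta):
    """Regex for '<meta> string' (optionally quoted) that is NOT already string[]."""
    return re.compile(r"(\b%s\b['\"]?\s+string)(?!\[)" % re.escape(meta))


def set_epl_array_type(epl_text, meta):
    """Step 1: turn a scalar '<meta> string' declaration into '<meta> string[]'.
    Idempotent: a declaration that is already string[] is left untouched."""
    return _scalar_decl(meta).sub(r"\1[]", epl_text)


def array_field_names(agg_text):
    """Parse the comma-separated ArrayFieldNames list out of the JSON text."""
    for entry in json.loads(agg_text):
        if entry.get("key") == "ArrayFieldNames":
            return [n for n in entry["value"]["string"].split(",") if n]
    raise KeyError("ArrayFieldNames entry not found")


def add_array_field(agg_text, meta):
    """Step 2: append meta to ArrayFieldNames without duplicating an existing entry."""
    doc = json.loads(agg_text)
    for entry in doc:
        if entry.get("key") == "ArrayFieldNames":
            names = [n for n in entry["value"]["string"].split(",") if n]
            if meta not in names:
                names.append(meta)
            entry["value"]["string"] = ",".join(names)
            return json.dumps(doc)
    raise KeyError("ArrayFieldNames entry not found")


def scalar_conflicts(agg_text, epl_text):
    """Consistency check: metas listed in ArrayFieldNames that the EPL text still
    declares as plain 'string', i.e. step 2 was done but step 1 was not."""
    return [n for n in array_field_names(agg_text) if _scalar_decl(n).search(epl_text)]
```

Run scalar_conflicts() against the real files after editing; an empty list means both files agree for every array meta.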