Article Number
000002788
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Event Stream Analysis
RSA Version/Condition: 10.5.x
Issue
If a session contains more than one value for a particular meta, ESA reads only the first value when the type of that meta is String.
Resolution
The steps below assume you want to change the type of the ‘ip_addr’ meta from string (the default) to string array.
SSH to the ESA appliance.
Navigate to /opt/rsa/esa/conf and edit the following files:
1. eplModuleManager.json
Change the value of
‘ip_addr’ string to ‘ip_addr’ string[]
2. nextgenAggregationSource.json
Locate the following line:
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username"}}
Add the ‘ip_addr’ meta after the username meta so that the line looks like this:
{"key": "ArrayFieldNames","value": {"type": "String","string": "action,alias_host,alias_ip,alias_ipv6,email,username,ip_addr"}}
Finally restart the ESA service (service rsa-esa restart).
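The edit in step 2 can be scripted. This is an added example, not RSA tooling: a POSIX shell function that appends a meta key to the ArrayFieldNames list only if it is not already there, keeping a backup copy first. The function name add_array_field and the .bak suffix are hypothetical, and it assumes the ArrayFieldNames entry sits on its own line in the form shown above.

```shell
#!/bin/sh
# Added example (not from the original article).
# add_array_field FILE KEY
#   FILE  path to nextgenAggregationSource.json (assumption: the
#         ArrayFieldNames entry is on one line, as in the article)
#   KEY   meta key to append, e.g. ip_addr
add_array_field() {
    file=$1
    key=$2

    # Accept only plain meta key names so the value is safe inside sed.
    case $key in
        ''|*[!A-Za-z0-9_.]*) echo "invalid meta key: $key" >&2; return 2 ;;
    esac

    # Pull out the current comma-separated list of array field names.
    current=$(sed -n 's/.*"key": *"ArrayFieldNames".*"string": *"\([^"]*\)".*/\1/p' "$file")
    if [ -z "$current" ]; then
        echo "ArrayFieldNames entry not found in $file" >&2
        return 1
    fi

    # Compare whole list elements, so alias_ip does not match alias_ipv6.
    case ",$current," in
        *",$key,"*) return 0 ;;   # already present, leave the file untouched
    esac

    # Keep the original, then rewrite the file with KEY appended to the list.
    cp -p "$file" "$file.bak" || return 1
    sed 's/\("key": *"ArrayFieldNames".*"string": *"[^"]*\)"/\1,'"$key"'"/' \
        "$file.bak" > "$file"
}
```

Run it against the file in /opt/rsa/esa/conf before restarting the ESA service; running it a second time with the same key changes nothing.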