In the RSA Security Analytics UI you cannot create a custom feed that has two or more MetaCallback keys (multiple indexes).
Steps for creating custom feed with multi MetaCallback keys Within the UI you can't create a custom feed with multiple MetaCallback keys (multiple indexes) while using the Custom Feed Wizard. To create this type of feed you will have to make a custom XML feed file. Here is an example of a XML file and the comments are denoted by <!-- -->.(In our interface the comments are not supported so if you use this as a template you will have to delete the comments for this file to work or you will get compile errors)
1. Create custom xml file
<?xml version="1.0" encoding="utf-8"?><!--All comments must be deleted for will not compile in appliance-->
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="CustomFeed" <!-- The name you want to give the file -->
path="CustomFeed.csv" <!-- This is the name of the csv file that you create -->
<MetaCallback name="AliasHost"> <!--Callback key 1 -->
<Meta name="alias.host" valuetype="Text" ignorecase="true"/>
<MetaCallback name="Domain"> <!--Callback key 2 -->
<Meta name="domain" valuetype="Text" ignorecase="true"/>
<LanguageKey name="alert" valuetype="Text"/>
<Fields> <!--This is what references the code in the CSV file-->
<Field index="1" type="index" key="AliasHost"/> <!--First column in the CSV file-->
<Field index="2" type="index" key="Domain"/> <!--Second column in the CSV file-->
<Field index="3" type="value" key="alert" /> <!--Third column in the CSV file-->
2. Create custom CSV file After creating your custom XML file you will need to create a custom CSV file. As stated in the above XML file the default values for comments are “#” and separator are “,”. Below is an example of a CSV file that works with the above XML file.
Make sure there are no extra white space and blank lines within the CSV file or it will not compile correctly. Now that we have the correct code generated lets go over exactly what is happening. We have two MetaCallback keys that we created (more can be added) and these keys are putting the meta values in “alert” with the values of “whitelist” or “blacklist”.
3. Copy the XML and CSV files to the appliance Since the UI Custom Feed cannot be used for generating the custom feed it must be manually compiled and copied to your Decoders (Log/Packet). Take the XML file and CSV file and move the files over to a decoder with this command "scp email@example.com:/root/CustomFeed.csv” The x’s represent the ip address of the location you are copying the files from. The screen shot below shows this process.
If you try to edit the XML file and upload it through the GUI you will get and error and it will not work. (See screenshot below)