Article Number
000001599
Applies To
RSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Content, User Interface
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: EL6
Issue
Because custom feeds are case-sensitive, the feed will not tag the meta properly if the meta is in a different case than specified in the CSV file. Also, when a feed file with more than one set of double quotes is deployed, Adhoc feeds fail to deploy and recurring feeds deploy but do not make a match.
Workaround
To make the custom feed case-insensitive, the ignorecase Boolean value must be set to true within the MetaCallback tag in the XML file, for example:
<MetaCallback name="device" valuetype="Text" ignorecase="true">
Follow the steps that are documented in the article 000029517 entitled
Custom feed is not being applied to all meta data in RSA Security Analytics.
Also, when a feed file that contains double quotes is deployed and double quotes are incorrectly displayed on the RSA Security Analytics UI, you can view the feed file in a text editor to check which string is actually going to be matched against strings in the log file. For example, if you have string “abc” that you want to match from a log file, then when you view the feed file in a text editor, it should also have “abc”. However, the RSA Security Analytics User Interface will display these quotes as truncated for this given string in the custom feed.