Enable Parsed Meta Keys in RSA NetWitness Platform That Do Not Currently Show In Investigation

Article Number

000001658

Applies To

RSA Product Set: NetWitness Platform 10.2.x
NetWitness Platform 10.3.x and later
Log Decoder
Concentrator
Broker
Meta
Transient

Issue

When reviewing log messages, I see that there is a lot of information in the messages that I would expect to show up parsed as Meta values in the Investigation module, but does not. Is there a way to modify NetWitness to parse this information?

Resolution

To reduce overhead and improve performance, NetWitness sets some common meta values to a state where they are processed (to support alerts, for example) but not written to disk. As a result, when the Concentrator attempts to pull those values from the Log Decoder, there is nothing to retrieve, because nothing was written to disk.

To display meta keys that are parsed but do not currently show in Investigation view, you need to edit the correct files on each node in your NetWitness infrastructure.

Note: There are two slightly different procedures for the Log Decoder, depending on the NetWitness version. Follow only the one that matches your Log Decoder version.


Log Decoder (10.2.x):

  1. SSH into the Log Decoder as root.
  2. Move to the correct directory:
     cd /etc/netwitness/ng/envision/etc
  3. Open the table-map.xml file for editing:
         vi table-map.xml
  4. Look for the variable that you want to change.
  5. Look at the flags parameter:
         - If the value is set to "Transient", the parsed data is stored in memory and never written to disk.
         - If the value is set to "None", we write the parsed data to disk.
         Make sure the flags parameter is set to "None".
         Save the file and exit vi.
  6. Stop the Log Decoder service:
     stop nwlogdecoder
  7. Start the Log Decoder service:
     start nwlogdecoder
The meta values should now be parsed and written to disk on the Log Decoder.

Log Decoder (10.3.x and Later):

  1. SSH into the Log Decoder as root.
  2. Move to the correct directory:
     cd /etc/netwitness/ng/envision/etc
  3. Create a new file called table-map-custom.xml in this directory.
  4. Open the table-map.xml file for editing:
      vi table-map.xml
  5. Look for the variable that you want to change.
  6. Copy the entire line that contains your variable. You are going to add this same line to the new table-map-custom.xml file you created in step 3.
  7. Open table-map-custom.xml and paste in the line you just copied.
  8. Look at the flags parameter:
         - If the value is set to "Transient", the parsed data is stored in memory and never written to disk.
         - If the value is set to "None", we write the parsed data to disk.
         Make sure the flags parameter is set to "None".
         Save the file and exit vi.
  9. Stop the Log Decoder service:
     stop nwlogdecoder (10.x) or systemctl stop nwlogdecoder (11.x)
  10. Start the Log Decoder service:
     start nwlogdecoder (10.x) or systemctl start nwlogdecoder (11.x)
The meta values should now be parsed and written to disk on the Log Decoder.

Concentrator:

  1. SSH into the Concentrator as root.
  2. Move to the correct directory:
      cd /etc/netwitness/ng
  3. Open the index-concentrator-custom.xml file for editing:
         vi index-concentrator-custom.xml
  4. Add the new meta key entry that you want to show up in Investigation view.
         Note: There are no exact steps here. Your best approach is to copy an existing entry that closely matches yours from index-concentrator.xml.
  5. Stop the Concentrator service:
         stop nwconcentrator (10.x) or systemctl stop nwconcentrator (11.x)
  6. Start the Concentrator service:
         start nwconcentrator (10.x) or systemctl start nwconcentrator (11.x)
The meta values should now be pulled from the Log Decoder and displayed in Investigation view under the Meta Key entry you added to index-concentrator-custom.xml.

Broker (if applicable):

  1. SSH into the Broker as root.
  2. Move to the correct directory:
         cd /etc/netwitness/ng
  3. Open the index-broker-custom.xml file for editing:
         vi index-broker-custom.xml
  4. Copy the same line you added to index-concentrator-custom.xml on the concentrator to this file.
  5. Stop the Broker service:
         stop nwbroker (10.x) or systemctl stop nwbroker (11.x)
  6. Start the Broker service:
         start nwbroker (10.x) or systemctl start nwbroker (11.x)
The meta values should now be pulled from the Concentrator and displayed in Investigation view under the Meta Key entry you added to index-broker-custom.xml.
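The Log Decoder (10.3.x and later) and Concentrator/Broker procedures above, scripted as an added example; this is not NetWitness tooling and not code from the article. It assumes a constructed file layout (a `<mapping ... nwName="..." flags="..."/>` line per key in table-map.xml and a `<key ... name="..."/>` line per key in the custom index file), assumes an entry in table-map-custom.xml overrides the stock entry in table-map.xml (which is why the article has you copy the line rather than edit the stock file), and works in a scratch directory unless WORKDIR is pointed elsewhere. The `promote_key` function copies a mapping line into table-map-custom.xml with flags set to None, and `ready_for_investigation` reports whether a key meets both conditions the article requires: written to disk on the Log Decoder and declared in the custom index.

```shell
#!/bin/sh
# Added example (not NetWitness tooling): automate "copy the mapping line into
# table-map-custom.xml and set flags to None", then check the key is also present
# in the Concentrator/Broker custom index file.
# ASSUMED file layout (constructed sample, not copied from a real installation):
#   table-map.xml:       <mapping envisionName="..." nwName="..." flags="Transient|None" format="..."/>
#   index-*-custom.xml:  <key description="..." level="..." name="..." format="..."/>
# Paths default to a scratch directory so this runs offline; on a real Log Decoder
# WORKDIR would be /etc/netwitness/ng/envision/etc (review output before restarting).

WORKDIR="${WORKDIR:-$(mktemp -d)}"
TABLE_MAP="$WORKDIR/table-map.xml"
TABLE_MAP_CUSTOM="$WORKDIR/table-map-custom.xml"
INDEX_CUSTOM="$WORKDIR/index-concentrator-custom.xml"

# Constructed sample table-map.xml: two keys are parsed but never written to disk.
cat > "$TABLE_MAP" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="process" nwName="process" flags="Transient" format="Text"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="Transient" format="Text"/>
</mappings>
EOF

# Constructed sample custom index that already declares one of those keys.
cat > "$INDEX_CUSTOM" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<language>
  <key description="Process" level="IndexValues" name="process" format="Text"/>
</language>
EOF

# transient_keys FILE: list the nwName of every mapping kept in memory only.
transient_keys() {
    grep -F 'flags="Transient"' "$1" | sed -n 's/.*nwName="\([^"]*\)".*/\1/p'
}

# mapping_flags NWNAME FILE: print the flags value for that key in FILE (empty if absent).
mapping_flags() {
    [ -f "$2" ] || return 0
    grep -F "nwName=\"$1\"" "$2" | sed -n 's/.*flags="\([^"]*\)".*/\1/p' | head -n 1
}

# promote_key NWNAME: copy the key's mapping line from table-map.xml into
# table-map-custom.xml with flags="None" and print the resulting line.
# Returns 1 if the key has no mapping, so a typo does not silently do nothing.
promote_key() {
    line=$(grep -F "nwName=\"$1\"" "$TABLE_MAP" | head -n 1 | sed 's/^[[:space:]]*//')
    [ -n "$line" ] || return 1
    fixed=$(printf '%s\n' "$line" | sed 's/flags="Transient"/flags="None"/')
    if [ ! -f "$TABLE_MAP_CUSTOM" ]; then
        printf '<?xml version="1.0" encoding="utf-8"?>\n<mappings>\n</mappings>\n' > "$TABLE_MAP_CUSTOM"
    fi
    if ! grep -qF "nwName=\"$1\"" "$TABLE_MAP_CUSTOM"; then
        # rewrite the file with the new line inserted before the closing root tag
        tmp="$TABLE_MAP_CUSTOM.tmp"
        grep -v '^</mappings>' "$TABLE_MAP_CUSTOM" > "$tmp"
        printf '  %s\n</mappings>\n' "$fixed" >> "$tmp"
        mv "$tmp" "$TABLE_MAP_CUSTOM"
    fi
    printf '%s\n' "$fixed"
}

# effective_flags NWNAME: the flags the Log Decoder will use, assuming a
# table-map-custom.xml entry overrides the stock table-map.xml entry.
effective_flags() {
    f=$(mapping_flags "$1" "$TABLE_MAP_CUSTOM")
    [ -n "$f" ] || f=$(mapping_flags "$1" "$TABLE_MAP")
    printf '%s\n' "$f"
}

# index_has_key NWNAME FILE: does the Concentrator/Broker custom index declare the key?
index_has_key() {
    grep -qF " name=\"$1\"" "$2"
}

# ready_for_investigation NWNAME: "yes" only when the key is written to disk on the
# Log Decoder AND declared in the custom index, the two conditions the article requires.
ready_for_investigation() {
    if [ "$(effective_flags "$1")" = "None" ] && index_has_key "$1" "$INDEX_CUSTOM"; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Demonstration: audit the stock file, promote "process", and report both keys.
echo "Transient keys in $TABLE_MAP:"
transient_keys "$TABLE_MAP"
promote_key process >/dev/null
echo "process    -> flags=$(effective_flags process), investigation-ready: $(ready_for_investigation process)"
echo "alias.host -> flags=$(effective_flags alias.host), investigation-ready: $(ready_for_investigation alias.host)"
```

After the script reports a key as ready, the services still have to be restarted as the article describes for the change to take effect; the script only edits and checks files. Keys that show flags=None but are not declared in index-concentrator-custom.xml (and index-broker-custom.xml where a Broker is in use) remain invisible in Investigation, which is the case the `ready_for_investigation` check is meant to catch.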
Version history
Last update: 2022-02-10 01:16 PM
Updated by: nwinfotech

© 2022 RSA Security LLC or its affiliates. All rights reserved.