Article Number
000001040
Applies To
RSA Product Set: RSA NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Archiver, Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Issue
How to add additional meta keys to the Archiver when required.
Resolution
Editing defined meta keys in index-archiver-custom.xml through the UI:
- Select Administration > Services > <select archiver service> > under Actions select View > Config
- Select the Files tab and select index-archiver-custom.xml from the drop-down box
- Add the required meta to index-archiver-custom.xml and press Apply
Example meta: category
Alternatively, from SSH you can edit /etc/netwitness/ng/index-archiver-custom.xml directly.
10.6.X Product Documentation Reference -
https://community.rsa.com/docs/DOC-83506
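When the file is edited over SSH, a check before restarting the service confirms that it is still well-formed XML and that the new key is defined exactly once. This is an added example, not RSA's code: the `check_index` helper is hypothetical, and the `<language>`/`<key>` layout in the sample is a constructed assumption that should be compared with the default index file on the appliance.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample. The element and attribute layout is an assumption;
# compare it with the default index file shipped on the appliance.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Category" format="Text" level="IndexValues" name="category" valueMax="10000"/>
</language>
"""

def check_index(xml_text, required=()):
    """Return (key_names, problems) for the text of an index custom file."""
    problems = []
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # A broken edit (unclosed tag, stray character) is reported here.
        return [], ["not well-formed XML: %s" % exc]
    names = []
    for key in root.iter("key"):  # commented-out keys are not seen by the parser
        name = key.get("name")
        if not name:
            problems.append("<key> element without a name attribute")
            continue
        names.append(name)
    for name, count in sorted(Counter(names).items()):
        if count > 1:
            problems.append("key %r defined %d times" % (name, count))
    for name in required:
        if name not in names:
            problems.append("expected key %r not found" % name)
    return names, problems

if __name__ == "__main__":
    # python check_index.py /etc/netwitness/ng/index-archiver-custom.xml category
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    names, problems = check_index(text, sys.argv[2:])
    print("keys defined: %s" % ", ".join(names))
    for problem in problems:
        print("PROBLEM: %s" % problem)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it finds a problem, so it can gate the service restart in a maintenance script.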
Restarting Archiver Service
Purpose: This makes the new custom meta keys available to the service.
- Stop aggregation from within the Web UI (to close open database files)
  - Select Administration > Services > <select archiver service> > under Actions select View > System
  - Select the 'Stop Aggregation' button
- Restart the Archiver service
  - When the Start Aggregation button is enabled, select the 'Shutdown Service' button (which will restart the Archiver service)
Adding Additional Meta Keys to be aggregated from Log Decoder (metaInclude)
- Select Administration > Services > <select archiver service> > under Actions select View > Config
- On the General Tab use the 'Stop Aggregation' button
- Select the decoder in Aggregated services and edit
- Find the new meta key in the Meta Include tab and select it
- If you are unable to find the meta in the Meta Include tab, you may need to restart jettysrv on the NetWitness Server.
Notes
Archivers are not intended to index the same number of meta keys as Concentrator services. By default around 41 meta keys are indexed from Log Decoders.
The Product Documentation contains the following warning: the more meta keys the Archiver indexes, the shorter the session retention time (because the metadb is larger) and the more resources are required to store and use these meta keys.
Caution: Adding meta or indexes will require additional storage, CPU resources, and Memory resources to support, and may impact retention time. As more meta items are added to the Archiver, the maximum aggregation rate will decrease, and the time to execute reports will increase.
Source: 10.6.5 Product Documentation Reference -
https://community.rsa.com/docs/DOC-83105