Article Number
000032150
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Archiver
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
RSA Product/Service Type: Security Analytics UI, Archiver
RSA Version/Condition: 10.5.x
Platform: CentOS
O/S Version: EL6
Issue
When adding additional Metakeys on the Archiver appliance from the MetaInclude column under Config view - 'General' tab the below error shows up:
Image description
This is because the default MetaInclude max capacity is 1024 characters on the Archiver..
Image descriptionThis is because the default MetaInclude max capacity is 1024 characters on the Archiver..
Resolution
To increase the length of the field please do the following.
1) SSH to the Achriver
2) stop nwarchiver
3) cp /etc/netwitness/ng/NwArchiver.cfg /etc/netwitness/ng/NwArchiver.cfg.backup
4) Edit the file to find the following line:
Note here that the maxLength value is 1024.
Change the max Length Field to 2048 (or another multiple of 2 as appropriate)
The line would then appear as follows:
5) Add additional keys onto the end of this line as appropriate or add the additional keys from the
SA UI - Administration - Archiver appliance - locate the MetaInclude column under Config view -
'General' tab and select the additional metakeys to include in the Archiver.
6) start the nwarchiver service.
1) SSH to the Achriver
2) stop nwarchiver
3) cp /etc/netwitness/ng/NwArchiver.cfg /etc/netwitness/ng/NwArchiver.cfg.backup
4) Edit the file to find the following line:
<config getRoles="archiver.manage" instance="device.config" maxLength="1024" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host,device.class,device.ip,device.type,ec.activity,ec.outcome,ec.subject,ec.theme,email,email.src,event.cat.name,event.desc,event.source,event.time,event.type,event.user,filename,group,ip.addr,ip.dst,ip.src,lc.cid,logon.type,msg.id,obj.name,obj.type,policy.name,process,result.code,user.dst,user.src,username,virusname,medium,time,sessionid,size,payload"/>
Note here that the maxLength value is 1024.
Change the max Length Field to 2048 (or another multiple of 2 as appropriate)
The line would then appear as follows:
<config getRoles="archiver.manage" instance="device.config" maxLength="2048" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host,device.class,device.ip,device.type,ec.activity,ec.outcome,ec.subject,ec.theme,email,email.src,event.cat.name,event.desc,event.source,event.time,event.type,event.user,filename,group,ip.addr,ip.dst,ip.src,lc.cid,logon.type,msg.id,obj.name,obj.type,policy.name,process,result.code,user.dst,user.src,username,virusname,medium,time,sessionid,size,payload"/>
5) Add additional keys onto the end of this line as appropriate or add the additional keys from the
SA UI - Administration - Archiver appliance - locate the MetaInclude column under Config view -
'General' tab and select the additional metakeys to include in the Archiver.
6) start the nwarchiver service.
In this article
