When adding additional meta keys on the Archiver appliance from the MetaInclude column under Config view - 'General' tab, the below error shows up:
This is because the default MetaInclude max capacity is 1024 characters on the Archiver.
To increase the length of the field, do the following:
1) SSH to the Archiver
2) stop nwarchiver
3) cp /etc/netwitness/ng/NwArchiver.cfg /etc/netwitness/ng/NwArchiver.cfg.backup
4) Edit the file to find the following line:
<config getRoles="archiver.manage" instance="device.config" maxLength="1024" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host,device.class,device.ip,device.type,ec.activity,ec.outcome,ec.subject,ec.theme,email,email.src,event.cat.name,event.desc,event.source,event.time,event.type,event.user,filename,group,ip.addr,ip.dst,ip.src,lc.cid,logon.type,msg.id,obj.name,obj.type,policy.name,process,result.code,user.dst,user.src,username,virusname,medium,time,sessionid,size,payload"/>
Note here that the maxLength value is 1024.
Change the maxLength field to 2048 (or another multiple of 2 as appropriate).
The line would then appear as follows:
<config getRoles="archiver.manage" instance="device.config" maxLength="2048" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,alias.host,device.class,device.ip,device.type,ec.activity,ec.outcome,ec.subject,ec.theme,email,email.src,event.cat.name,event.desc,event.source,event.time,event.type,event.user,filename,group,ip.addr,ip.dst,ip.src,lc.cid,logon.type,msg.id,obj.name,obj.type,policy.name,process,result.code,user.dst,user.src,username,virusname,medium,time,sessionid,size,payload"/>
5) Add additional keys onto the end of this line as appropriate or add the additional keys from the
SA UI - Administration - Archiver appliance - locate the MetaInclude column under Config view -
'General' tab and select the additional metakeys to include in the Archiver.
6) Start the nwarchiver service.
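
The helper below is an added example, not part of the original article or any vendor tooling. It checks whether extra meta keys still fit under maxLength and performs the backup and maxLength edit from steps 3 and 4. The function names and the shortened sample line are constructed for illustration, and it assumes that maxLength bounds the whole value string and that sed is GNU sed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes the options line has the attribute
# order shown above and that maxLength bounds the whole value="..." string.
OPT='/instance="device.config".*name="options"/'   # sed address of that line

# Constructed, shortened options line for trying the functions offline.
make_sample_cfg() {
    printf '%s\n' '<config getRoles="archiver.manage" instance="device.config" maxLength="1024" name="options" prettyName="Options" setRoles="archiver.manage" value="metaInclude=action,alert.id,time,sessionid,size,payload"/>' > "$1"
}

# Print the current maxLength of the options line.
options_maxlength() {
    sed -n "$OPT"'s/.*maxLength="\([0-9]*\)".*/\1/p' "$1"
}

# Print the character count of the value attribute on the options line.
options_value_length() {
    val=$(sed -n "$OPT"'s/.*value="\([^"]*\)".*/\1/p' "$1")
    echo "${#val}"
}

# Succeed only if appending the comma-separated keys in $2 stays within maxLength.
keys_fit() {
    cur=$(options_value_length "$1")
    max=$(options_maxlength "$1")
    [ $(( $cur + ${#2} + 1 )) -le "$max" ]    # +1 for the joining comma
}

# Steps 3 and 4: keep a backup, then change only maxLength on the options line.
set_options_maxlength() {
    case $2 in ''|*[!0-9]*) echo "maxLength must be numeric" >&2; return 2 ;; esac
    [ -e "$1.backup" ] || cp -p "$1" "$1.backup" || return 1   # never clobber an existing backup
    sed -i "$OPT"'s/maxLength="[0-9]*"/maxLength="'"$2"'"/' "$1"
}
```

On the appliance these would be pointed at /etc/netwitness/ng/NwArchiver.cfg after step 2, for example `keys_fit /etc/netwitness/ng/NwArchiver.cfg "user.dst,user.src" || set_options_maxlength /etc/netwitness/ng/NwArchiver.cfg 2048`, followed by step 6.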