The services fail to start after editing the table-map.xml or index-concentrator-custom.xml files

3 years ago

Originally Published: 2014-11-23

Article Number

000062018

Applies To

RSA Product Set: RSA Security Analytics
RSA Product/Service Type: Log Decoder, Concentrator
RSA Version/Condition: 10.3.x
Platform: Platform (Other): CentOS

Issue

The services fail to start after editing table-map.xml or index-concentrator-custom.xml files during custom meta key management. During a service restart you may notice the following errors in /var/log/messages file:

Module logdecoder failed to load: Diagnostic information: Throw in function nw::XmlNode& nw::XmlDocument::pop()
Dynamic exception type: nw::XmlError
std::exception::what: ERROR: pop() - XmlDocument stack is empty.
[boost::errinfo_at_line_*] = 1499
[boost::errinfo_file_name_*] = /etc/netwitness/ng/envision/etc/table-map-custom.xml

Cause

The xml file is corrupted or incorrectly modified.

Resolution

You can identify the error and validate an xml file using "xmllint" program. xmllint is a command line XML tool that can perform XML validation.

Example:
Login to an ssh session on the Log Decoder and then execute the following command:
xmllint validate /etc/netwitness/ng/envision/etc/table-map.xml

Login to an ssh session on the Concentrator and then execute the following command:
xmllint validate /etc/netwitness/ng/index-concentrator-custom.xml

You may refer Meta not available on device' is displayed in RSA Security Analytics investigations for the correct procedure to add a custom log meta key in 10.3.x.

Note : Its advisable to backup a copy of the file prior to making any changes.

Don't see what you're looking for?

Related Articles

Trending Articles