Often, Administrators and Content Managers alike need more information about the current status of their parsers (both Log and Network [formerly Packets]). There is an older, fancier interface for Log parser meta keys located here:
https://community.rsa.com/community/products/netwitness/blog/2017/11/13/rsa-meta-dictionary-tool
The script in this blog post is a bit more real-time and allows you to gain some additional visibility into your meta keys.
Prerequisites
Please ensure you have run ssh-propagate.sh on your SA Server (10.x) or NW Server / Node0 (v11). The script requires SCP access to downstream services for the log parsing functionality.
Synopsis
Log Parser -> Meta Key Mapping:
When run in Log mode with a specific parser as a parameter, this will output all of the meta keys used in that parser. It will also output each key's format and whether that key is "Passed to the Concentrator": a key whose flag is set to Transient is not passed to the Concentrator in the session, while a key whose flag is None is passed to the Concentrator.
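To show how a parser-to-meta-key mapping of this kind is produced, here is an added example (not the script from this post): it reads a constructed fragment in the style of a Log Decoder's table-map.xml and a constructed parser XML fragment in the style of rhlinux.xml, pulls the Envision keys out of each MESSAGE content string, and reports the NetWitness name, format and Transient/None flag for each. The table-map attribute names (envisionName, nwName, flags, format) and the `<key>` / `<@key:...>` content forms are assumptions that approximate the real files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample approximating a Log Decoder table-map.xml (assumption)
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="hostname" nwName="alias.host" flags="None" format="Text"/>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="action" nwName="action" flags="None" format="Text"/>
  <mapping envisionName="msg" nwName="msg" flags="Transient" format="Text"/>
  <mapping envisionName="event_cat_name" nwName="ec.activity" flags="None" format="Text"/>
</mappings>"""

# Constructed sample in the style of a log parser XML such as rhlinux.xml (assumption);
# note 'saddr' is deliberately left out of the table map above to show an unmapped key
PARSER_XML = """<DEVICEMESSAGES name="rhlinux" displayname="Red Hat Linux">
  <MESSAGE id1="SSHD_LOGIN" content="&lt;@msg:*PARMVAL($MSG)&gt;&lt;@event_cat_name:*getEventCategory(1)&gt;Accepted password for &lt;username&gt; from &lt;saddr&gt;"/>
  <MESSAGE id1="SUDO_CMD" content="&lt;hostname&gt; sudo: &lt;username&gt; : COMMAND=&lt;action&gt;"/>
</DEVICEMESSAGES>"""

# Matches <key> as well as <@key:function(...)> and captures the key name
KEY_RE = re.compile(r"<@?(\w+)(?::[^>]*)?>")

def load_table_map(xml_text):
    """Return {envisionName: (nwName, format, flags)} from a table-map document."""
    root = ET.fromstring(xml_text)
    return {m.get("envisionName"): (m.get("nwName"), m.get("format"), m.get("flags"))
            for m in root.iter("mapping")}

def parser_keys(xml_text):
    """Collect the Envision key names referenced by every MESSAGE content string."""
    root = ET.fromstring(xml_text)
    keys = set()
    for msg in root.iter("MESSAGE"):
        keys.update(KEY_RE.findall(msg.get("content", "")))
    return keys

def map_parser_keys(parser_xml, table_map_xml):
    """Report, per key the parser writes, its NetWitness name, format and whether it
    reaches the Concentrator (flags None) or stays on the Decoder (Transient)."""
    table = load_table_map(table_map_xml)
    rows = {}
    for key in sorted(parser_keys(parser_xml)):
        nw, fmt, flags = table.get(key, (None, None, None))
        passed = None if flags is None else flags == "None"   # None = no table-map entry
        rows[key] = {"nwName": nw, "format": fmt, "flags": flags,
                     "passed_to_concentrator": passed}
    return rows

if __name__ == "__main__":
    for k, r in map_parser_keys(PARSER_XML, TABLE_MAP_XML).items():
        print(f"{k:16} -> {r['nwName'] or 'UNMAPPED':12} {r['format'] or '-':5} "
              f"{r['flags'] or 'no table-map entry'}")
```

A key with no table-map entry is reported as UNMAPPED, which is the case worth checking first when meta you expect never shows up on the Concentrator.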
Network Parser -> Meta Key Mapping:
When run in Network mode with the IP of the Network Decoder, this will output all of the enabled parsers, each with its respective keys.
White = Enabled
Yellow = Transient
Red = Disabled
Runtime
To run in Log mode:
Example: ./get-parser-keys.py -l <PARSER NAME> -i <LOG DECODER IP>
Example: ./get-parser-keys.py -l rhlinux -i 192.168.1.113
To run in Network mode:
Example: ./get-parser-keys.py -n -i <NETWORK DECODER IP>
Example: ./get-parser-keys.py -n -i 192.168.1.112
Sample Output
Log Parser -> Meta Key Mapping
Network Parser -> Meta Key Mapping