NetWitness Community

ChaitraKulkarn1 · ‎2017-11-13

The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports over 300+ unique log event sources. Each log event source has a respective log parser for parsing the content of each log. The Meta Dictionary tool describes the metadata used in each of the parsersd.

This blog post is intended to help a user understand how to use the tool so they can see the various metadata used in a parser, description of each of the metadata keys and the number of times each metadata keys appear in a parser.

Deployments

You need to download the following attachments from the blog post:

data.meta file
metadictionary.html file

Supported Browsers

Google Chrome version 44 or later
Firefox version 36 or later
Internet Explorer 10 or later
Safari version 7 or later

Viewing Meta Data Definitions

Once you open metadictionary.html file in a browser you will see something similar to the screenshot below.

The screen contains the following sections:

Left Navigation pane: contains a list of all the parsers.
Details pane: contains the meta details for the selected parser.

This tool offers the flexibility to search for meta keys, data type, etc. as shown in the image below.

In the above screen, we have searched for ipv4, and three occurrences were found; note that the search is case insensitive.

Screen Reference

Screen	Item	Description
Screen	Item	Description
Parser Name/Version		Left Navigation Pane, and Details Panedisplays Parser Name and Version
Search		A free text search box that you can use to filter results

Show/Hide Columns		Drop down menu from each Column Header allows you to display or hide column

Column Reference

The following table describes each of the available columns that contain the meta data for the parsers.

Column Name	Description
Investigation Display Name	The value displayed in Investigation Page of RSA NetWitness UI for each Meta
Parser Metakey(occurrences)	Meta key as used in the Parser and its count in parenthesis. For example, for the
	aix parser, the saddr meta key occurs 151 times in the parser definition
SA Metakey	Corresponding Meta Name for the meta key in parser definition. Meta Name is used
	in RSA NetWitness Suite
Metakey Description	The description for the key.
TableMapDatatype	The data type of a meta key, as listed in the default table map.xml.
TableMap Indexed	Whether or not the key is indexed in the table map.
	The following examples show the table map details for indexed
	and non-indexed meta:
	Indexed:
	<mapping
	envisionName="device.ip"nwName="device.ip"

	format="IPv4"	flags="None"/>
	Not Indexed: <mapping
	envisionName="device.ip"nwName="device.ip"

	format="IPv4"	flags="Transient"/>

Index-Concentrator	Whether or not the key is available in the default index-concentrator.xml.

We hope you find this tool useful and welcome any feedback or suggestions for improvement. Please feel free to leave any constructive feedback in the comments below!

JayShah · ‎2017-11-15

Currently we have posted output of the meta dictionary tool, which provides all parser and meta related information. We will be providing such result outputs on quarterly basis. Tool will be eventually released, currently it is under development.

someone · ‎2017-11-16

Excellent idea and initiative!

I will post some feedback after spending some time with it.

Thank you

Anonymous · ‎2017-11-28

This was a great idea and is truly helpful! I've spent a few years working with the table-maps, indexes, and the ESI tool to modify or create new parsers, present data in different ways, etc... This will be very useful and greatly speed up some of the work I do on our system.

Thank You!

James

AndrewThompson2 · ‎2017-12-21

Hi

I think this is a good start and something that's been needed for some time.

I would like to suggest that you should have the option to lookup the meta key directly rather than knowing which parser to look in first. This may help identify instances where the same meta keys are used in different parsers but have different uses and may aid with normalization across parsers.

Eventually this feature would be great to build into the Netwitness UI so users could right click and get a user friendly meta key description.

Thanks.

Anonymous · ‎2017-12-21

Excellent work! Is anything like this being created for packet parsers?

DesmondKwang · ‎2018-01-09

Great tool, especially helpful for new hire like me.

I agreed with Andrew Thompson that it would be awesome to have an option to search for meta key across all parsers.

MarcoDemonte · ‎2018-01-24

Amazing, thank you!

marco

VarunGovindaraj · ‎2019-04-01

Great work It eases the work

Varun P G

CarolBoijaud · ‎2020-01-13

Thanks for the work. How did you generate the data.meta file? Indeed, it would be interesting for us to generate one with our own custom parsers and our own table-maps and index files..

If we could recreate a data.meta file with our own parsers etc. it would be amazing.. Could you please share a way to generate this file?

Thanks!

Carole

BohdanR · ‎2020-03-31

This looks like a useful tool, but I didn't find any update for it. Where can I find the quarterly updated data and possibly released version of the tool? I don't see any updates here since the initial post in 2017...

MarcoDemonte1 · ‎2020-04-29

Hello Carol,

at https://community.rsa.com/community/products/netwitness/blog/2019/04/03/netwitness-log-network-parser-meta-mapping there is a little development and update of this amazing tool. I haven't test it yet but it should answer to your question.

Best regards

Marco

NetWitness Community

RSA NetWitness Meta Dictionary Tool