2018-02-07 10:58 AM
I'm having issues creating a message with the LPT tool using the TagVal option.
I have read the LPT user guide, specifically this section:
The Name Value Pair is disabled by default and it is enabled for user input only if the message definitions satisfy the <TAGVAL> format, as shown in the following examples.
The TAGVAL format is either:
<literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable> format
Or
<literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable><pairdelimiter> format
The TAGVAL in my .XML looks like:
<TAGVALMAP
pairdelimiter="|"
valuedelimiter=":"/>
My sample log file looks like the following (which to my eyes matches the format requirement). I'm setting the payload just after the | pipe after "Detection" (my message id).
CEF:0|RSA|Detection|Alias Host: DESKTOP-NAME|IP Src: 10.11.22.33|IP Src1: 100.77.88.99|Mac: 00:11:22:33:44:55|
From there, I'm stuck. The check box for "Name Value Pairs" is still not selectable.
Any ideas on what I'm doing incorrectly?
#lpt
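As an added example (not part of the original post or of the LPT tool), the following Python script checks a payload against the two TAGVAL forms quoted above and splits it into name/value pairs using the delimiters from the TAGVALMAP in the question. The sample line is the one posted; the choice to locate the payload by the message id followed by the pair delimiter, and to strip whitespace around each literal and variable, are this example's assumptions about how LPT treats the line, not documented behaviour.

```python
# Added example: validate and split a TAGVAL payload.
# Delimiters come from the TAGVALMAP in the question.
PAIR_DELIMITER = "|"
VALUE_DELIMITER = ":"

# Sample line from the question (CEF header, then "Detection" as message id, then the payload).
SAMPLE_LINE = (
    "CEF:0|RSA|Detection|Alias Host: DESKTOP-NAME|IP Src: 10.11.22.33"
    "|IP Src1: 100.77.88.99|Mac: 00:11:22:33:44:55|"
)


def split_payload(line, message_id="Detection", pair_delimiter=PAIR_DELIMITER):
    """Return the text after '<message_id><pair_delimiter>'.

    Assumption of this example: the payload starts right after the message id
    and the pair delimiter that follows it, as the question describes.
    """
    marker = message_id + pair_delimiter
    idx = line.find(marker)
    if idx < 0:
        raise ValueError(f"message id {message_id!r} not found in line")
    return line[idx + len(marker):]


def parse_tagval(payload, pair_delimiter=PAIR_DELIMITER, value_delimiter=VALUE_DELIMITER):
    """Split a payload into ordered (literal, variable) pairs.

    Accepts both TAGVAL forms from the user guide: with or without a trailing
    pair delimiter. Each pair is split on the FIRST value delimiter only, so a
    value that itself contains the delimiter (a MAC address with ':') survives.
    Raises ValueError when the payload does not satisfy the format.
    """
    if payload.endswith(pair_delimiter):
        payload = payload[: -len(pair_delimiter)]
    pairs = []
    for chunk in payload.split(pair_delimiter):
        if value_delimiter not in chunk:
            raise ValueError(f"pair {chunk!r} has no value delimiter {value_delimiter!r}")
        literal, variable = chunk.split(value_delimiter, 1)
        # Whitespace handling is an assumption of this example.
        literal, variable = literal.strip(), variable.strip()
        if not literal:
            raise ValueError(f"pair {chunk!r} has an empty literal")
        pairs.append((literal, variable))
    return pairs


def is_tagval_format(payload, **kwargs):
    """True when the payload matches either TAGVAL form, False otherwise."""
    try:
        parse_tagval(payload, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = split_payload(SAMPLE_LINE)
    print("TAGVAL format:", is_tagval_format(payload))
    for literal, variable in parse_tagval(payload):
        print(f"{literal!r} -> {variable!r}")
```

Running it on the posted line reports the format as satisfied and yields four pairs, which supports the poster's reading that the log line itself is not the problem.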
2018-02-07 01:03 PM
Hi,
I have moved this thread to the RSA NetWitness Suite space so that you can get an answer to your question.
You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA NetWitness Suite space page.
Thanks,
Jeff
2018-05-04 10:42 AM
Kevin,
You're not doing anything wrong; the LPT has a bug regarding the tagval. I encountered a similar issue: when any change is made to an existing message, the Name Value Pairs option is removed.
The only way I have found is to manually add tagval="true" to the message in the xml text file. After you make your parser in LPT, export the parser, change the filetype from .envision to .zip and extract the xml. You can then add tagval="true" where needed, save and reload back into LPT to confirm it's there.
-Philip
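As an added example (not Philip's or RSA's code), the following Python script performs the manual step in the workaround above on an extracted parser XML: it sets tagval="true" on the chosen message definitions and lists which messages carry the attribute, so the edit can be checked offline before the file is zipped, renamed back to .envision and reloaded into LPT. The element name MESSAGE and the id1 attribute used to select messages are this example's assumptions about the exported XML layout; only the TAGVALMAP element comes from the thread, and the sample document is constructed.

```python
# Added example: set tagval="true" on selected MESSAGE elements of an
# exported LPT parser XML and report which messages have it enabled.
import xml.etree.ElementTree as ET

# Constructed sample; the MESSAGE element and id1 attribute are assumptions
# about the exported XML, the TAGVALMAP element is the one from the thread.
SAMPLE_XML = """<DEVICEMESSAGES>
  <TAGVALMAP pairdelimiter="|" valuedelimiter=":"/>
  <MESSAGE id1="Detection" id2="Detection" content="PLACEHOLDER_CONTENT"/>
  <MESSAGE id1="OtherMsg" id2="OtherMsg" content="PLACEHOLDER_CONTENT"/>
</DEVICEMESSAGES>
"""


def enable_tagval(xml_text, message_ids):
    """Return (new_xml_text, changed_ids).

    Adds tagval="true" to every MESSAGE whose id1 is in message_ids and does
    not already carry the attribute. Messages that already have it are left
    alone, so the function is safe to run more than once.
    """
    root = ET.fromstring(xml_text)
    changed = []
    for msg in root.iter("MESSAGE"):
        msg_id = msg.get("id1")
        if msg_id in message_ids and msg.get("tagval") != "true":
            msg.set("tagval", "true")
            changed.append(msg_id)
    return ET.tostring(root, encoding="unicode"), changed


def tagval_enabled_ids(xml_text):
    """Sorted id1 values of all MESSAGE elements with tagval="true"."""
    root = ET.fromstring(xml_text)
    return sorted(
        m.get("id1") for m in root.iter("MESSAGE") if m.get("tagval") == "true"
    )


def enable_tagval_in_file(path, message_ids):
    """Apply enable_tagval to a file on disk and rewrite it in place."""
    with open(path, encoding="utf-8") as fh:
        new_text, changed = enable_tagval(fh.read(), message_ids)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return changed


if __name__ == "__main__":
    new_xml, changed = enable_tagval(SAMPLE_XML, {"Detection"})
    print("changed:", changed)
    print("tagval enabled on:", tagval_enabled_ids(new_xml))
```

ET.tostring drops any XML declaration present in the export; if the original file started with one, keep it when writing the file back. After the edit, reloading the parser into LPT (as the post describes) remains the authoritative confirmation that the tool picked the attribute up.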