This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to call fld30 on investigation tab?

Go to solution
UtsavSejpal
Beginner
Beginner

‎2017-08-01 01:24 AM

Hello Folks,

 

We have recently integrated TrendMicro web proxy device (version 6.5-SP2_Build_Linux_1731) with the SA. There's a specific filed which we notice in the row log "tk_size" which provides information about data transfer done in the particular session.

 

On the SA however, this field gets merged in "msg" section and support asked us to create the custom parser to accommodate the requirement. 

 

pastedImage_2.png

 

While opening the log on ESI tool, I could notice that fld30 has been assigned to tk_size field already (PFA). Is there a way to call this meta "fld30" to investigation tab?

 

Any help much appreciated!! 

 

Best Regards,

Utsav Sejpal

Preview file
208 KB
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to UtsavSejpal

‎2017-08-02 04:01 PM

You can;t just save the parser to a new name.  there are other files that refer to that parser by name.

 

Just save the parser as the same name to test and make sure your changes provide the results you expect

 

Dave

View solution in original post

5 REPLIES 5

Go to solution
DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-08-01 08:02 AM

The 'fldx' variables are used as placeholders in the parsers.  There are a couple ways to make this data available.

 

The first way, as you requested is to enable 'fld30' in the tablemap and then index the variable is one way.  However, this will have unintended consequences, that variable is possibly used in many parsers and you will end up seeing more than you expect.  This is not the proper way to proceed.

 

Second, since you have the ESI tool open, you could change the 'fld30' variable to something else that is currently enabled in the system.  Once you do this the data will be available throughout the system.  This will work as you expect.  The downside of this is when a new parser gets posted to live, if you have subscribed to it, it will overwrite your changes back to defaults.  This can be prevented by not subscribing to parser updates.

 

Lastly would be submit a case with support to add in the changes you would like into the OOTB parser.

 

I would use a combination of 2 and 3. 

 

That way you have the data available now while you wait for the OOTB parser to be changed.

 

Hope that helps

 

Dave

Go to solution
UtsavSejpal
Beginner
Beginner
In response to DaveGlover

‎2017-08-01 09:59 PM

Hi wRAlmdLu8uOnkbiouAPmB5mqnlFr6baANOTo7eT0Oa4=

 

Thanks for your inputs.  

 

I tried to rename the meta "fld30" to "bytes" and saved the parser with a new name. I then uploaded newly created .xml and .ini files to the Log decoder CLI into below location:

 

/etc/netwitness/ng/envision/etc/devices

 

I gave full permission to the newly added folder and files (.xml and .ini) 

 

I restarted log decoder service and was trying to locate newly added parser in the general tab of log decoder (SA GUI) but couldn't find the one. 

 

Am I doing it correctly or is there any other way to upload custom parsers to SA? 

 

Best Regards,

Utsav Sejpal

0 Likes

Go to solution
DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to UtsavSejpal

‎2017-08-02 04:01 PM

You can;t just save the parser to a new name.  there are other files that refer to that parser by name.

 

Just save the parser as the same name to test and make sure your changes provide the results you expect

 

Dave

Go to solution
EricPartington
Employee
Employee

‎2017-08-03 07:03 PM

I would add another options which would be to write a lua parser that specifically looks for the value in fld30 in that msg.id for that device type and moves it to the appropriate metakey for your need.  That way you aren't changing the parser, indexing a temp value or any other changes.

 

There are examples on Link for parsers to move specific values around for log messages that you can use for a template.

Go to solution
UtsavSejpal
Beginner
Beginner
In response to DaveGlover

‎2017-08-03 07:08 PM

Hi wRAlmdLu8uOnkbiouAPmB5mqnlFr6baANOTo7eT0Oa4=‌,

 

Thanks for your help. It worked like a charm

 

Best Regards,

Utsav Sejpal

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.