This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to Change Meta in Event Reconstruction

RenatoGoncalves
Beginner
Beginner

‎2018-09-27 09:56 AM

Hello,

 

We recently saw a log with both ports, source and destiny and we noticed that the event reconstruction only show on port:

Here's the log:

Sep 27 2018 10:58:45: %CHKPNT-6-050100: accept,100.07.200.106,inbound,bond50.1000,10.0.00.000,40020,83.240.149.119,443, ,tcp,42, , , , , , , , , , , , , , , , , , , , , , , ,27Sep2018 10:58:45,0,VPN-1 & FireWall-1,000.07.200.106,00023,10.3.205.7,0, , , ,https, , , , , , , , , , , , , , , , , , , , , , , ,051110, , , , , , , , ,74,1, , , , , ,{0CB00B0B-2000-40D3-B0C0-0020603010F0},BP0G0A000 FE, , ,

Now notice the Event Reconstruction:

 

Captura de ecrã de 2018-09-27 14-40-43.png

Captura de ecrã de 2018-09-27 14-40-47.png

I thought that maybe it was a problem with the parser...but open RSA Log Parser Tool and try it, putting a firewall log against the xml file for the model of our firewall and i noticed that both ports are parsed.

Captura de ecrã de 2018-09-27 14-01-36.png

Is their anyway to change the meta that appears in Event Reconstruction? I that case i choose to appear both ports.....                                                                                      

0 Likes
7 REPLIES 7

EricPartington
Employee
Employee

‎2018-10-01 03:33 PM

not sure what your question is, please add more details.

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-10-02 11:07 AM

In the last picture you can see that in the log parser tool, with the checkpoint parser it parsed both tcp ports: 50165 and 80.

In the raw log you can see that it has both ports, in the case port 80 and port 443 but when i click in view meta it only shows one of them: Destiny Port.

 

I want to know if its possible to show both ports, as they are in the log and are well parsed in the log parser tool

0 Likes

EricPartington
Employee
Employee
In response to RenatoGoncalves

‎2018-10-02 12:55 PM

my guess is that the first port is the source port and the second is the destination port.

 

check your table-map.xml on the log decoder, by default the ip.srcport is not indexed (transient)

<mapping envisionName="sport" nwName="ip.srcport" flags="Transient" format="UInt16"  nullTokens="-|(null)|N/A"/>

 

To see this data and have it preserved you need to take that line, add it to the table-map-custom.xml file on your log decoders and change the Transient to None

 

<mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16"  nullTokens="-|(null)|N/A"/>

 

Now restart your log decoder service to make that take effect.

 

You can push out the table-map-custom.xml to your other log decoders where you will need to restart their log decoder services if you want to keep all your table-map-custom.xml in sync.

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-11-27 10:36 AM

Hello Eric,

After i edited the file nothing has changed.....its necessary to do something else?

0 Likes

EricPartington
Employee
Employee
In response to RenatoGoncalves

‎2018-11-28 09:51 AM

did you restart the service after the change?

how did you verify that the change did not work?

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-11-29 05:43 PM

Hi Eric

 

Yes i restarted...

 

I opened a log, clicked in view meta and it still does not appear...

0 Likes

EricPartington
Employee
Employee
In response to RenatoGoncalves

‎2018-11-30 09:35 AM

I would open a support ticket with RSA to see if they can help you remotely solve this.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.