2017-09-12 10:05 PM
This would make it an easier platform for testing custom Lua parsers. I am currently loading up a Lua parser, restarting the decoder service and then watching the output to try to debug.
2017-09-12 10:06 PM
It is possible to test custom Lua parsers with NetWitness Investigator. If you develop and install your own Lua parsers, place them in the C:\ProgramData\NetWitness\ng\parsers directory.
Some sample parsers are included with the installer and should be installed in that location by default. You must restart Investigator to see new parsers. If you update an existing parser, it will be picked up when capture or import starts.
More details can be found in the NetWitness Investigator user guide https://community.rsa.com/docs/DOC-58518.
For detailed information about how to work with Lua parsers, see the Parsers Book on RSA Link (https://community.rsa.com/docs/DOC-41370).
2017-09-12 10:13 PM
Yes. Do it all the time.
Simply add the parser to your C:\ProgramData\NetWitness\ng\parsers directory.
If you need to add custom meta keys, change the index-investigator.xml file located in C:\Program Files\RSA\NetWitness Investigator 10.6.
Please note you may have to close and restart the Investigator client for the new parsers or meta keys to come in. If testing a parser, you can probably just make the changes and reprocess a collection. I think a client restart is not necessary in that case.
Chris