This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

lua - nw.log* functions

RSAAdmin
Beginner
Beginner

‎2014-04-09 12:31 PM

The lua parser documentation I have has some notes at the very, very end about debugging lua parsers.  "If you like you can also send information to the log" and references of some nw.log* functions - nw.logDebug, nw.logInfo, nw.logWarning, etc.

 

What is "the log" as relates to those functions?  When i use these functions I never see anything - I've looked in /var/log/messages and in the log tab in administrator when running against an actual decoder, and checked the NwInvestigator9.log when running it through a local Investigator instance.

 

When I look at the declaration of those functions in nw-api.lua, they appear to be empty functions (function nw.logDebug(msg) end) -- or are those just the function prototypes and the real work is done in other, lower-level libraries?

 

Beyond these functions, does anybody have hints or tips or tricks for debugging lua parsers other than registering your values or debugging information as "dummy" meta?

0 Likes
5 REPLIES 5

RSAAdmin
Beginner
Beginner

‎2014-04-09 12:47 PM

Okay, just realized that the outputs ARE showing up in NwInvestigator9.log after all.

 

I'll leave this posted up for posterity's sake and for anybody else who comes looking for debug information for lua parsers, or if anybody has any other hints or tricks that they want to add as well.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-04-10 03:31 PM

Glad you got it working.

 

Since you're working with 9.x, be aware that there are differences for a 10+ decoder.  The most important one is that the following will return signed values (which is usually not what you want):

 

  payload:byte()

  payload:short()

  payload:int()

 

When you want unsigned values (which is most of the time) you'll need to use:

 

  payload:uint8()

  payload:uint16()

  payload:uint32()

 

For nw-api.lua - those function declarations don't do any real work, and lua parsing is in no way dependent upon it.  It's intended to document available parser-specific functions, and for syntax checking your parser as a lua 'dofile'.

0 Likes

huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-04-11 10:06 PM

Hi I saw the lua parser presentation, just wondering below futures available or not?

 

Performance!

Parser development tools

Parser performance metrics

Content

Migrate native parsers where applicable

Expand current API

Packet level analysis

0 Likes

RichardB
Frequent Contributor
Frequent Contributor

‎2020-09-10 04:28 AM

Using NetWitness 11.4.1.2 I found that nw.logDebug() does not show up in /var/log/messages or /var/log/netwitness/decoder/NwServerLog.*.log. However, using nw.logInfo() does show up in both places. Is there any way to view the output of nw.logDebug() ? This is commonly used to log the version of the loaded lua parser.

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to RichardB

‎2020-09-10 08:43 AM

To see log messages at debug level, you'll need to enable debug level logging.  Debug logs are very verbose, not something you'd want to leave enabled all the time.

 

In the Explore view of Decoder, navigate to /logs/config.  In the entry for "Log Levels (log.levels)" add ",debug".  When you are done, remove ",debug".  Changes take effect immediately.

© 2022 RSA Security LLC or its affiliates. All rights reserved.