2018-12-16 01:55 PM
Hi
I am trying to create a Lua parser for a custom log event source. I have the below queries w.r.t. the Lua parser.
Regards
Shrinidhi
2018-12-16 02:09 PM
Out of curiosity, why are you trying to use a Lua parser for logs? Log parsers are written in XML using the Log Parser Tool.
2018-12-16 02:18 PM
I have a requirement to carve out a few strings from the log. There is a parser for this event source and it parses my string of interest into a meta-key, but due to the larger string length, the value is getting parsed partially. Due to this I am unable to extract the required strings. Hence I thought of using the raw log itself to take out the required strings, as there is no size limit for the raw meta-key.
Please let me know for further clarifications.
2018-12-16 11:13 PM
You may want to explore extending the existing parser to split the content into the field you want the data to reside in. There’s a functionality to extend existing parsers in the link below with an example:
https://community.rsa.com/docs/DOC-95719
2018-12-17 08:02 AM
Just to be clear, it is possible to use Lua in this instance; however, it would be best to use the options referenced above. If we were just to operate on meta, then we could certainly do meta callbacks and perform the operations we need (typically string manipulation). However, if we had to go against the raw log, we would need to create tokens to match the log we need. This is not the same as 'raw' as I think that is just a representation of the actual log file itself and not actually meta. It would be similar to how we create parsers on network traffic. It can be done, but the above suggestion would be the best course of action in my opinion.
2018-12-17 08:16 AM
Thanks, everyone.
The thought of using raw came to mind due to the truncated value observed in a parsed meta-key. Is there any way to address the truncation issue? If this can be addressed, then I can use the same meta-key for the Lua parser.
2018-12-17 08:21 AM
Depending on what the log looks like, we might be able to add/change the XML parser to break up these truncated values into more meta.
Are you able to share the logs?
Feel free to reach out to me at my RSA address. Dave dot Glover at rsa dot com
Thanks
2018-12-17 08:58 AM
If I'm understanding correctly - the XML log parser is registering the string, but the resulting meta value is truncated at 255 characters? If so, then using Lua won't address that. Even when registered by a Lua parser, meta values are still limited to 255 characters.