This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Lua Parser against raw meta-key

ShrinidhiShastr
Beginner
Beginner

‎2018-12-16 01:55 PM

Hi

I am trying to create a lua parser for custom log event source. I have below queries w.r.t lua parser.

  • Is it possible to restrict the lua parser to run against a particular device type
  • Is it possible to use raw meta-key as the input for lua parser against the operations can be done. Also will there be any impact on the Log Decoder performance if I use raw meta-key

 

Regards

Shrinidhi

0 Likes
7 REPLIES 7

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2018-12-16 02:09 PM

Out of curiosity what are you trying to use a LUA parser for logs?  Log Parsers are written in XML using the Log Parser Tool

0 Likes

ShrinidhiShastr
Beginner
Beginner
In response to DaveGlover

‎2018-12-16 02:18 PM

I have a requirement to carve out few strings from the log. There is a parser for this event source and it parses my string of interest into a meta-key, but due to the larger string length, the value is getting parsed partially. Due to this i am unable to extract the required strings. Hence i thought of using raw log itself to take out required strings as there is no size limit for raw meta-key.

 

Please let me know for further clarifications.

0 Likes

NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2018-12-16 11:13 PM

You may want to explore extending the existing parser to split the content into the field you want the data to reside in. There’s a functionality to extend existing parsers in the link below with an example:

 

https://community.rsa.com/docs/DOC-95719

 

Sent from my iPhone

0 Likes

Anonymous
Not applicable

‎2018-12-17 08:02 AM

Just to be clear, it is possible to use Lua in this instance, however, it would be best to use the options referenced above.  If we were just to operate on meta, then we could certainly do meta callbacks and perform the operations we need (typically string manipulation).  However, if we had to go against the raw log, we would need to create tokens to match the log we need.  This is not the same as 'raw' as I think that is just a representation of the actual log file itself and not actually meta.  It would be similar to how we create parsers on network traffic.  It can be done, but the above suggestion would be the best course of action in my opinion.

0 Likes

ShrinidhiShastr
Beginner
Beginner
In response to Anonymous

‎2018-12-17 08:16 AM

Thanks Everyone..

 

Thought of using raw came into my mind due to the truncated value observed in a parsed meta-key. Is there any way to address truncation issue. If this can be addressed then i can use the same meta-key for lua parser.

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to ShrinidhiShastr

‎2018-12-17 08:21 AM

Depending on what the log looks like, we might be able to add/change the xml parser to break up these truncates values into more meta.

 

Are you able to shared the logs?

 

Feel free to reach out to me at my RSA address.   Dave dot Glover at rsa dot com

 

Thanks

0 Likes

WilliamMotley1
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to ShrinidhiShastr

‎2018-12-17 08:58 AM

If I'm understanding correctly - the xml log parser is registering the string, but the resulting meta value is truncated at 255 characters?  If so, then using lua won't address that..  Even when registered by a lua parser, meta values are still limited to 255 characters.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.