This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Meta Mapping Fields

RSAAdmin
Beginner
Beginner

‎2015-01-05 08:27 AM

Is there any documentation on the default RSA Meta keys/fields and what they mean? I think it would be pretty beneficial for RSA to provide this to the end users to clarify what they can search for within the product.

0 Likes
6 REPLIES 6

Anonymous
Not applicable

‎2015-01-05 08:43 AM

Not only is there no documentation, there's often inconsistency in how these fields are used.

 

For example, user.dst is normally the user on which the action is performed (account logged into, account manipulated), but it's also used for the user initiating an action by the bluecoat parser.  Similarly firewall parsers often populate ip.srcport and ip.dstport but the network packet parsers populate udp.dstport/tcp.dstport or the srcport equivalents.  Similarly there's no resolution from name to IP so you're stuck with whatever happened to be in the logs with little or no enrichment.

 

The other thing that's missing is clear documentation of the log taxonomy model.

 

After 18 months with SA, and a couple of years with EnVision beforethat, I generally have a pretty good idea of what goes where, but the inconsistencies in the standard parsing drive my users crazy.

 

If you've dug down to the level of writing your own parsers, then it's worth spending some time looking at table-map.xml and index-concentrator.xml.  We've made extensive modifications to these (via the -custom.xml) files to ensure the right metadata is stored and indexed in the way we need it.  I'm not sure many organisations could justify the amount of time we've spent on it, though.

Anonymous
Not applicable
In response to Anonymous

‎2015-01-05 02:11 PM

Everything Andy said is correct.  I do not use any of the default parsers anymore.  I will normally do a quarterly merge of any updates RSA has implemented but changing where parsers go helps a lot in making everything normalized. 

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-01-28 08:42 AM

Thanks guy, would any of you happen to have documentation on how to write log parsers? I have found little to no information how to write log parsers, let alone even read them. 

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2015-01-28 01:31 PM

I'm not sure if this fits the bill, but posted this last month:

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-01-28 01:34 PM

Thanks, It appears that this documentation only covers packet parsers.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2015-01-28 01:56 PM

you can use the event source integrator (ESI Tool), that's used for envision.to create custom parsers. and the install the parser into the log decoder (there are some posts on this) you can check the Security Analytics parser so you can have an idea on how to do it. Just a heads up... it's not that easy

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.