Metadata from the traffic_flow Lua parser is not being generated: it is not found in investigations, and /var/log/messages on the host contains an error that refers to the "traffic_flow_options.lua" file.
The error log observed in /var/log/messages is something like:
Throw in function static void nw::LuaPackage::require(lua_State*, const string&) Dynamic exception type: boost::exception_detail::clone_impl std::exception::what: LUA_ERRRUN: [string "traffic_flow_options.lua"]:125: '}' expected (to close '{' at line 23) near '[' [boost::errinfo_at_line_*] = 446 module('traffic_flow_options')
There is a syntactical error in the traffic_flow_options.lua file that prevents the file from parsing and thus prevents the parser from functioning properly.
Review the log entry from /var/log/messages:
Throw in function static void nw::LuaPackage::require(lua_State*, const string&) Dynamic exception type: boost::exception_detail::clone_impl std::exception::
what: LUA_ERRRUN: [string "traffic_flow_options.lua"]:125:
'}' expected (to close '{' at line 23) near '[' [boost::errinfo_at_line_*] = 446 module('traffic_flow_options')
Line breaks have been added to the log entry for clarity.
The line number in the log entry (125) indicates a syntax error at line 124 of the configuration file: Lua reports line 125 because that is where it encountered the unexpected '[' after line 124 failed to end with a comma. There may be errors on more than this line, so review all lines carefully for syntax errors.
Line Statement
001 module('traffic_flow_options')
002 --[=[
003 Defaults are defined below.
004 For proper direction meta:
005 (a) add ALL internal subnets
006 (b) DO NOT add any external subnets
007 Any subnets not listed will result in "other", e.g. netname: other src
008 Use only cidr notation. Specifically, don't use a netmask like "255.255.255.0"
009 Both shorthand and normal cidr are valid.
010 If netmask is omitted, /32 is assumed.
011 --]=]
012 function definitions()
013 return {
014 ["0/8"] = "broadcast",
015 ["10/8"] = "private",
016 ["10.2.100.0/23"] = "vlan1122 switch02_voice",
017 ["10.3.100.0/23"] = "vlan1103 switch03_voice",
018 ["10.4.100.0/23"] = "vlan0114 switch04_voice",
019 ["10.5.100.0/23"] = "vlan1155 switch05_voice",
020 ["10.6.100.0/23"] = "vlan1166 switch06_voice",
[snipped]
100 ["127/8"] = "loopback",
101 ["169.254/16"] = "link-local",
102 ["172.15/12"] = "private",
[snipped]
124 ["172.10/16"] = "vdi01"
125 ["172.11.6.0/24"] = "bldg01_lab"
126 ["172.12.6.0/24"] = "bldg02_office25"
127 ["172.130.6.0/24"] = "bldg03_lab"
[snipped]
130 ["224/4"] = "multicast",
132 ["240/4"] = "reserved",
133 ["255.255.255.255/32"] = "broadcast",
134 }
135 end
Note that lines 124 through 127 do not terminate with a comma (","), which is invalid syntax: inside a Lua table constructor every field except the last must be followed by a separator.
Correct the syntax error in the file and restart the nwdecoder service to read the parsers and start processing metadata.
- Log on to the Decoder via ssh as root.
- Edit the options file:
vi /etc/netwitness/ng/parsers/traffic_flow_options.lua
- Enter Insert mode
- Scroll to lines 124 through 127 and add a comma (",") at the end of each line. Note that the lines may be different than the example, so only alter the necessary lines.
- Save and exit the file.
- Restart the nwdecoder service:
systemctl restart nwdecoder
Validate the changes by performing an investigation to confirm that metadata is now getting created on this appliance.
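As an added pre-flight check (not part of this article or the NetWitness product), the following Python script scans the definitions() table in an options file for fields that are not followed by the required comma and reports their line numbers, so the file can be corrected, and re-checked, before nwdecoder is restarted. The embedded sample is constructed to reproduce the defect described above; pass a path as the first argument to check a real file.

```python
"""Pre-flight check for traffic_flow_options.lua: report table fields inside
definitions() that lack the trailing comma Lua requires between fields."""
import re
import sys

# Constructed sample reproducing the defect (two fields without commas).
SAMPLE = """module('traffic_flow_options')
function definitions()
return {
["0/8"] = "broadcast",
["10/8"] = "private",
["172.10/16"] = "vdi01"
["172.11.6.0/24"] = "bldg01_lab"
["224/4"] = "multicast",
["255.255.255.255/32"] = "broadcast",
}
end
"""

# One table field: ["cidr"] = "name" with an optional comma and comment.
ENTRY = re.compile(r'^\s*\[\s*"[^"]*"\s*\]\s*=\s*"[^"]*"\s*(,?)\s*(--.*)?$')


def find_missing_commas(text):
    """Return (line_no, line) for every field that is followed by another
    field but has no ',' separator. The last field before '}' may legally
    omit the comma, so it is not reported."""
    lines = text.splitlines()
    problems = []
    in_table = False
    for i, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped.startswith("return {"):
            in_table = True
            continue
        if not in_table:
            continue
        if stripped.startswith("}"):
            in_table = False
            continue
        m = ENTRY.match(line)
        if not m or m.group(1) == ",":
            continue
        # No comma: look at the next meaningful line to decide whether another
        # field follows (a syntax error) or the table closes (allowed).
        for nxt in lines[i:]:
            s = nxt.strip()
            if not s or s.startswith("--"):
                continue
            if ENTRY.match(nxt):
                problems.append((i, stripped))
            break
    return problems


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for n, text in find_missing_commas(src):
        print(f"line {n}: missing trailing comma: {text}")
```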