RSA NetWitness Meta Dictionary Tool

Blog Post created by Chaitra Kulkarni Employee on Nov 13, 2017

The RSA NetWitness Meta Dictionary is a tool developed for describing the metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports over 300 unique log event sources. Each log event source has a respective log parser for parsing the content of each log. The Meta Dictionary tool describes the metadata used in each of the parsers.
This blog post is intended to help a user understand how to use the tool so they can see the various metadata used in a parser, a description of each metadata key, and the number of times each metadata key appears in a parser.
Deployments

You need to download the following attachments from the blog post:

  • data.meta file
  • metadictionary.html file
Supported Browsers

  • Google Chrome version 44 or later
  • Firefox version 36 or later
  • Internet Explorer 10 or later
  • Safari version 7 or later

Viewing Meta Data Definitions

Once you open the metadictionary.html file in a browser you will see something similar to the screenshot below.

The screen contains the following sections:

  • Left Navigation pane: contains a list of all the parsers.
  • Details pane: contains the meta details for the selected parser.

This tool offers the flexibility to search for meta keys, data type, etc. as shown in the image below.

In the above screen, we have searched for ipv4, and three occurrences were found; note that the search is case insensitive.

Screen Reference

The following items appear on the screen:

  • Parser Name/Version: the Left Navigation Pane and the Details Pane display the parser name and version.
  • Search: a free text search box that you can use to filter results.
  • Show/Hide Columns: a drop-down menu on each column header lets you display or hide that column.


Column Reference

The following list describes each of the available columns that contain the meta data for the parsers.

  • Investigation Display Name: the value displayed in the Investigation page of the RSA NetWitness UI for each meta key.
  • Parser Metakey (occurrences): the meta key as used in the parser, with its count in parentheses. For example, for the aix parser, the saddr meta key occurs 151 times in the parser definition.
  • SA Metakey: the corresponding meta name for the meta key in the parser definition. This meta name is used in RSA NetWitness Suite.
  • Metakey Description: the description for the key.
  • TableMap Datatype: the data type of a meta key, as listed in the default table-map.xml.
  • TableMap Indexed: whether or not the key is indexed in the table map. The following examples show the table map details for indexed and non-indexed meta (an indexed key carries flags="None"; a non-indexed key carries flags="Transient"):

    Indexed:
    <mapping envisionName="device.ip" nwName="device.ip" format="IPv4" flags="None"/>

    Not Indexed:
    <mapping envisionName="device.ip" nwName="device.ip" format="IPv4" flags="Transient"/>

  • Index-Concentrator: whether or not the key is available in the default index-concentrator.xml.
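The two <mapping> entries above are the only difference between an indexed and a non-indexed key in the table map, so the check the Meta Dictionary performs for its TableMap Datatype and TableMap Indexed columns can be reproduced with a few lines of XML parsing. The script below is an added example written for this post; it is not part of the RSA blog post or of the Meta Dictionary tool itself. It assumes a <mappings> root element wrapping the <mapping> entries and treats a missing flags attribute as "None" (both are assumptions for the example; the sample XML is constructed, not copied from a product file).

```python
# Added example (not the RSA blog post's or the Meta Dictionary tool's own code):
# parse <mapping> entries in the table-map.xml format shown in the post and report,
# per meta key, the data type and whether the key is indexed.
# Flag semantics follow the post: flags="None" is indexed, flags="Transient" is not.
import xml.etree.ElementTree as ET

# Constructed sample in the table-map.xml mapping format; not a real file from the product.
# The <mappings> root element is an assumption made so the fragment parses as one document.
SAMPLE_TABLE_MAP = """<mappings>
  <mapping envisionName="device.ip" nwName="device.ip" format="IPv4" flags="None"/>
  <mapping envisionName="saddr" nwName="ip.src" format="IPv4" flags="None"/>
  <mapping envisionName="msg" nwName="msg" format="Text" flags="Transient"/>
</mappings>
"""


def parse_table_map(xml_text):
    """Return one dict per <mapping> element with the attributes the tool's columns show."""
    root = ET.fromstring(xml_text)
    rows = []
    for m in root.iter("mapping"):
        rows.append({
            "parser_key": m.get("envisionName"),   # key as used in the parser definition
            "nw_key": m.get("nwName"),             # corresponding NetWitness meta name
            "datatype": m.get("format"),           # TableMap Datatype column
            # Assumption for this example: an absent flags attribute is read as "None".
            "indexed": m.get("flags", "None") != "Transient",  # TableMap Indexed column
        })
    return rows


def indexed_keys(rows):
    """NetWitness meta names whose mapping is indexed (flags other than Transient)."""
    return sorted(r["nw_key"] for r in rows if r["indexed"])


def transient_keys(rows):
    """NetWitness meta names whose mapping is not indexed (flags="Transient")."""
    return sorted(r["nw_key"] for r in rows if not r["indexed"])


def datatype_of(rows, nw_key):
    """Data type of a NetWitness meta name, or None when the key is not mapped."""
    for r in rows:
        if r["nw_key"] == nw_key:
            return r["datatype"]
    return None


if __name__ == "__main__":
    rows = parse_table_map(SAMPLE_TABLE_MAP)
    for r in rows:
        print(f'{r["parser_key"]:<12} -> {r["nw_key"]:<12} {r["datatype"]:<6} indexed={r["indexed"]}')
```

Pointing parse_table_map at the text of a real table-map.xml lets you confirm, for the keys a given parser writes, which ones will actually be searchable in Investigation; a key that is written by the parser but mapped as Transient is the common reason a value shows up in raw logs yet cannot be queried.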

We hope you find this tool useful and welcome any feedback or suggestions for improvement.  Please feel free to leave any constructive feedback in the comments below!
