000034766 - Error occurs related to traffic_flow_options.lua file in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 6, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000034766
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Packet Decoder
RSA Version/Condition: 10.5.x, 10.6.x
 
Issue: Metadata from the traffic_flow Lua parser is not being generated, so it cannot be found in investigations, and /var/log/messages on the Decoder host contains an error that references the traffic_flow_options.lua file.
The error logged in /var/log/messages looks like the following:

Throw in function static void nw::LuaPackage::require(lua_State*, const string&) Dynamic exception type: boost::exception_detail::clone_impl std::exception::what: LUA_ERRRUN: [string "traffic_flow_options.lua"]:125: '}' expected (to close '{' at line 23) near '[' [boost::errinfo_at_line_*] = 446 module('traffic_flow_options')



 
Cause: There is a syntax error in the traffic_flow_options.lua file. The decoder's Lua runtime cannot load the options module, so the traffic_flow parser that depends on it never runs and produces no metadata.
Review the log entry from /var/log/messages:
 
Throw in function static void nw::LuaPackage::require(lua_State*, const string&) Dynamic exception type: boost::exception_detail::clone_impl std::exception::
what: LUA_ERRRUN: [string "traffic_flow_options.lua"]:125:
'}' expected (to close '{' at line 23) near '[' [boost::errinfo_at_line_*] = 446 module('traffic_flow_options')

Line breaks have been added to the log entry for clarity.
The portion reading `:125: '}' expected (to close '{' at line 23) near '['` means that the Lua parser, while reading the table opened by `{` on line 23 of the file, reached line 125 and found a `[` where it expected either a comma or the closing `}`. Lua names the line on which it gave up, so the actual defect is on the preceding line, line 124, which is missing its trailing comma. There may be errors on more than one line, so review every entry of the table for syntax errors rather than fixing only the line named in the message.
 
Line Statement
001  module('traffic_flow_options') 
002  --[=[ 
003  Defaults are defined below. 
004  For proper direction meta: 
005    (a) add ALL internal subnets 
006    (b) DO NOT add any external subnets 
007  Any subnets not listed will result in "other", e.g. netname: other src 
008  Use only cidr notation. Specifically, don't use a netmask like "255.255.255.0" 
009  Both shorthand and normal cidr are valid. 
010  If netmask is omitted, /32 is assumed. 
011  --]=] 
012  function definitions() 
013    return { 
014         ["0/8"] = "broadcast", 
015         ["10/8"] = "private", 
016         ["10.2.100.0/23"] = "vlan1122 switch02_voice", 
017         ["10.3.100.0/23"] = "vlan1103 switch03_voice", 
018         ["10.4.100.0/23"] = "vlan0114 switch04_voice", 
019         ["10.5.100.0/23"] = "vlan1155 switch05_voice", 
020         ["10.6.100.0/23"] = "vlan1166 switch06_voice", 
            [snipped] 
100         ["127/8"] = "loopback", 
101         ["169.254/16"] = "link-local", 
102         ["172.15/12"] = "private", 
            [snipped]
124         ["172.10/16"] = "vdi01" 
125         ["172.11.6.0/24"] = "bldg01_lab" 
126         ["172.12.6.0/24"] = "bldg02_office25" 
127         ["172.130.6.0/24"] = "bldg03_lab" 
            [snipped]
130         ["224/4"] = "multicast", 
132         ["240/4"] = "reserved", 
133         ["255.255.255.255/32"] = "broadcast", 
134    }  
135  end

Note that lines 124 through 127 do not terminate with a comma (","), which is invalid Lua syntax: in a table constructor every field except the last must be followed by a comma (or semicolon), and a trailing comma after the last field is also permitted.
 
Resolution: Correct the syntax error in the file and restart the nwdecoder service so that it reloads the parsers and resumes generating metadata.
  1. Log on to the Decoder via ssh as root.
  2. Edit the options file:
vi /etc/netwitness/ng/parsers/traffic_flow_options.lua

  3. Enter Insert mode.
  4. Scroll to lines 124 through 127 and add a comma (",") at the end of each line.
  5. Save and exit the file.
  6. Restart the nwdecoder service:
restart nwdecoder

Validate the change by confirming that the LUA_ERRRUN entry for traffic_flow_options.lua no longer appears in /var/log/messages after the restart, then perform an investigation to confirm that traffic_flow metadata is again being created on this appliance.
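As an added example (not part of this article and not RSA NetWitness code), the following Python script performs the checks described above on a copy of traffic_flow_options.lua before the decoder is restarted: it flags every entry of the definitions() table that lacks a trailing comma while another entry follows it, states the line on which Lua itself would fail (the next line), validates each key as CIDR after expanding the shorthand forms the file's own comment allows, and can produce a corrected copy. The sample text embedded in the script is constructed for the example in the layout of the listing above; it is not the customer's file, and the function and script names are the example's own.

```python
"""Pre-restart syntax check for traffic_flow_options.lua (added example, not
RSA NetWitness code). Flags the defect this article describes: an entry of the
definitions() table that lacks a trailing comma while another entry follows.
Lua names the line on which it gave up (the line after the defect), so each
finding states both lines. Keys are also validated as CIDR, with the shorthand
forms the file's own comment allows ("10/8", "169.254/16") expanded first."""
import ipaddress
import re
import sys

# One table entry: ["cidr"] = "name" with an optional trailing comma.
ENTRY_RE = re.compile(r'^\s*\["([^"]+)"\]\s*=\s*"[^"]*"\s*(,?)\s*$')

# Constructed sample in the layout of the article's listing; not a real file.
# Lines 9-11 lack commas, line 12 uses a netmask, line 14 is a legal last entry.
SAMPLE = """module('traffic_flow_options')
function definitions()
  return {
       ["0/8"] = "broadcast",
       ["10/8"] = "private",
       ["10.2.100.0/23"] = "vlan1122 switch02_voice",
       ["127/8"] = "loopback",
       ["169.254/16"] = "link-local",
       ["172.10/16"] = "vdi01"
       ["172.11.6.0/24"] = "bldg01_lab"
       ["172.12.6.0/24"] = "bldg02_office25"
       ["192.168.1.0/255.255.255.0"] = "netmask_not_cidr",
       ["224/4"] = "multicast",
       ["255.255.255.255/32"] = "broadcast"
  }
end
"""


def expand_cidr(text):
    """Expand "10/8" -> 10.0.0.0/8 and "169.254/16" -> 169.254.0.0/16; a key
    with no prefix length is /32. Reject dotted netmasks, which the file forbids."""
    addr, _, plen = text.partition("/")
    if not plen:
        plen = "32"
    if not plen.isdigit():
        raise ValueError(f"{text!r}: use a prefix length, not a netmask")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"{text!r}: malformed address")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)


def check_options(text):
    """Return [(line_number, message)] for the definitions() table in text."""
    findings = []
    in_table = False
    pending = None  # line number of the last entry seen without a comma
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("return {")
            continue
        if stripped.startswith("}"):
            break  # the last entry may legally omit its comma
        if not stripped or stripped.startswith("--"):
            continue
        if pending is not None:
            # Any further content after a comma-less entry is where Lua fails.
            findings.append((pending, "missing trailing comma; Lua reports "
                             f"\"'}}' expected\" at line {lineno}"))
            pending = None
        m = ENTRY_RE.match(line)
        if m is None:
            findings.append((lineno, 'expected ["cidr"] = "name",'))
            continue
        try:
            expand_cidr(m.group(1))
        except ValueError as err:
            findings.append((lineno, f"invalid CIDR: {err}"))
        if m.group(2) != ",":
            pending = lineno
    return findings


def fix_missing_commas(text):
    """Return text with a comma appended to every entry flagged as lacking one.
    Other findings (bad CIDRs) are left for a human to resolve."""
    lines = text.splitlines()
    for lineno, msg in check_options(text):
        if msg.startswith("missing trailing comma"):
            lines[lineno - 1] = lines[lineno - 1].rstrip() + ","
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, msg in check_options(source):
        print(f"{lineno}: {msg}")
```

Run it against the live file before step 6 (for instance `python3 check_traffic_flow_options.py /etc/netwitness/ng/parsers/traffic_flow_options.lua`, the script name being the example's own); an empty report means the table is at least syntactically well-formed. Where a Lua toolchain is present, `luac -p <file>` is the authoritative syntax check, but whether one is installed on a Decoder is an assumption not covered by this article.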
 
