Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.
Note the following:
- If you deploy the options file, it can be found in the same directory as parsers: /etc/netwitness/ng/parsers/
- The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
- If you do not have an options file (or if your options file is invalid), the parser uses the default settings.
Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.
By default, the LDAP parser only parses the username and password if the port is 389. The options file allows parsing from any specified port, as well as some other configuration.
The LDAP_options file contains the following options for controlling the parser:
- ports
- idOnly
- parseResponses
To change an option from false to true, edit the line inside the corresponding function from
return false
to
return true
To change an option from true to false, make the reverse edit.
ports
Default value: "389, 686"
Specifies the ports on which to look for LDAP sessions. The value should be a comma- or space-delimited list of port numbers. For example:
"389, 686"
LDAP sessions on ports other than those listed will be neither identified nor parsed.
idOnly
Default value: false
If enabled, LDAP sessions will be identified but no meta will be extracted. This may improve overall system performance.
If enabled, the parseResponses option is ignored.
Note: Modifying this option requires a service restart to take effect; a simple parser reload is insufficient.
parseResponses
Default value: false
By default, meta is not extracted from LDAP responses. If you enable this option (set its value to true), meta will be extracted from LDAP responses. Note that this will result in a greater amount of meta, and may decrease overall system performance.
If enabled, the meta goes to ldap.response, which is a non-standard key.
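
The following Python code is an added example, not part of RSA's parser or options file. It checks a ports value before you put it in the options file and resolves which settings apply under the rules above: custom options replace the defaults entirely, and idOnly overrides parseResponses. The function names, the dict layout, and the sample port 10389 are assumptions made for illustration.

```python
import re

# Default values as stated on this page.
DEFAULTS = {"ports": "389, 686", "idOnly": False, "parseResponses": False}


def parse_ports(value):
    """Split a comma- or space-delimited port list into sorted, unique ints.

    Rejecting bad tokens is this example's own pre-deployment check, not a
    statement about how the parser treats them.
    """
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    if not tokens:
        raise ValueError("ports list is empty")
    ports = set()
    for tok in tokens:
        if not (tok.isascii() and tok.isdigit()) or not 1 <= int(tok) <= 65535:
            raise ValueError(f"invalid port: {tok!r}")
        ports.add(int(tok))
    return sorted(ports)


def effective_settings(custom=None):
    """Resolve the settings in force.

    `custom` is None when no usable options file exists. Otherwise it must
    carry all three options and replaces the defaults entirely (no merging).
    """
    chosen = DEFAULTS if custom is None else custom
    id_only = bool(chosen["idOnly"])
    return {
        "ports": parse_ports(chosen["ports"]),
        "idOnly": id_only,
        # idOnly takes precedence: parseResponses is ignored when it is set.
        "parseResponses": bool(chosen["parseResponses"]) and not id_only,
        "extracts_meta": not id_only,
    }


def unmonitored(observed_ports, settings):
    """Ports where LDAP was observed but sessions will not be identified."""
    return sorted(set(observed_ports) - set(settings["ports"]))
```

Comparing the ports on which your directory servers actually listen against the resolved list shows where LDAP sessions would go unidentified.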