on Jul 16, 2018Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.
Note the following:
- If you deploy the options file, it can be found in the same directory as parsers:
/etc/netwitness/ng/parsers/. - The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
- If you do not have an options file (or if your options file is invalid), the parser uses the default settings.
Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.
The SMTP_lua_options file contains the following options for controlling the parser:
- registerEmailSrcDst
- registerAddressHosts
- errorCodeOnly
To change an option from false to true, edit the line inside the corresponding function, from
return false
to
return true
And similarly to go from true to false.
registerEmailSrcDst
Default value: false
Determines whether or not to register email address meta using the index keys email.src and email.dst.
- If set to false, all email address meta is registered with the index key email.
-
If set to true:
- Originating email addresses are registered with the index key email.src
- Recipient email addresses are registered with the index key email.dst
- Targets of EXPN and VRFY are registered with the index key email.dst
Note: Modifying this option requires a service restart to take effect; a simple parser reload is insufficient.
registerAddressHosts
Default value: false
Determines whether or not to register the host portion of email addresses as meta. The key used to register is alias.host, alias.ip, or alias.ipv6 as appropriate.
errorCodeOnly
Default value: true
Determines whether or not to register error codes only, or the entire error messages.
- If set to true, only the error code (such as "450", "550", and so on) is registered.
- If set to false, the entire error message is registered (e.g., "550 unknown user"). In the case of a 421 server greeting, the server name is removed from the error text and be registered as alias.[host|ip|ipv6] instead.
