This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA® enVision Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-07-21 02:54 PM

How to tell what is in CONTENT Field

I have read the correlation rules document and it says:

 

Note: The value of the [CONTENT[ variable in the Set Statement Filter Window is the
same as the value of payload.

 

I am looking at windows messages and almost none of the messages in the XML have a !payload variable used.  Does this mean that the entire "content=" part of the message goes into [CONTENT]?

 

Is there a way to see what is actually in [CONTENT] so that I can write an appropriate regex?

 

Thanks!!!!!!!!  :smileyhappy:

0 Likes
Reply
3 Replies
RSAAdmin
Beginner
Beginner
‎2011-07-26 07:19 AM

The <!payload> marker is only found in the content parameter of the HEADER tags, so you will never see it in a MESSAGE tag.

 

The [CONTENT] option in the filter drop downs represents the remaining payload of the log event, i.e. where the <!payload> marker defined the MESSAGE tag to begin.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-07-26 03:58 PM

I found that overall, the absolute best way to get some transparency into what goes into each field (as it shows in the XML) is to use the ESI tool.  Select the XML for the device you are writing an alert for, use some of your test data, and it will show you exactly how it will parse and what goes into each field. 

 

The overall confusion for me seems to be the way that the variables in the XML don't always seem to clearly correspond to column names in a report and field names in an alert.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-08-02 11:46 AM

You are right and that is because the variable name can be different than the "Display Name". 

 

You can check the manage variables under System Configuration or you can check the table files in:

 

%ENVISION%\etc\sqltbl 

 

The second field is the Display Name for the field in the table.

 

Hopefully, this helps.

 

Paul

 

 

 

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.