How do you get the "Name Value Pairs" (TagVal) option in LPT?
I'm having issues creating a message with the LPT tool using the TagVal option.
I have read the LPT user guide, specifically this section:
The Name Value Pair is disabled by default and it is enabled for user input only if the message definitions satisfy the <TAGVAL> format, as shown in the following examples.
The TAGVAL format is either:
The TAGVAL in my .XML looks like:
My sample log file looks like the following (which to my eyes matches the format requirement). I'm setting the payload just after the | pipe after "Detection" (my message id).
CEF:0|RSA|Detection|Alias Host: DESKTOP-NAME|IP Src: 10.11.22.33|IP Src1: 100.77.88.99|Mac: 00:11:22:33:44:55|
From there, I'm stuck. The check box for "Name Value Pairs" is still not selectable.
Any ideas on what I'm doing incorrectly?
I have moved this thread to the RSA NetWitness Suite space so that you can get an answer to your question.
You're not doing anything wrong - the LPT has a bug regarding the tagval. I encountered a similar issue: when any change is made to an existing message, the Name Value Pairs option is removed.
The only way I have found is to manually add tagval="true" to the message in the XML text file. After you make your parser in LPT, export the parser, change the filetype from .envision to .zip and extract the XML. You can then add tagval="true" where needed, save and reload back into LPT to confirm it's there.
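
The manual edit described in the reply above can be scripted; the following is an added example, not code from the thread or from RSA. It assumes message definitions are `<MESSAGE ...>` elements identified by an `id1` attribute and that the XML is UTF-8; the function names and the sample XML are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: a message definition is a <MESSAGE ...> element keyed by id1.
# Quoted attribute values are skipped whole, so a ">" inside one is harmless.
MESSAGE_TAG = re.compile(r'''<MESSAGE\b(?:[^>"']|"[^"]*"|'[^']*')*?(?=\s*/?>)''')

# Constructed sample, not a real parser export.
SAMPLE_XML = (
    '<DEVICEMESSAGES>\n'
    '  <MESSAGE id1="Detection" id2="Detection" content="a -> b" />\n'
    '  <MESSAGE id1="Other" content="x"/>\n'
    '  <MESSAGE id1="Done" tagval="true" content="y"/>\n'
    '</DEVICEMESSAGES>\n'
)


def add_tagval(xml_text, message_ids):
    """Return (patched_text, changed_ids); text outside the tags is untouched."""
    changed = []

    def patch(match):
        tag = match.group(0)
        id1 = re.search(r'\bid1="([^"]*)"', tag)
        if not id1 or id1.group(1) not in message_ids:
            return tag
        if re.search(r'\btagval\s*=', tag):
            return tag  # already set; a duplicate attribute is invalid XML
        changed.append(id1.group(1))
        return tag + ' tagval="true"'

    return MESSAGE_TAG.sub(patch, xml_text), changed


def patch_archive(src_bytes, message_ids):
    """Copy a zip archive (the renamed export), patching each .xml member."""
    out, changed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(src_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.lower().endswith(".xml"):
                text, ids = add_tagval(data.decode("utf-8"), message_ids)  # UTF-8 assumed
                changed += ids
                data = text.encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue(), changed
```

Write the returned bytes to a new file rather than over the original export, so the unmodified parser remains available for comparison.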