Lua Parser against raw meta-key
I am trying to create a Lua parser for a custom log event source. I have the below queries w.r.t. the Lua parser.
- Is it possible to restrict the Lua parser to run against a particular device type?
- Is it possible to use the raw meta-key as the input for the Lua parser, against which the operations can be done? Also, will there be any impact on the Log Decoder performance if I use the raw meta-key?
I have a requirement to carve out a few strings from the log. There is a parser for this event source and it parses my string of interest into a meta-key, but due to the larger string length, the value is getting parsed partially. Due to this I am unable to extract the required strings. Hence I thought of using the raw log itself to extract the required strings, as there is no size limit for the raw meta-key.
Please let me know if you need any further clarification.
You may want to explore extending the existing parser to split the content into the field you want the data to reside in. There’s a functionality to extend existing parsers in the link below with an example:
Just to be clear, it is possible to use Lua in this instance, however, it would be best to use the options referenced above. If we were just to operate on meta, then we could certainly do meta callbacks and perform the operations we need (typically string manipulation). However, if we had to go against the raw log, we would need to create tokens to match the log we need. This is not the same as 'raw' as I think that is just a representation of the actual log file itself and not actually meta. It would be similar to how we create parsers on network traffic. It can be done, but the above suggestion would be the best course of action in my opinion.
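As an added illustration of the meta-callback approach described above (this is not code from the thread or from RSA), here is a Lua parser that subscribes to the meta key the XML parser already fills, assumed here to be `msg.long`, carves substrings out of that value with Lua patterns and registers them as new meta. The `nw`/`nwlanguagekey` calls follow the NetWitness parser conventions; the callback signature `(index, value)`, the key names and the `user=`/`path=` log layout are assumptions.

```lua
-- Added example: carve substrings out of an existing meta value with a
-- meta callback, instead of tokenising the raw log.
-- Assumed: the XML log parser registers the long string under "msg.long".
local carver = nw.createParser("carve_fields", "Carve substrings out of a long meta value")

-- Declare the keys this parser registers. Custom keys also need to be
-- present in the Log Decoder index to be searchable.
carver:setKeys({
    nwlanguagekey.create("carve.user", nwtypes.Text),
    nwlanguagekey.create("carve.path", nwtypes.Text),
})

-- Meta values are capped at 255 characters (see the last reply in the
-- thread), so everything registered here is clipped to that limit.
local MAX_META_LEN = 255
local function clip(s)
    if #s > MAX_META_LEN then
        return string.sub(s, 1, MAX_META_LEN)
    end
    return s
end

-- Called once per value registered under the subscribed key. A callback on
-- meta only ever sees the stored value: whatever the XML parser truncated is
-- already gone at this point, so this does not recover lost characters.
-- Signature (index, value) is assumed.
function carver:onLongValue(idx, vlu)
    if type(vlu) ~= "string" then return end
    -- Assumed layout of the constructed value, e.g.
    -- "user=alice path=/srv/app/config.yml ..."
    local user = string.match(vlu, "user=([^%s]+)")
    if user then
        nw.createMeta(self.keys["carve.user"], clip(user))
    end
    local path = string.match(vlu, "path=([^%s]+)")
    if path then
        nw.createMeta(self.keys["carve.path"], clip(path))
    end
end

-- Subscribe to the existing meta key; no raw-log tokens are needed.
carver:setCallbacks({
    ["msg.long"] = carver.onLongValue,
})
```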
The thought of using raw came to my mind due to the truncated value observed in a parsed meta-key. Is there any way to address the truncation issue? If this can be addressed then I can use the same meta-key for the Lua parser.
Depending on what the log looks like, we might be able to add/change the XML parser to break up these truncated values into more meta.
Are you able to share the logs?
Feel free to reach out to me at my RSA address. Dave dot Glover at rsa dot com
If I'm understanding correctly - the XML log parser is registering the string, but the resulting meta value is truncated at 255 characters? If so, then using Lua won't address that. Even when registered by a Lua parser, meta values are still limited to 255 characters.