AnsweredAssumed Answered

How do you get the "Name Value Pairs" (TagVal) option in LPT?

Question asked by Kevin Cole on Feb 7, 2018
Latest reply on May 4, 2018 by Philip McLeod

I'm having issues creating a message with the LPT tool using the TagVal option.

 

I have read the LPT user guide, specifically this section:

 

The Name Value Pair is disabled by default and it is enabled for user input only if the message definitions satisfy the <TAGVAL> format, as shown in the following examples.

 

The TAGVAL format is either:
<literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable> format

 

Or

 

<literal><valuedelimiter><variable><pairdelimiter>….<literal><valuedelimiter><variable><pairdelimiter> format

 

The TAGVAL in my .XML looks like:

 

<TAGVALMAP
pairdelimiter="|"
valuedelimiter=":"/>

 

My sample log file looks like the following (which to my eyes matches the format requirement). I'm setting the payload just after the | pipe after "Detection" (my message id).

 

CEF:0|RSA|Detection|Alias Host: DESKTOP-NAME|IP Src: 10.11.22.33|IP Src1: 100.77.88.99|Mac: 00:11:22:33:44:55|

 

From there, I'm stuck. The check box for "Name Value Pairs" is still not selectable.

 

Any ideas on what I'm doing incorrectly?

lpt

Attachments

Outcomes