Hi Folks,
This is the first time I am trying to develop a UDS for the Trend Micro Vulnerability Protection Manager device.
The steps I followed are:
1. Developing the parser using the ESI tool
2. Extracting the ESI package to the devicename.ini and devicenamemsg.xml files
3. Uploading the files to /etc/netwitness/ng/envision/etc/devices on the log decoder
4. Adding a key description for the key to the index-concentrator-custom.xml file
5. Editing table-map-custom.xml to change the variable and to add entries that do not exist in the file.
Do I need to follow any other step?
I also have doubts about editing the index file and the table-map file.
Can anyone help me on this?
Thanks,
Ajay
That's pretty much what we're doing.
You will need to reload the parsers, either by restarting the decoder or, preferably, by using the /decoder/parsers reload command via NwConsole or the REST screens. This will re-read table-map-custom.xml as well. You'll need to restart the concentrator to get it to re-read index-concentrator-custom.xml.
table-map-custom entries are generally of the format:
<mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16" envisionDisplayName="SourcePort|LocalPort|ServerPort" nulltokens="-|(null)" />
envisionName is the field the parser populates, and nwName is the meta key it's mapped to.
flags="None" is the usual specification. If you specify flags="Transient" then the meta is available to decoder app rules but is not saved.
I've not figured out the significance of the envisionDisplayName field.
nulltokens is useful for some meta values - any of the options in here will not be stored.
One of the biggest limitations of the ESI tool is that it requires you to remain within the EnVision table limitations which no longer apply in SA. I'm hopeful of an SA-specific tool being available soon.
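The following is an added example, not code from the thread or from RSA: it parses a small constructed table-map-custom.xml fragment and applies the mapping semantics described in the reply (envisionName to nwName, nulltokens dropped before storage, Transient meta kept only for rule evaluation, the declared format enforced) to a constructed set of parser output fields. The processing model is my reading of the reply, not the decoder's real implementation, and the sample XML and field values are made up. It also shows why a stray comma between attributes, an easy mistake to make when hand-editing the file, makes the mapping unparseable.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a table-map-custom.xml fragment (illustrative only).
TABLE_MAP_XML = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16"
           envisionDisplayName="SourcePort|LocalPort|ServerPort" nulltokens="-|(null)" />
  <mapping envisionName="dport" nwName="ip.dstport" flags="None" format="UInt16"
           envisionDisplayName="DestinationPort" nulltokens="-|(null)" />
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"
           envisionDisplayName="SourceAddress" nulltokens="-|(null)" />
  <mapping envisionName="msg" nwName="msg" flags="Transient" format="Text"
           envisionDisplayName="Message" nulltokens="-" />
</mappings>
"""

# The same first mapping with a comma between two attributes: not well-formed XML.
BAD_MAPPING = ('<mapping envisionName="sport" nwName="ip.srcport" flags="None" '
               'format="UInt16" envisionDisplayName="SourcePort", nulltokens="-|(null)" />')

# Constructed parser output for one event: envisionName -> raw string value.
SAMPLE_FIELDS = {"sport": "443", "dport": "-", "saddr": "10.1.2.3", "msg": "blocked"}


def is_well_formed(xml_text):
    """True if the fragment parses; a hand-edit error like BAD_MAPPING returns False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_mappings(xml_text):
    """Build envisionName -> mapping attributes from the table-map XML."""
    mappings = {}
    for m in ET.fromstring(xml_text).iter("mapping"):
        tokens = m.get("nulltokens") or ""
        mappings[m.get("envisionName")] = {
            "nwName": m.get("nwName"),
            "flags": m.get("flags", "None"),
            "format": m.get("format", "Text"),
            # any of these literal values means "no value": drop before storing
            "nulltokens": {t for t in tokens.split("|") if t},
        }
    return mappings


def convert(value, fmt):
    """Coerce the raw parser string to the declared meta format (assumed checks)."""
    if fmt == "UInt16":
        n = int(value)
        if not 0 <= n <= 65535:
            raise ValueError("UInt16 out of range: %s" % value)
        return n
    if fmt == "IPv4":
        return str(ipaddress.IPv4Address(value))
    return value  # Text and anything else: stored as-is


def apply_table_map(parsed_fields, mappings):
    """Return (persisted, transient): nwName -> value for meta that is saved,
    and for meta visible only to app rules (flags="Transient")."""
    persisted, transient = {}, {}
    for name, value in parsed_fields.items():
        m = mappings.get(name)
        if m is None:
            continue  # assumption: an envision field with no mapping yields no meta
        if value in m["nulltokens"]:
            continue  # null token: nothing stored
        meta = convert(value, m["format"])
        target = transient if m["flags"] == "Transient" else persisted
        target[m["nwName"]] = meta
    return persisted, transient


if __name__ == "__main__":
    print("bad mapping well-formed:", is_well_formed(BAD_MAPPING))
    persisted, transient = apply_table_map(SAMPLE_FIELDS, load_mappings(TABLE_MAP_XML))
    print("persisted:", persisted)
    print("transient:", transient)
```

Running it with the sample event drops dport (its value "-" is a null token), stores ip.srcport and ip.src, and keeps msg only in the transient set because its mapping is flagged Transient. Validating the edited file with something like is_well_formed before the /decoder/parsers reload is a cheap way to catch a bad edit before the decoder refuses the whole table map.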