
Error occurs related to traffic_flow_options.lua file in RSA NetWitness

Issue

Metadata from the traffic_flow lua parser is not being generated, does not appear in investigations, and an error related to the "traffic_flow_options.lua" file is logged in /var/log/messages on the host.

The error log observed in /var/log/messages is something like:
Throw in function static void nw::LuaPackage::require(lua_State*, const string&) Dynamic exception type: boost::exception_detail::clone_impl std::exception::what: LUA_ERRRUN: [string "traffic_flow_options.lua"]:125: '}' expected (to close '{' at line 23) near '[' [boost::errinfo_at_line_*] = 446 module('traffic_flow_options')

Cause

There is a syntax error in the traffic_flow_options.lua file that prevents the Lua interpreter from loading the file, and thus prevents the traffic_flow parser from functioning.

Review the log entry from /var/log/messages: 
 
Throw in function static void nw::LuaPackage::require(lua_State*, const string&) Dynamic exception type: boost::exception_detail::clone_impl std::exception::
what: LUA_ERRRUN: [string "traffic_flow_options.lua"]: 125:
'}' expected (to close '{' at line 23) near '[' [boost::errinfo_at_line_*] = 446 module('traffic_flow_options')
Line breaks have been added to the log entry for clarity.

The error message points to a syntax error at line 124 of the configuration file: Lua reports the line on which it encountered the unexpected token ('[' on line 125), so the missing separator is at the end of the preceding line. There may be errors on more than this line, so review all lines carefully for syntax errors.
 
Line Statement
001  module('traffic_flow_options') 
002  --[=[ 
003  Defaults are defined below. 
004  For proper direction meta: 
005    (a) add ALL internal subnets 
006    (b) DO NOT add any external subnets 
007  Any subnets not listed will result in "other", e.g. netname: other src 
008 Use only cidr notation. Specifically, don't use a netmask like "255.255.255.0" 
009  Both shorthand and normal cidr are valid. 
010  If netmask is omitted, /32 is assumed. 
011  --]=] 
012  function definitions() 
013    return { 
014         ["0/8"] = "broadcast", 
015         ["10/8"] = "private", 
016         ["10.2.100.0/23"] = "vlan1122 switch02_voice", 
017         ["10.3.100.0/23"] = "vlan1103 switch03_voice", 
018         ["10.4.100.0/23"] = "vlan0114 switch04_voice", 
019         ["10.5.100.0/23"] = "vlan1155 switch05_voice", 
020         ["10.6.100.0/23"] = "vlan1166 switch06_voice", 
            [snipped] 
100         ["127/8"] = "loopback", 
101         ["169.254/16"] = "link-local", 
102         ["172.15/12"] = "private", 
            [snipped]
124         ["172.10/16"] = "vdi01" 
125         ["172.11.6.0/24"] = "bldg01_lab" 
126         ["172.12.6.0/24"] = "bldg02_office25" 
127         ["172.130.6.0/24"] = "bldg03_lab" 
            [snipped]
130         ["224/4"] = "multicast", 
132         ["240/4"] = "reserved", 
133         ["255.255.255.255/32"] = "broadcast", 
134    }  
135  end


Note that lines 124 through 127 do not terminate with a comma (","), which is invalid syntax: every field in a Lua table constructor must be separated from the next by a comma (or semicolon), and only the final field before the closing "}" may omit it.

Resolution

Correct the syntax error in the file and restart the nwdecoder service so that the parsers are reloaded and metadata generation resumes.
  1. Log on to the Decoder via ssh as root.
  2. Edit the options file:
vi /etc/netwitness/ng/parsers/traffic_flow_options.lua
  3. Enter Insert mode.
  4. Scroll to lines 124 through 127 and add a comma (",") at the end of each line. The affected lines may differ from the example, so alter only the lines that need it.
  5. Save and exit the file.
  6. Restart the nwdecoder service:
systemctl restart nwdecoder

Validate the changes by performing an investigation to confirm that metadata is now getting created on this appliance.
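Before restarting nwdecoder it is cheaper to catch the defect in the file itself than to wait for the error in /var/log/messages. The following Python linter is an added example, not part of this article or of NetWitness: it walks the definitions() table, reports the line that actually lacks its trailing comma (rather than the following line that Lua reports), and flags keys written with a netmask instead of the CIDR prefix the file header requires. The embedded SAMPLE is a constructed cut-down copy of the broken listing above.

```python
import re
# Constructed sample modelled on the article's broken listing (not the real file).
SAMPLE = """function definitions()
  return {
       ["0/8"] = "broadcast",
       ["172.10/16"] = "vdi01"
       ["172.11.6.0/24"] = "bldg01_lab"
       ["10.2.100.0/255.255.255.0"] = "bad_netmask",
       ["255.255.255.255/32"] = "broadcast"
  }
end"""

# Matches one table entry: ["key"] = "value", optional trailing comma and comment.
ENTRY_RE = re.compile(r'^\s*\["([^"]+)"\]\s*=\s*"[^"]*"\s*(,?)\s*(--.*)?$')

def cidr_problem(key):
    """Return a message if key is not shorthand or full CIDR notation, else None."""
    addr, _, prefix = key.partition('/')
    octets = addr.split('.')
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return "address part is not a dotted-decimal prefix"
    if prefix and not (prefix.isdigit() and int(prefix) <= 32):
        return "netmask notation is not allowed; use a CIDR prefix length"
    return None

def lint_traffic_flow_options(text):
    """Return sorted [(line_number, message)] for defects in the definitions() table."""
    problems, entries, in_table = [], [], False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not in_table:
            in_table = s.startswith('return {')
            continue
        if s.startswith('}'):
            break
        if not s or s.startswith('--'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append((n, "unrecognised table entry"))
            continue
        entries.append((n, m.group(2) == ','))
        msg = cidr_problem(m.group(1))
        if msg:
            problems.append((n, msg))
    # Lua lets only the final entry before '}' omit its comma.
    for n, has_comma in entries[:-1]:
        if not has_comma:
            problems.append((n, "missing trailing comma"))
    return sorted(problems)
```

To check the live file, read /etc/netwitness/ng/parsers/traffic_flow_options.lua into a string and pass it to lint_traffic_flow_options(); an empty result means the table is safe to load.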


Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Decoder
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS/Alma Linux

Summary

Metadata from the traffic_flow lua parser is not being generated and does not appear in investigations, and an error related to the traffic_flow_options.lua file is logged in /var/log/messages.

