How to monitor lua parsers in NetWitness Decoders
Issue
Customers sometimes want to monitor statistics of Lua parsers, including custom Lua parsers, for performance reasons on a packet or log Decoder. In this case, this script may help the customer identify Decoder performance issues, such as packet drops caused by a custom Lua parser. The script gathers the following statistics for each Lua parser once you have configured "detailed.stats=yes" under /decoder/parsers/config in Explore. (You can add more statistics by modifying the script if necessary.)
- Memory Usage
- Meta Callback Counts
- Port Callback Counts
- Token Callback Counts
Tasks
Ensure that you carefully read the instructions below before you run this script.
Usage and Caution
- You must run the script on the Decoder machine in the background using the "nohup" command, and use the "kill" command to stop it.
# nohup ./lua_parsers_mon.sh &
- The default collection interval is 60 seconds. You can adjust it by modifying the "INTERVAL" variable inside the script.
- The output is stored as /root/parsers_stats.txt. You can adjust it by modifying the "OUTPUT_DIR" variable inside the script.
# cat /root/parsers_stats.txt
#DATE,PARSER_NAME,Memory_Usage,Meta_Callback_Counts,Port_Callback_Counts,Token_Callback_Counts
20200311061659,ALERTS,0,0,0,0
20200311061700,CustomTCP,0,0,0,0
20200311061700,DHCP,0,0,3097,0
20200311061701,DNS,6939,0,94,0
20200311061702,DNS_verbose_lua,0,391746,94,0
20200311061702,DynDNS,0,56069,0,0
20200311061703,Entropy,0,0,0,0
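To find which parser is driving load, compare each parser's first and last sample in the output file. The following is an added example, not part of the RSA script: it assumes the CSV layout shown above with rows appended in time order, and the second interval in its sample data is constructed. The page does not state whether the counters are cumulative, so the delta is simply last minus first.

```shell
#!/bin/sh
# Added example: rank Lua parsers by the change in one statistic between the
# first and last sample in the CSV written by lua_parsers_mon.sh.
# parser_growth FILE COLUMN [TOP_N]   COLUMN: memory | meta | port | token
#   prints "PARSER,FIRST,LAST,DELTA", largest DELTA first
parser_growth() {
    file=$1; top=${3:-10}
    case $2 in
        memory) col=3 ;;
        meta)   col=4 ;;
        port)   col=5 ;;
        token)  col=6 ;;
        *) echo "unknown column: $2" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk -F, -v OFS=, -v c="$col" '
        /^#/ || NF < 6 { next }            # skip header and malformed lines
        $c !~ /^[0-9]+$/ { next }          # skip non-numeric values
        !($2 in first) { first[$2] = $c }  # first sample seen for this parser
        { last[$2] = $c }                  # overwritten until the final sample
        END {
            for (p in first) print p, first[p], last[p], last[p] - first[p]
        }' "$file" | LC_ALL=C sort -t, -k4,4nr -k1,1 | head -n "$top"
}

# Constructed sample: first interval from the page, second interval invented.
sample_stats() {
cat <<'EOF'
#DATE,PARSER_NAME,Memory_Usage,Meta_Callback_Counts,Port_Callback_Counts,Token_Callback_Counts
20200311061700,DHCP,0,0,3097,0
20200311061701,DNS,6939,0,94,0
20200311061702,DNS_verbose_lua,0,391746,94,0
20200311061702,DynDNS,0,56069,0,0
20200311061800,DHCP,0,0,3150,0
20200311061801,DNS,6939,0,101,0
20200311061802,DNS_verbose_lua,0,402311,101,0
20200311061802,DynDNS,0,56980,0,0
EOF
}

# Demo: top 3 parsers by change in meta callback count.
tmp=$(mktemp) || exit 1
sample_stats > "$tmp"
parser_growth "$tmp" meta 3
rm -f "$tmp"
```

On a Decoder, call `parser_growth /root/parsers_stats.txt meta` (or `memory`, `port`, `token`) against the real output file.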
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.x
Platform: CentOS