The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports over 300+ unique log event sources. Each log event source has a respective log parser for parsing the content of each log. The Meta Dictionary tool describes the metadata used in each of the parsersd.
This blog post is intended to help a user understand how to use the tool so they can see the various metadata used in a parser, description of each of the metadata keys and the number of times each metadata keys appear in a parser.
Deployments
You need to download the following attachments from the blog post:
Supported Browsers
Viewing Meta Data Definitions
Once you open metadictionary.html file in a browser you will see something similar to the screenshot below.
The screen contains the following sections:
This tool offers the flexibility to search for meta keys, data type, etc. as shown in the image below.
In the above screen, we have searched for ipv4, and three occurrences were found; note that the search is case insensitive.
Screen Reference
Screen |
Item |
Description |
Parser Name/Version |
Left Navigation Pane, and Details Panedisplays Parser Name and Version |
|
Search |
A free text search box that you can use to filter results |
|
Show/Hide Columns |
Drop down menu from each Column Header allows you to display or hide column |
|
Column Reference
The following table describes each of the available columns that contain the meta data for the parsers.
Column Name |
Description |
|||
Investigation Display Name |
The value displayed in Investigation Page of RSA NetWitness UI for each Meta |
|||
Parser Metakey(occurrences) |
Meta key as used in the Parser and its count in parenthesis. For example, for the |
|||
aix parser, the saddr meta key occurs 151 times in the parser definition |
||||
SA Metakey |
Corresponding Meta Name for the meta key in parser definition. Meta Name is used |
|||
in RSA NetWitness Suite |
||||
Metakey Description |
The description for the key. |
|||
TableMapDatatype |
The data type of a meta key, as listed in the default table map.xml. |
|||
TableMap Indexed |
Whether or not the key is indexed in the table map. |
|||
The following examples show the table map details for indexed |
||||
and non-indexed meta: |
||||
Indexed: |
||||
|
||||
envisionName="device.ip"nwName="device.ip" |
||||
format="IPv4" |
flags="None"/> |
|||
Not Indexed: |
||||
envisionName="device.ip"nwName="device.ip" |
||||
format="IPv4" |
flags="Transient"/> |
|||
Index-Concentrator |
Whether or not the key is available in the default index-concentrator.xml. |
|||
We hope you find this tool useful and welcome any feedback or suggestions for improvement. Please feel free to leave any constructive feedback in the comments below!