The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports more than 300 unique log event sources. Each log event source has a respective log parser for parsing the content of each log. The Meta Dictionary tool describes the metadata used in each of the parsers.
This blog post is intended to help a user understand how to use the tool so they can see the various metadata used in a parser, the description of each metadata key, and the number of times each metadata key appears in a parser.
You need to download the following attachments from the blog post:
- data.meta file
- metadictionary.html file
You also need one of the following browsers:
- Google Chrome version 44 or later
- Firefox version 36 or later
- Internet Explorer 10 or later
- Safari version 7 or later
Viewing Meta Data Definitions
Once you open the metadictionary.html file in a browser, you will see something similar to the screenshot below.
The screen contains the following sections:
- Left Navigation pane: contains a list of all the parsers.
- Details pane: contains the meta details for the selected parser.
This tool offers the flexibility to search for meta keys, data type, etc. as shown in the image below.
In the above screen, we have searched for ipv4, and three occurrences were found; note that the search is case insensitive.
Left Navigation Pane, and Details Pane displays Parser Name and Version
A free text search box that you can use to filter results
Drop-down menu from each Column Header allows you to display or hide columns
The following table describes each of the available columns that contain the meta data for the parsers.
- Investigation Display Name: The value displayed in the Investigation page of the RSA NetWitness UI for each Meta.
- Meta key as used in the parser and its count in parentheses. For example, for the aix parser, the saddr meta key occurs 151 times in the parser definition.
- Corresponding Meta Name for the meta key in the parser definition. Meta Name is used in RSA NetWitness Suite.
- The description for the key.
- The data type of a meta key, as listed in the default table-map.xml.
- Whether or not the key is indexed in the table map. The following examples show the table map details for indexed and non-indexed meta:
  Not Indexed: <mapping
- Whether or not the key is available in the default index-concentrator.xml.
We hope you find this tool useful and welcome any feedback or suggestions for improvement. Please feel free to leave any constructive feedback in the comments below!