
RSA NetWitness Platform

Event Source Log Configuration Guide

RSA NetFlow Collector


Last Modified: Tuesday, April 6, 2021

Event Source Product Information:


Vendor: RSA, The Security Division of EMC
Event Source: NetFlow Collection Module
Versions: 10.4

RSA Product Information:


Supported On: Security Analytics 10.4 and later
Event Source Log Parser: rsaflow, cef
Collection Method: Netflow
Event Source Class.Subclass: Security.Analysis
Configure RSA NetFlow Collection Module
To configure NetFlow collection for an event source, you must perform the following
procedures:

• Configure RSA NetWitness Platform for NetFlow Collection. Search for Configure
  NetFlow Event Sources in the RSA NetWitness Platform help.

• Configure NetFlow Output on the event source. See the associated documentation for
  each individual event source for help in configuring the event source to send NetFlow
  data.


About NetFlow
NetFlow was created for the purpose of generating flow information (source IP, source
port, destination IP, destination port). That flow information is then used for optimizing
network flow through the routers and switches. Additionally, the flow information
generated is useful for reporting and for providing insights from an RSA NetWitness
Platform perspective.
NetFlow reports the flow information by way of flow records. These records contain the
packet and byte counts of a unidirectional flow. The NetFlow records are assembled into
export datagrams, with up to 30 records per datagram. A NetFlow collector collects these
datagrams.
The RSA NetFlow collection module can parse both Version 5 and Version 9 NetFlow export
datagrams.

NetFlow Collector Mapping


The collector file, netflow.xml, is responsible for mapping NetFlow v5 and v9 flow
record fields. The fields are mapped according to these rules:
1. If the NetFlow field has an equivalent in the Common Event Format (CEF) standard,
then the field is mapped to the CEF field.

2. If the NetFlow v5 field has an equivalent v9 field, then the v5 field is mapped to the v9
field.

3. Otherwise, the original NetFlow field remains unchanged.

NetFlow Collector Mapping File


Separate sections exist for v5 and v9 and these are further separated into Header and Data
sections.
Note the following:
• The <in> value is how the field appears in the log message before mapping is applied.

• The <out> value is the field name that is sent to the RSA Log Decoder.

• To enable a field to be included in the log message, set <inc> to true.

• To disable a field, set <inc> to false.

• The field <fmt> determines the output format of the field.
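As an added illustration (not the collector's own code), the following Python parses a constructed NetFlow v5 export datagram and applies the three mapping rules to each record: the v5 name is first translated to its v9 equivalent from the NetFlow Details table, then to the CEF key where the CEF Details table gives one, and is otherwise left unchanged. It also uses the v5 header SequenceCounter ("total flows") to detect export datagrams lost between two consecutive packets. The v5 wire layout is the standard Cisco one; the field names and map contents come from this guide, and the sample record is constructed.

```python
import struct
import ipaddress

# NetFlow v5 export datagram (network byte order): a 24-byte header followed
# by up to 30 fixed-size 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS_PER_DATAGRAM = 30

# v5 field names as the guide's NetFlow Details table spells them.
V5_HEADER_FIELDS = ("Version", "Count", "SystemUpTime", "UnixSeconds", "UnixNSeconds",
                    "SequenceCounter", "EngineType", "EngineId", "Sampling")
V5_RECORD_FIELDS = ("SrcAddr", "DstAddr", "NextHopAddr", "SNMPinputIF", "SNMPoutputIF",
                    "PacketsInFlow", "OctetsInFlow", "StartUpTime", "LastUptime",
                    "SrcPort", "DstPort", "pad1", "TcpFlags", "IpProtocol",
                    "TypeOfService", "SrcAutoSysNum", "DstAutoSysNum",
                    "SrcPrefixMask", "DstPrefixMask", "pad2")

# Rule 2: v5 field -> equivalent v9 field (from the NetFlow Details table).
V5_TO_V9 = {
    "SrcAddr": "Ipv4SrcAddr", "DstAddr": "Ipv4DstAddr", "NextHopAddr": "Ipv4NextHop",
    "SNMPinputIF": "InputSnmp", "SNMPoutputIF": "OutputSnmp",
    "StartUpTime": "FirstSwitched", "LastUptime": "LastSwitched",
    "SrcPort": "L4SrcPort", "DstPort": "L4DstPort", "IpProtocol": "Protocol",
    "TypeOfService": "SrcTos", "SrcAutoSysNum": "SrcAs", "DstAutoSysNum": "DstAs",
    "SrcPrefixMask": "SrcMask", "DstPrefixMask": "DstMask",
}
# Rule 1: fields with a CEF key (from the CEF Details table). Rule 3: a field
# found in neither map keeps its original NetFlow name.
TO_CEF = {"Ipv4SrcAddr": "src", "Ipv4DstAddr": "dst", "L4SrcPort": "spt",
          "L4DstPort": "dpt", "Protocol": "proto"}
IP_FIELDS = {"Ipv4SrcAddr", "Ipv4DstAddr", "Ipv4NextHop"}   # <fmt> IP in netflow.xml


def map_field(v5_name):
    """Output name for a v5 field after applying the three mapping rules."""
    v9_name = V5_TO_V9.get(v5_name, v5_name)   # rule 2, else rule 3
    return TO_CEF.get(v9_name, v9_name)        # rule 1 wins where a CEF key exists


def parse_v5(datagram):
    """Parse one v5 datagram into (header dict, list of mapped record dicts);
    raises ValueError when the header advertises more records than the
    datagram carries, rather than reading past its end."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(V5_HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["Version"] != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % header["Version"])
    count = header["Count"]
    if count > MAX_RECORDS_PER_DATAGRAM:
        raise ValueError("record count %d exceeds the v5 maximum of 30" % count)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header promises %d records" % count)
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = {}
        for v5_name, value in zip(V5_RECORD_FIELDS, raw):
            if v5_name.startswith("pad"):
                continue
            if V5_TO_V9.get(v5_name, v5_name) in IP_FIELDS:
                value = str(ipaddress.IPv4Address(value))   # 4 raw bytes -> dotted quad
            rec[map_field(v5_name)] = value
        records.append(rec)
    return header, records


def missed_flows(prev_header, cur_header):
    """Flows lost between two consecutive datagrams from one exporter.

    The v5 header SequenceCounter is "total flows" seen before this datagram,
    so the next datagram should start at counter + record count of this one.
    """
    expected = (prev_header["SequenceCounter"] + prev_header["Count"]) & 0xFFFFFFFF
    return (cur_header["SequenceCounter"] - expected) & 0xFFFFFFFF


def build_sample_datagram(sequence, records):
    """Pack record tuples into a v5 datagram (constructed test data)."""
    head = V5_HEADER.pack(5, len(records), 123456, 1617667200, 0, sequence, 0, 0, 0)
    return head + b"".join(V5_RECORD.pack(*r) for r in records)


# One constructed TCP flow, in V5_RECORD_FIELDS order (not a captured export).
SAMPLE_RECORD = (
    ipaddress.IPv4Address("192.168.10.1").packed,    # SrcAddr
    ipaddress.IPv4Address("10.0.0.5").packed,        # DstAddr
    ipaddress.IPv4Address("10.0.0.1").packed,        # NextHopAddr
    1, 2, 12, 4096,          # SNMPinputIF, SNMPoutputIF, PacketsInFlow, OctetsInFlow
    100000, 101000,          # StartUpTime, LastUptime (system uptime, ms)
    51234, 443, 0, 0x1B,     # SrcPort, DstPort, pad1, TcpFlags (FIN|SYN|PSH|ACK)
    6, 0, 64512, 65000,      # IpProtocol (TCP), TypeOfService, SrcAutoSysNum, DstAutoSysNum
    24, 8, 0,                # SrcPrefixMask, DstPrefixMask, pad2
)

if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample_datagram(1000, [SAMPLE_RECORD]))
    print(recs[0])
    later, _ = parse_v5(build_sample_datagram(1003, [SAMPLE_RECORD]))
    print("flows missed between datagrams:", missed_flows(hdr, later))
```

A gap reported by missed_flows means export datagrams never reached the collector, so the flow record set for that period is incomplete and any counts built on it undercount.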

NetFlow Mapping File Details
The following tables describe the fields available, and their mappings as they are parsed
through RSA NetWitness Platform.
Note that the Index field is listed in all of the following tables, so that you can compare
the row details across the presented tables.

NetFlow Details
This table describes the NetFlow information.

| Index | v9 Field | v5 Field | Description | Format |
|---|---|---|---|---|
| 0 | Invalid | Invalid | Unrecognized key | DEC |
| 1 | InBytes | [none] | Incoming counter for number of bytes associated with an IP Flow | DEC |
| 2 | InPackets | [none] | Incoming counter for the number of packets associated with an IP Flow | DEC |
| 3 | Flows | SequenceCounter | Number of flows that were aggregated. SequenceCounter in NetFlow Version 5 and Version 8 headers represented "total flows." | DEC |
| 4 | Protocol | IpProtocol | IP protocol | DEC |
| 5 | SrcTos | TypeOfService | Type of Service setting when entering incoming interface | DEC |
| 6 | TcpFlags | TcpFlags | Cumulative of all the TCP flags seen for this flow | DEC |
| 7 | L4SrcPort | SrcPort | TCP/UDP source port number. For example, FTP, Telnet, or equivalent | DEC |
| 8 | Ipv4SrcAddr | SrcAddr | IPv4 source address | IP |
| 9 | SrcMask | SrcPrefixMask | Source address subnet mask, in slash notation | PREFIX |
| 10 | InputSnmp | SNMPinputIF | Input interface index | DEC |
| 11 | L4DstPort | DstPort | TCP/UDP destination port number, e.g. FTP, Telnet, or equivalent | DEC |
| 12 | Ipv4DstAddr | DstAddr | IPv4 destination address | IP |
| 13 | DstMask | DstPrefixMask | The number of contiguous bits in the source address subnet, in slash notation | PREFIX |
| 14 | OutputSnmp | SNMPoutputIF | Output interface index | DEC |
| 15 | Ipv4NextHop | NextHopAddr | IPv4 address of next-hop router | IP |
| 16 | SrcAs | SrcAutoSysNum | Source BGP autonomous system number | DEC |
| 17 | DstAs | DstAutoSysNum | Destination BGP autonomous system number | DEC |
| 18 | BgpIpv4NextHop | [none] | Next-hop router's IP in the BGP domain | DEC |
| 19 | MulDstPkts | [none] | IP multicast outgoing packet counter | DEC |
| 20 | MulDstBytes | [none] | IP multicast outgoing byte counter | DEC |
| 21 | FirstSwitched | StartUpTime | System uptime at which the first packet of this flow was switched | DEC |
| 22 | LastSwitched | LastUptime | System uptime at which the last packet of this flow was switched | DEC |
| 23 | OutBytes | [none] | Outgoing counter for the number of bytes associated with an IP Flow | DEC |
| 24 | OutPackets | [none] | Outgoing counter for the number of packets associated with an IP Flow | DEC |
| 25 | MinPacketLen | [none] | Minimum IP packet length on incoming packets of the flow | DEC |
| 26 | MaxPacketLen | [none] | Maximum IP packet length on incoming packets of the flow | DEC |
| 27 | Ipv6SrcAddr | [none] | IPv6 Source Address | IP |
| 28 | Ipv6DstAddr | [none] | IPv6 Destination Address | IP |
| 29 | Ipv6SrcMask | [none] | IPv6 source mask | DEC |
| 30 | Ipv6DstMask | [none] | IPv6 destination mask | DEC |
| 31 | Ipv6FlowLabel | [none] | IPv6 flow label as per RFC 2460 definition | HEX |
| 32 | IcmpType | [none] | Internet Control Message Protocol (ICMP) packet type; reported as ((ICMP Type*256) + ICMP code) | DEC |
| 33 | MulIgmpType | [none] | Internet Group Management Protocol (IGMP) packet type | DEC |
| 34 | SamplingInterval | Sampling | When using sampled NetFlow, the rate at which packets are sampled, i.e. a value of 100 indicates that one of every 100 packets is sampled | DEC |
| 35 | SamplingAlgorithm | [none] | The type of algorithm used for sampling: NetFlow: 0x01; Deterministic Sampling: 0x02; Random Sampling: 0x03 | DEC |
| 36 | FlowActiveTimeout | [none] | Timeout value (in seconds) for active flow entries in the NetFlow cache | DEC |
| 37 | FlowInactiveTimeout | [none] | Timeout value (in seconds) for inactive flow entries in the NetFlow cache | DEC |
| 38 | EngineType | EngineType | Type of flow switching engine: RP = 0, VIP/Linecard = 1 | DEC |
| 39 | EngineId | EngineId | ID number of the flow switching engine | DEC |
| 40 | TotalBytesExp | [none] | Counter for the number of bytes exported by the Observation Domain | DEC |
| 41 | TotalPacketsExp | [none] | Counter for the number of packets exported by the Observation Domain | DEC |
| 42 | TotalFlowsExp | [none] | Counter for the number of flows exported by the Observation Domain | DEC |
| 43 | VendorSpecific1 | [none] | Vendor defined field | DEC |
| 44 | Ipv4SrcPrefix | [none] | IPv4 source address prefix (specific for Catalyst architecture) | IP |
| 45 | Ipv4DstPrefix | [none] | IPv4 destination address prefix (specific for Catalyst architecture) | |
| 46 | MplsTopLabelType | [none] | MPLS Top Label Type | DEC |
| 47 | MplsTopLabelIpAddr | [none] | Forwarding Equivalent Class corresponding to the MPLS Top Label | DEC |
| 48 | FlowSamplerId | [none] | Identifier shown in "show flow-sampler" | DEC |
| 49 | FlowSamplerMode | [none] | The type of algorithm used for sampling data. Use in connection with SamplingAlgorithm | DEC |
| 50 | FlowSamplerRandIntv | [none] | Packet interval at which to sample. Use in connection with FlowSamplerMode | DEC |
| 51 | VendorSpecific2 | [none] | Vendor defined field | STR |
| 52 | MinTtl | [none] | Minimum TTL on incoming packets of the flow | DEC |
| 53 | MaxTtl | [none] | Maximum TTL on incoming packets of the flow | DEC |
| 54 | Ipv4Ident | [none] | The IPv4 identification field | DEC |
| 55 | DstTos | [none] | Type of Service byte setting when exiting outgoing interface | DEC |
| 56 | InSrcMac | [none] | Incoming source MAC address | MAC |
| 57 | OutDstMac | [none] | Outgoing destination MAC address | MAC |
| 58 | SrcVlan | [none] | Virtual LAN identifier associated with ingress interface | DEC |
| 59 | DstVlan | [none] | Virtual LAN identifier associated with egress interface | DEC |
| 60 | IpProtoVersion | [none] | Internet Protocol Version. Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed. | DEC |
| 61 | Direction | [none] | Flow direction: 0 - ingress flow, 1 - egress flow | DEC |
| 62 | Ipv6NextHop | [none] | IPv6 address of the next-hop router | IP |
| 63 | BgpIpv6NextHop | [none] | Next-hop router in the BGP domain | IP |
| 64 | Ipv6OptionHeaders | [none] | Identifies IPv6 option headers found in the flow | HEX |
| 65 | VendorSpecific3 | [none] | Vendor defined field | DEC |
| 66 | VendorSpecific4 | [none] | Vendor defined field | DEC |
| 67 | VendorSpecific5 | [none] | Vendor defined field | DEC |
| 68 | VendorSpecific6 | [none] | Vendor defined field | DEC |
| 69 | VendorSpecific7 | [none] | Vendor defined field | DEC |
| 70 | MplsLabel1 | [none] | MPLS label at position 1 in the stack | DEC |
| 71 | MplsLabel2 | [none] | MPLS label at position 2 in the stack | DEC |
| 72 | MplsLabel3 | [none] | MPLS label at position 3 in the stack | DEC |
| 73 | MplsLabel4 | [none] | MPLS label at position 4 in the stack | DEC |
| 74 | MplsLabel5 | [none] | MPLS label at position 5 in the stack | DEC |
| 75 | MplsLabel6 | [none] | MPLS label at position 6 in the stack | DEC |
| 76 | MplsLabel7 | [none] | MPLS label at position 7 in the stack | DEC |
| 77 | MplsLabel8 | [none] | MPLS label at position 8 in the stack | DEC |
| 78 | MplsLabel9 | [none] | MPLS label at position 9 in the stack | DEC |
| 79 | MplsLabel10 | [none] | MPLS label at position 10 in the stack | DEC |
| 80 | InDstMac | [none] | Incoming destination MAC address | MAC |
| 81 | OutSrcMac | [none] | Outgoing source MAC address | MAC |
| 82 | IfName | [none] | Shortened interface name, i.e. "FE1/0" | STR |
| 83 | IfDesc | [none] | Full interface name, i.e. "FastEthernet 1/0" | STR |
| 84 | SamplerName | [none] | Name of the flow sampler | STR |
| 85 | InPermBytes | [none] | Running byte counter for a permanent flow | DEC |
| 86 | InPermPackets | [none] | Running packet counter for a permanent flow | DEC |
| 87 | VendorSpecific8 | [none] | Vendor defined field | DEC |
| [none] | [none] | UnixNSeconds | Residual nanoseconds since 0000 UTC 1970 | DEC |
| [none] | [none] | OctetsInFlow | Total number of Layer 3 bytes in the packets of the flow | DEC |
| [none] | [none] | PacketsInFlow | Packets in the flow | DEC |
| header | SequenceCounter | [none] | Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed. Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows." | DEC |
| header | sourceId | [none] | The Source ID field is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers.) The format of this field is vendor specific. | DEC |
| header | SystemUpTime | SystemUpTime | Time in milliseconds since this device was first booted | DEC |
| header | templateId | [none] | As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs. | DEC |
| header | UnixSeconds | UnixSeconds | Seconds since 0000 Coordinated Universal Time (UTC) 1970 | DEC |
| header | Version | Version | The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009 | DEC |

CEF Details
This table lists the CEF information.

| Index | Key | Full Name | Key Format | Description |
|---|---|---|---|---|
| 0 | [none] | [none] | [none] | [none] |
| 1 | in | bytesIn | Integer | Number of bytes transferred inbound. Inbound relative to the source to destination relationship, meaning that data was flowing from source to destination. |
| 2 | [none] | [none] | [none] | [none] |
| 3 | cnt | baseEventCount | Integer | A count associated with this event. |
| 4 | proto | transportProtocol | string | Identifies the Layer-4 protocol used. The possible values are protocol names such as TCP or UDP. |
| 5-6 | [none] | [none] | [none] | [none] |
| 7 | spt | sourcePort | integer | The valid port numbers are 0 to 65535. |
| 8 | src | sourceAddress | IPv4Address | Identifies the source that an event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1" |
| 9-10 | [none] | [none] | [none] | [none] |
| 11 | dpt | destinationPort | integer | The valid port numbers are between 0 and 65535. |
| 12 | dst | destinationAddress | IPv4Address | Identifies the destination that the event refers to in an IP network. The format is an IPv4 address. Example: "192.168.10.1" |
| 13-20 | [none] | [none] | [none] | [none] |
| 21 | [none] | startTime | Timestamp | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). |
| 22 | [none] | endTime | Timestamp | The time at which the activity related to the event ended. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). An example would be reporting the end of a session. |
| 23 | out | bytesOut | integer | Number of bytes transferred outbound. Outbound relative to the source to destination relationship, meaning that data was flowing from destination to source. |
| 24-42 | [none] | [none] | [none] | [none] |
| 43 | cs1 | deviceCustomString1 | string | There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. |
| 44-50 | [none] | [none] | [none] | [none] |
| 51 | cs2 | deviceCustomString2 | string | There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. |
| 52-55 | [none] | [none] | [none] | [none] |
| 56 | smac | sourceMacAddress | MAC address | Six colon-separated hexadecimal numbers. |
| 57 | dmac | destinationMacAddress | MAC address | Six colon-separated hexadecimal numbers. |
| 58-60 | [none] | [none] | [none] | [none] |
| 61 | deviceDirection | deviceDirection | String | Any information about what direction the communication that was observed has taken. |
| 62-64 | [none] | [none] | [none] | [none] |
| 65 | cs3 | deviceCustomString3 | String | There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. |
| 66 | cs4 | deviceCustomString4 | String | There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. |
| 67 | cs5 | deviceCustomString5 | String | There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. |
| 68 | cs6 | deviceCustomString6 | String | There are six strings available which can be used to map fields which do not fit into any other field of this dictionary. |
| 69-79 | [none] | [none] | [none] | [none] |
| 80 | dmac | destinationMacAddress | MAC address | Six colon-separated hexadecimal numbers. |
| 81 | smac | sourceMacAddress | MAC address | Six colon-separated hexadecimal numbers. |
| 82 | [none] | deviceInboundInterface / deviceOutboundInterface | String | Interface on which the packet or data entered / left the device. |
| 83-87 | [none] | [none] | [none] | [none] |
| [none] | [none] | [none] | [none] | [none] |
| [none] | [none] | [none] | [none] | [none] |
| [none] | [none] | [none] | [none] | [none] |
| header | [none] | [none] | [none] | [none] |
| header | externalId | externalId | Integer | An ID used by the originating device. Usually these are increasing numbers associated with events. |
| header | [none] | [none] | [none] | [none] |
| header | [none] | [none] | [none] | [none] |
| header | rt | receiptTime | Timestamp | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). |
| header | [none] | [none] | [none] | [none] |

RSA Details
This table describes the RSA parsing information.

| Index | Flow Collector Mapping (netflow.xml) | Flow Parser Mapping (rsaflowmsg.xml) | NetWitness Platform Network Meta Key | NetWitness Platform Log Mapping Meta Key | Description |
|---|---|---|---|---|---|
| 0 | Invalid | cn_invalid | [none] | [none] | [none] |
| 1 | in | rbytes | [none] | rbytes | Bytes received |
| 2 | InPackets | cn_rpackets | [none] | [none] | n/a |
| 3 | cnt | event_counter | [none] | event.counter | Number of times the event has repeated, OR the total number of events aggregated. |
| 4 | proto | ip_proto | ip.proto | protocol | IP protocol name |
| 5 | SrcTos | cn_src_tos | [none] | tos | The priority given to a network protocol |
| 6 | TcpFlags | tcp_flags | tcp.flags | [none] | (TCP only) bit-packed denoting which flags were seen in the session, regardless of client or server and regardless of how many times that flag was seen. |
| 7 | spt | sport | tcp.srcport / udp.srcport | ip.srcport | Source port |
| 8 | src | saddr | ip.src | ip.src | Source IPv4 address |
| 9 | SrcMask | smask | [none] | smask | Source device network mask |
| 10 | InputSnmp | dinterface | [none] | sinterface | Network Source interface |
| 11 | dpt | dport | tcp.dstport / udp.dstport | ip.dstport | Destination port |
| 12 | dst | daddr | ip.dst | ip.dst | Destination address |
| 13 | DstMask | dmask | [none] | dmask | Destination Device network mask |
| 14 | OutputSnmp | sinterface | [none] | sinterface | Network Source interface |
| 15 | Ipv4NextHop | cs_ip_next_hop | [none] | [none] | [none] |
| 16 | SrcAs | cn_asn_src | asn.src | [none] | Source BGP autonomous system number |
| 17 | DstAs | cn_asn_dst | asn.dst | [none] | Destination BGP autonomous system number |
| 18 | BgpIpv4NextHop | cn_bgp_ipv4_next_hop | [none] | [none] | [none] |
| 19 | MulDstPkts | cn_mul_dst_pks | [none] | [none] | [none] |
| 20 | MulDstBytes | cn_mul_dst_bytes | [none] | [none] | [none] |
| 21 | FirstSwitched | cn_first_switched | [none] | [none] | Start time of the event. If you are using this you MUST also be using event_time. |
| 22 | LastSwitched | cn_last_switched | [none] | [none] | [none] |
| 23 | out | sbytes | [none] | bytes | Bytes sent |
| 24 | OutPackets | cn_spackets | [none] | packets | n/a |
| 25 | MinPacketLen | cn_min_packet_len | [none] | [none] | [none] |
| 26 | MaxPacketLen | cn_max_packet_len | [none] | [none] | [none] |
| 27 | src | saddr | ipv6.src | ipv6.src | Source IPv6 Address |
| 28 | dst | daddr | ipv6.dst | ipv6.dst | Destination IPv6 Address |
| 29 | Ipv6SrcMask | smask | [none] | smask | Source device network mask |
| 30 | Ipv6DstMask | dmask | [none] | dmask | Destination device network mask |
| 31 | Ipv6FlowLabel | cn_ipv6_flow_label | [none] | [none] | [none] |
| 32 | IcmpType | icmptype | [none] | icmp.type / icmp.code | The "type" value for an ICMP packet. / The "code" value for an ICMP packet. |
| 33 | MulIgmpType | cn_mul_igmp_type | [none] | [none] | [none] |
| 34 | SamplingInterval | cn_sampling_interval | [none] | [none] | [none] |
| 35 | SamplingAlgorithm | cn_sampling_algorithm | [none] | [none] | [none] |
| 36 | FlowActiveTimeout | cn_flow_active_timeout | [none] | [none] | [none] |
| 37 | FlowInactiveTimeout | cn_flow_inactive_timeout | [none] | [none] | [none] |
| 38 | EngineType | cn_engine_type | [none] | [none] | [none] |
| 39 | EngineId | cn_engine_id | [none] | [none] | [none] |
| 40 | TotalBytesExp | cn_total_bytes_exp | [none] | [none] | [none] |
| 41 | TotalPacketsExp | cn_total_packets_exp | [none] | [none] | [none] |
| 42 | TotalFlowsExp | cn_total_flows_exp | [none] | [none] | [none] |
| 43 | cs1 | fld | [none] | [none] | [none] |
| 44 | Ipv4SrcPrefix | cs_ipv4_src_prefix | [none] | [none] | [none] |
| 45 | Ipv4DstPrefix | cs_ipv4_dst_prefix | [none] | [none] | [none] |
| 46 | MplsTopLabelType | cn_mpls_top_label_type | [none] | [none] | [none] |
| 47 | MplsTopLabelIpAddr | cn_mpls_top_label_ipaddr | [none] | [none] | [none] |
| 48 | FlowSamplerId | cn_flow_sampler_id | [none] | [none] | [none] |
| 49 | FlowSamplerMode | cn_flow_sampler_mode | [none] | [none] | [none] |
| 50 | FlowSamplerRandIntv | cn_flow_sampler_rand_intv | [none] | [none] | [none] |
| 51 | cs2 | fld | [none] | [none] | [none] |
| 52 | MinTtl | cn_min_ttl | [none] | [none] | [none] |
| 53 | MaxTtl | cn_max_ttl | [none] | [none] | [none] |
| 54 | Ipv4Ident | cn_ipv4_ident | [none] | [none] | [none] |
| 55 | DstTos | cn_dst_tos | [none] | tos | The priority given to a network protocol |
| 56 | smac | smacaddr | eth.src | eth.src | Source MAC address |
| 57 | dmac | dmacaddr | eth.dst | eth.dst | Destination MAC address |
| 58 | SrcVlan | cn_src_vlan | [none] | vlan.name | VLAN number |
| 59 | DstVlan | cn_dst_vlan | [none] | vlan.name | VLAN number |
| 60 | IpProtoVersion | cn_ip_proto_version | [none] | [none] | [none] |
| 61 | deviceDirection | direction | [none] | direction | Direction of the network flow (for the systems that capture this) |
| 62 | Ipv6NextHop | cs_ipv6_next_hop | [none] | [none] | [none] |
| 63 | BgpIpv6NextHop | cs_bgp_ipv6_next_hop | [none] | [none] | [none] |
| 64 | Ipv6OptionHeaders | cn_ipv6_option_headers | [none] | [none] | [none] |
| 65 | cs3 | fld | [none] | [none] | [none] |
| 66 | cs4 | fld | [none] | [none] | [none] |
| 67 | cs5 | fld | [none] | [none] | [none] |
| 68 | cs6 | fld | [none] | [none] | [none] |
| 69 | cs7 | fld | [none] | [none] | [none] |
| 70 | MplsLabel1 | cn_mpls_label_1 | [none] | [none] | [none] |
| 71 | MplsLabel2 | cn_mpls_label_2 | [none] | [none] | [none] |
| 72 | MplsLabel3 | cn_mpls_label_3 | [none] | [none] | [none] |
| 73 | MplsLabel4 | cn_mpls_label_4 | [none] | [none] | [none] |
| 74 | MplsLabel5 | cn_mpls_label_5 | [none] | [none] | [none] |
| 75 | MplsLabel6 | cn_mpls_label_6 | [none] | [none] | [none] |
| 76 | MplsLabel7 | cn_mpls_label_7 | [none] | [none] | [none] |
| 77 | MplsLabel8 | cn_mpls_label_8 | [none] | [none] | [none] |
| 78 | MplsLabel9 | cn_mpls_label_9 | [none] | [none] | [none] |
| 79 | MplsLabel10 | cn_mpls_label_10 | [none] | [none] | [none] |
| 80 | dmac | dmacaddr | eth.dst | eth.dst | Destination MAC address |
| 81 | smac | smacaddr | eth.src | eth.src | Source MAC address |
| 82 | IfName | cs_if_name | [none] | [none] | [none] |
| 83 | IfDesc | cs_if_desc | [none] | [none] | [none] |
| 84 | SamplerName | cs_sampler_name | [none] | [none] | [none] |
| 85 | InPermBytes | cn_in_perm_bytes | [none] | [none] | [none] |
| 86 | InPermPackets | cn_in_perm_packets | [none] | [none] | [none] |
| 87 | cs8 | fld | [none] | [none] | [none] |
| [none] | UnixNSeconds | cn_unix_nano_seconds | [none] | [none] | [none] |
| [none] | OctetsInFlow | bytes | size | bytes | Total bytes |
| [none] | PacketsInFlow | packets | packets | packets | Total packets |
| header | SequenceCounter | cn_sequence_counter | [none] | [none] | [none] |
| header | externalId | hardware_id | [none] | hardware.id | A unique identifier for a device or system (NOT a Mac address) |
| header | SystemUpTime | cn_system_uptime_ms | [none] | [none] | [none] |
| header | TemplateId | cn_template_id | [none] | [none] | [none] |
| header | rt | event_time | [none] | event.time | Date/Time of the occurrence of the event as recorded by the system which generated it. |
| header | Version | version | [none] | version | Version of the application or OS which is generating the event. |

Table Map Details


This table contains details for the Table-Map.xml file.

| Index | enVision Name | NetWitness Platform Name | Failure Key |
|---|---|---|---|
| 0 | [none] | n/a | n/a |
| 1 | rbytes | rbytes | n/a |
| 2 | [none] | n/a | n/a |
| 3 | event_counter | event.counter | n/a |
| 4 | ip_proto | ip.proto | protocol |
| 5 | tos | tos | n/a |
| 6 | tcp_flags | tcp.flags | n/a |
| 7 | sport | ip.srcport | n/a |
| 8 | saddr | ip.src | ipv6.src |
| 9 | smask | smask | n/a |
| 10 | sinterface | sinterface | n/a |
| 11 | dport | ip.dstport | n/a |
| 12 | daddr | ip.dst | ipv6.dst |
| 13 | dmask | dmask | n/a |
| 14 | sinterface | sinterface | n/a |
| 15-22 | [none] | n/a | n/a |
| 23 | sbytes | bytes.src | n/a |
| 24-26 | [none] | n/a | n/a |
| 27 | saddr_v6 | ipv6.src | n/a |
| 28 | daddr_v6 | ipv6.dst | n/a |
| 29 | smask | smask | n/a |
| 30 | dmask | dmask | n/a |
| 31 | [none] | n/a | n/a |
| 32 | icmptype | icmp.type | n/a |
| 33-54 | [none] | n/a | n/a |
| 55 | tos | tos | n/a |
| 56 | smacaddr | eth.src | n/a |
| 57 | dmacaddr | eth.dst | n/a |
| 58-60 | [none] | n/a | n/a |
| 61 | direction | direction | n/a |
| 62-79 | [none] | n/a | n/a |
| 80 | dmacaddr | eth.dst | n/a |
| 81 | smacaddr | eth.src | n/a |
| 82-87 | [none] | n/a | n/a |
| [none] | [none] | n/a | n/a |
| [none] | bytes | bytes | n/a |
| [none] | packets | packets | n/a |
| header | [none] | n/a | n/a |
| header | hardware_id | hardware.id | n/a |
| header | [none] | n/a | n/a |
| header | [none] | n/a | n/a |
| header | event_time | event.time | n/a |
| header | version | version | n/a |

© 2021 RSA Security LLC or its affiliates. All Rights Reserved.


November 2020

Trademarks
RSA Conference Logo, RSA, and other trademarks, are trademarks of RSA Security LLC or its
affiliates ("RSA"). For a list of RSA trademarks, go to https://www.rsa.com/en-
us/company/rsa-trademarks. Other trademarks are trademarks of their respective owners.
