So I've created a flexconnector using the regex tool. I checked to make sure all the events in a sample log file are properly parsed and the properties file is saved in <connector>\current\user\agent\flexagent.
I then configured the connector to send its output to my logger and for the input, read the events from the same sample log file as above. But when I start the connector, none of the events in the sample log file are sent to the logger. As a double check, I set the connector to also output to a CEF file, but the only events written to the file are the internal ArcSight events. I've let the connector run for 10 - 15 minutes, but nothing changes.
When I start the connector at the command line, the output to the screen shows that the connector successfully started to read the sample log file from the directory. Then it says the file has been opened. Then it says first event from ArcSight|ArcSight received. Then it says Eps=0.1, Evts=6, then it has a bunch of the following: C=0, ET=Up, HT=Down, N=Barnyard, S=3, T=0.0
Does this mean it's not reading the file correctly, or that the events in the file are too old to be read (the events are from last week)? Or is the modified date of the file itself (also last week?) somehow causing the problem?
Or am I WAY off?
The main question is this: How do I get the flexconnector to read the file and send events from the sample log file I have? Do I have to create another log file?