Message: Parsing failed: Error: Error in DateTime class

Hi Community,

trying to configure CEF between eDirectory and NetIQ Sentinel,

I get the following error event in my Sentinel (8.4.1), generated by eDirectory events:

Message: Parsing failed: Error: Error in DateTime class: Invalid format: "1659965281691"; original message: Aug 08 15:28:01 eDirectory : INFOCEF:0|NetIQ|eDirectory|9.2.5|CEF0B0341|CHANGE_SECURITY_EQUA

I have tried changing the "log4j.appender.S.layout.ConversionPattern" parameters, without any luck.

What's wrong?

Thanks,

Pascal

Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

  • How did you get the "INFOCEF"? The settings in auditlogconfig.properties should be:

    # Layout definition for appender Syslog S.
    log4j.appender.S.layout=org.apache.log4j.PatternLayout
    log4j.appender.S.layout.ConversionPattern=%c: %m%n
    

    Then the message received by Sentinel looks like:

    <14>eDirectory: CEF:0|NetIQ|eDirectory|9.2.6.0000|CEF0B035E|CONNECTION|4|dvc=172.30.1.24 dvchost=engine.xfdemo.com rt=1659972926106 dtz=UTC sourceServiceName=CN\=engine,OU\=servers,O\=system sproc=eDirectory#DS src=172.30.1.1 spt=19124 duser=CN\=engine,OU\=servers,O\=system cn1Label=Connection ID cn1=940033952 cn2Label=Created(1)/Terminated(0) cn2=1 cs1Label=Client Address cs1=172.30.1.1:19124 cs2Label=Module cs2=LDAP Server cs3Label=Tree Name cs3=IDM48_TREE cs4Label=Correlation ID cs4=eDirectory#4294967295# flexString2Label=SubEvent flexString2=DSE_CONNECTION flexNumber2Label=Grouping flexNumber2=16745 cat=Security reason=0 outcome=Success msg=LDAP Server connection (ConnID: 940033952) from 172.30.1.1:19124 was 1 (1 - created / 0 - terminated) to server CN\=engine,OU\=servers,O\=system : Success

    Also install the latest CEF collector: https://marketplace.microfocus.com/cyberres/content/universal-common-event-format ?

    Norbert
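To make the difference between the two message shapes concrete, here is an added example (written for this page, not code from the thread or from NetIQ/Micro Focus) that parses a CEF-over-syslog line the way a collector has to: it locates the `CEF:` header, flags any text glued directly onto it (the `INFO` in the question's message), splits the seven pipe-separated header fields, parses the `key=value` extension while honouring the `\=` escapes in DN values, and converts `rt` from epoch milliseconds (the CEF convention, and the form of the value `1659965281691` the collector error complains about) into a UTC datetime. The two sample lines are constructed to mirror the shapes shown above; their field values are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed samples (not captured from a real system). GOOD_LINE mirrors the
# shape of the well-formed message in the reply above; BAD_LINE carries the same
# event but with the "INFO" log level glued to the CEF header, as in the failing
# message in the question. Field values are illustrative.
GOOD_LINE = (
    "<14>eDirectory: CEF:0|NetIQ|eDirectory|9.2.6.0000|CEF0B035E|CONNECTION|4|"
    "dvc=172.30.1.24 dvchost=engine.xfdemo.com rt=1659972926106 dtz=UTC "
    "sourceServiceName=CN\\=engine,OU\\=servers,O\\=system src=172.30.1.1 "
    "cn1Label=Connection ID cn1=940033952 cat=Security outcome=Success"
)
BAD_LINE = (
    "Aug 08 15:28:01 eDirectory : INFOCEF:0|NetIQ|eDirectory|9.2.6.0000|CEF0B035E|"
    "CONNECTION|4|dvc=172.30.1.24 rt=1659965281691 dtz=UTC outcome=Success"
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
_UNESCAPE = re.compile(r"\\(.)")
# An extension key starts at the beginning of the extension or after whitespace,
# so an escaped "\=" inside a value (CN\=engine) is not mistaken for a new key.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _unescape(value):
    """Drop CEF backslash escapes: '\\=' -> '=', '\\|' -> '|', '\\\\' -> '\\'."""
    return _UNESCAPE.sub(r"\1", value)


def parse_extension(ext):
    """Split 'k1=v1 k2=v2 with spaces' into a dict; values may contain spaces."""
    matches = list(_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF message.

    Returns a dict with 'issues' (list of strings), 'header', 'ext' and
    'rt_utc' (datetime, if the extension carries an epoch-millisecond rt).
    """
    result = {"issues": [], "header": None, "ext": {}, "rt_utc": None}
    idx = line.find("CEF:")
    if idx < 0:
        result["issues"].append("no CEF header found")
        return result
    prefix = line[:idx]
    # Anything but whitespace immediately before "CEF:" means the syslog
    # layout glued something (e.g. the log level) onto the CEF header.
    if prefix and not prefix[-1].isspace():
        fused = re.search(r"(\S+)$", prefix).group(1)
        result["issues"].append(f"text fused to CEF header: {fused!r}")
    # Split on unescaped pipes; everything after the 7th field is the extension.
    parts = re.split(r"(?<!\\)\|", line[idx + 4:], maxsplit=len(HEADER_FIELDS))
    if len(parts) < len(HEADER_FIELDS) + 1:
        result["issues"].append("CEF header has fewer than 7 pipe-separated fields")
        return result
    result["header"] = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    result["ext"] = parse_extension(parts[7])
    rt = result["ext"].get("rt")
    if rt is not None:
        if rt.isdigit():
            # CEF rt as milliseconds since the Unix epoch, always UTC.
            result["rt_utc"] = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
        else:
            result["issues"].append(f"rt is not epoch milliseconds: {rt!r}")
    return result


if __name__ == "__main__":
    for line in (GOOD_LINE, BAD_LINE):
        r = parse_cef(line)
        print(r["issues"] or "ok", r["header"]["name"], r["rt_utc"])
```

Run against the two constructed lines, the well-formed one parses cleanly with `rt` resolved to 2022-08-08 15:35:26 UTC, while the second still yields a usable header but reports the `INFO` token fused onto `CEF:`; that is the kind of check worth running on a captured sample before blaming the collector's date handling.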

  • Thank you Norbert,

Weird, this is what I have, based on: grep appender.S auditlogconfig.properties|grep -v ^#|sort

    log4j.appender.S.CacheDir=/var/opt/novell/eDirectory/log
    log4j.appender.S.CacheEnabled=yes
    log4j.appender.S.CacheMaxFileSize=500MB
    log4j.appender.S.Facility=USER
    log4j.appender.S.Host=sentinel01.gibolin.tz
    log4j.appender.S.Port=1468
    log4j.appender.S.Protocol=TCP
    log4j.appender.S.Threshold=INFO
    log4j.appender.S.layout.ConversionPattern=%c: %m%n
    log4j.appender.S.layout=org.apache.log4j.PatternLayout
    log4j.appender.S=org.apache.log4j.net.SyslogAppender

I updated the collector to the latest one: Universal Common Event Format 2011.1r6 Beta

Just wondering about the module list in ndsmodules.conf, is this correct?

    #auditds                auto            #eDirectory Instrumentation
    #xdasauditds            auto            #xdasauditds
    cefauditds              auto            #CEFAuditDS

    and getting

    Pascal


  • Verified Answer

BTW, I've now applied the following patches:

    oes2018-SP3-2022-16
    oes2018-SP3-2022-18
    SUSE-SLE-SERVER-12-SP5-2022-2382

with the following option: deinstallation of edirectory-oes-xdas-instrument-9.1.4-7.3.x86_64

and it works better now, keeping just the following module in ndsmodules.conf:

    cefauditds             

The previous behavior remains weird, since "xdasauditds" was not selected.

    Regards,
