• State Not Answered
  • Replies replies
    4
  • Subscribers subscribers
    0
  • Views views
    797
  • Users 0 members are here
Related
Options

custom.js in 8.2

alekz
 
Hello,

Recently after upgrading to 8.2 and the NetIQ Universal Collector to
2011.r6 I'm having some trouble with my custom.js code that's been
working for the last 4 years.

I'm capturing events from Linux boxes using the Syslog connector
2018.1r2 both using TCP and UDP.

In the debugger I set a breakpoint at the if in my function:

Record.prototype["parse-kernel"] = function(message, e) {
if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
//do some stuff here
}

The trouble is that the e.ReporterIP doesn't exist any more.

I'm not sure how to proceed.
If I look at the "e" object on the "Locals" tab in the debugger there
are not many properties set except a bunch of functions and stuff like
ObserverType, ObserverCategory etc.

It looks like the event isn't preprocessed before being sent to custom.js


--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
  • 0  
    On 2018-11-18 22:37, alekz wrote:
    > In the debugger I set a breakpoint at the if in my function:
    >
    > Record.prototype["parse-kernel"] = function(message, e) {
    >     if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
    >     //do some stuff here
    >      }
    >
    > The trouble is that the e.ReporterIP doesn't exist any more.


    The *connector* should put the information into this.s_SyslogRelayIp

    This field contains the IP address of the device (or client computer)
    that this message came from. Note that it may or may not be the same as
    the host name found in the message header.

    --
    Norbert

    Norbert

  • 0   in reply to klasen
    On 2018-11-19 11:27, Norbert Klasen wrote:
    > On 2018-11-18 22:37, alekz wrote:
    >> In the debugger I set a breakpoint at the if in my function:
    >>
    >> Record.prototype["parse-kernel"] = function(message, e) {
    >>      if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
    >>      //do some stuff here
    >>       }
    >>
    >> The trouble is that the e.ReporterIP doesn't exist any more.
    >
    >
    > The *connector* should put the information into this.s_SyslogRelayIp
    >
    > This field contains the IP address of the device (or client computer)
    > that this message came from. Note that it may or may not be the same as
    > the host name found in the message header.
    >
    Hi Norbert,

    I can confirm that I can see this.s_SyslogRelayIp.
    But when is it mapped to e.ReporterIP? Is that done by the Collector or
    Connector?

    Thanks.

    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.
  • 0   in reply to alekz
    On 2018-11-19 12:53, alekz wrote:
    > I can confirm that I can see this.s_SyslogRelayIp.
    > But when is it mapped to e.ReporterIP? Is that done by the Collector or
    > Connector?

    The connector only provides the Record (this) object. The collector's
    job is to create and populate an Event (e) object.


    --
    Norbert

    Norbert

  • 0   in reply to alekz
    alekz;2491098 wrote:
    On 2018-11-19 11:27, Norbert Klasen wrote:
    > On 2018-11-18 22:37, alekz wrote:
    >> In the debugger I set a breakpoint at the if in my function:
    >>
    >> Record.prototype["parse-kernel"] = function(message, e) {
    >> **** if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
    >> *****//do some stuff here
    >> ***** }
    >>
    >> The trouble is that the e.ReporterIP doesn't exist any more.
    >
    >
    > The *connector* should put the information into this.s_SyslogRelayIp
    >
    > This field contains the IP address of the device (or client computer)
    > that this message came from. Note that it may or may not be the same as
    > the host name found in the message header.
    >
    Hi Norbert,

    I can confirm that I can see this.s_SyslogRelayIp.
    But when is it mapped to e.ReporterIP? Is that done by the Collector or
    Connector?

    Thanks.

    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.


    A lot of collectors have boilerplate code in preParse() that sets these values directly on e. I personally prefer this practice, but as a general rule you cannot blindly count on e being populated until the event is actually being sent. So (unfortunately) for each collector you have to know whether e is being updated directly by the collector, of whether it relies entirely on rec2evt.map, and make your customization choices accordingly.

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.