naiktej13 Absent Member.

Event data truncated in WINC connector

Hello,

I am trying to parse a Windows Application event log with the WINC connector. My actual event data comes in the %1 field of the JSON message. However, when I try to tokenize the %1 field, the event data gets truncated. Below is my sample parser code.

# JSON parser fragment: trigger on /EventData and take the %1 key as a single String token
trigger.node.location=/EventData
token.count=1
token[0].location=%1
token[0].type=String
token[0].name=%1
# map the whole %1 token into message and rawEvent
event.message=%1
event.rawEvent=%1
event.flexString2=__stringConstant("Processed")

Is there any issue related to size?

How can I get the full event from %1?

Accepted Solutions
stefan.oancea Outstanding Contributor.

Re: Event data truncated in WINC connector

Hello,

I updated my connector to 7.2.2 and used deviceCustomString5 instead of flexString1. Now I am able to get my entire event in deviceCustomString5.

Parser:

event.deviceVendor=__getVendor("Microsoft")
trigger.node.location=/EventData
token.count=1
token[0].location=%1
token[0].type=String
token[0].name=%1
event.deviceCustomString5=%1

Raw Event:

{"System":{"EventId":"403","Version":"","Channel":"Windows PowerShell","ProviderName":"PowerShell","Computer":"ArcSight-Conn.pvslab.local","EventRecordID":"181","Keywords":"Classic","Level":"Information","Opcode":"","Task":"Engine Lifecycle","ProcessID":"","ThreadID":"","TimeCreated":"1464176687000","UserId":""},"EventData":{"%1":"Stopped","%2":"Available","%3":"\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=15\n\n\tHostName=ConsoleHost\n\tHostVersion=4.0\n\tHostId=d5e09679-1782-44b0-bbd8-cb85e949c875\n\tEngineVersion=4.0\n\tRunspaceId=794f9ca9-780b-4f34-86ac-802bbddca24c\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="}}

deviceCustomString5:

Stopped&&%2=Available&&%3=    NewEngineState=Stopped
    PreviousEngineState=Available

    SequenceNumber=15

    HostName=ConsoleHost
    HostVersion=4.0
    HostId=d5e09679-1782-44b0-bbd8-cb85e949c875
    EngineVersion=4.0
    RunspaceId=794f9ca9-780b-4f34-86ac-802bbddca24c
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=

I suggest you try the same, perhaps it will work for you too.

All the best,

Stefan

8 Replies

Micro Focus Expert

How long is the %1 field?

What does the truncation look like?

stefan.oancea Outstanding Contributor.


Dear Tej,

This is the exact same topic which is being discussed here:

It is on the very first page of the forum; it is not best practice to open multiple threads on topics which are already being discussed. Please check the last messages in that topic, they are about the exact same question you are asking.

@Aaron, I don't think this has anything to do with the size of the field; I have explained why in my last message on the topic above.

All the best,

Stefan

naiktej13 Absent Member.


Hello Stefan,

I just went through the link you provided, and it seems like we haven't found any solution for this yet.

naiktej13 Absent Member.


Hello Aaron,

I am adding my sample raw event and the results I get.

Raw Event:

{"System":{"EventId":"36601","Version":"","Channel":"Application","ProviderName":"Centrify AuditTrail V2","Computer":"pankaj-member.centrify.vms","EventRecordID":"169001","Keywords":"Classic","Level":"Information","Opcode":"","Task":"None","ProcessID":"","ThreadID":"","TimeCreated":"1462970225000","UserId":"ABC"},"EventData":{"%1":"Product: ABC\nCategory: PQR\nEvent name: PAM access right added\nMessage: \"xyz\" (running as \"xyz\") created PAM right \"sshd\" in zone \"Zones/Test67\".\n\nMay 11 07:37:05 ### mmc[3004]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Configuration|1.0|601|PAM access right added|5|user=xyz userSid=S-1-5-21-3883016548-1611565816-1967702834-1107 sessionId=2 sampleEventID=12345 pid=3004 user=xyz runas=xyz type=AD status=SUCCESS pam=sshd zone=Zones/Test67 "}}

Result I am getting:

Product: ABC
Category: PQR
Event name: PAM access right added
Message: \"xyz\" (running as \"xyz\") created PAM right \"sshd\" in zone \"Zones/Test67\".

May 11 07:37:05 ### mmc[3004]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Configuration|1.0|601|PAM access right added

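The two events quoted in this thread, run through a small Python parser. This is an added example, not ArcSight or Micro Focus code and not the connector's own parser: it loads the WINC JSON, reproduces the "value&&%2=value&&%3=value" joined form that the accepted solution shows landing in deviceCustomString5 (that join format is inferred from the output posted there, not from any documentation), splits it back into fields, pulls the key=value audit attributes out of the Centrify %1 message posted above, and reports exactly what the truncated result lost. The function names are mine; the sample events are copied from the thread with the System block trimmed, and TRUNCATED_RESULT is the result posted above with the JSON escapes normalized.

```python
"""Round-trip the EventData block of a WINC-style JSON Windows event.

Added example for this thread, not ArcSight/Micro Focus code. The
"value&&%2=value&&%3=value" joined form is inferred from the
deviceCustomString5 output shown in the accepted solution.
"""
import json
import re

# Events copied from the thread; the System block is trimmed to a few keys.
POWERSHELL_EVENT = r'''{"System":{"EventId":"403","Channel":"Windows PowerShell","ProviderName":"PowerShell","Computer":"ArcSight-Conn.pvslab.local"},"EventData":{"%1":"Stopped","%2":"Available","%3":"\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=15\n\n\tHostName=ConsoleHost\n\tHostVersion=4.0\n\tHostId=d5e09679-1782-44b0-bbd8-cb85e949c875\n\tEngineVersion=4.0\n\tRunspaceId=794f9ca9-780b-4f34-86ac-802bbddca24c\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="}}'''

CENTRIFY_EVENT = r'''{"System":{"EventId":"36601","Channel":"Application","ProviderName":"Centrify AuditTrail V2","Computer":"pankaj-member.centrify.vms"},"EventData":{"%1":"Product: ABC\nCategory: PQR\nEvent name: PAM access right added\nMessage: \"xyz\" (running as \"xyz\") created PAM right \"sshd\" in zone \"Zones/Test67\".\n\nMay 11 07:37:05 ### mmc[3004]: INFO AUDIT_TRAIL|Centrify Suite|Centrify Configuration|1.0|601|PAM access right added|5|user=xyz userSid=S-1-5-21-3883016548-1611565816-1967702834-1107 sessionId=2 sampleEventID=12345 pid=3004 user=xyz runas=xyz type=AD status=SUCCESS pam=sshd zone=Zones/Test67 "}}'''

# The %1 value the original poster got back (JSON escapes normalized):
# everything after "|5|" is missing.
TRUNCATED_RESULT = (
    "Product: ABC\nCategory: PQR\nEvent name: PAM access right added\n"
    'Message: "xyz" (running as "xyz") created PAM right "sshd" in zone "Zones/Test67".\n\n'
    "May 11 07:37:05 ### mmc[3004]: INFO AUDIT_TRAIL|Centrify Suite|"
    "Centrify Configuration|1.0|601|PAM access right added"
)


def event_data(raw_event: str) -> dict:
    """Parse one JSON event and return its EventData map, e.g. {"%1": ..., "%2": ...}."""
    return json.loads(raw_event)["EventData"]


def _slot(key: str) -> int:
    """Numeric position of a positional key such as "%3". Assumes the
    positional %n form shown in this thread, not named EventData fields."""
    return int(key.lstrip("%"))


def join_event_data(data: dict) -> str:
    """Reproduce the joined string seen in deviceCustomString5: the %1 value
    first, then "&&%n=value" for every further slot in numeric order."""
    keys = sorted(data, key=_slot)
    return data[keys[0]] + "".join(f"&&{k}={data[k]}" for k in keys[1:])


_SLOT_MARKER = re.compile(r"&&(%\d+)=")


def split_event_data(joined: str) -> dict:
    """Invert join_event_data. Caveat: the markers are not escaped in the
    observed output, so a value that itself contains "&&%<digits>=" would be
    split at the wrong place."""
    parts = _SLOT_MARKER.split(joined)  # ["v1", "%2", "v2", "%3", "v3", ...]
    fields = {"%1": parts[0]}
    for i in range(1, len(parts), 2):
        fields[parts[i]] = parts[i + 1]
    return fields


_KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def centrify_fields(message: str) -> dict:
    """Extract the key=value audit attributes (user, status, pam, zone, ...)
    that Centrify AuditTrail puts after the last "|" of its message. An empty
    dict means the attributes are not there, which is what truncation looks like."""
    tail = message.rsplit("|", 1)[-1]
    return dict(_KEY_VALUE.findall(tail))


def truncation_report(expected: str, got: str) -> dict:
    """Compare the %1 carried by the raw JSON with what the parser produced."""
    prefix = expected.startswith(got)
    return {
        "truncated": prefix and len(got) < len(expected),
        "expected_len": len(expected),
        "got_len": len(got),
        "lost": expected[len(got):] if prefix else None,
    }


if __name__ == "__main__":
    ps = event_data(POWERSHELL_EVENT)
    joined = join_event_data(ps)
    print(joined[:60].replace("\t", "    "))
    assert split_event_data(joined) == ps

    full = event_data(CENTRIFY_EVENT)["%1"]
    print(centrify_fields(full))
    print(centrify_fields(TRUNCATED_RESULT))  # {} : the audit attributes are gone
    report = truncation_report(full, TRUNCATED_RESULT)
    print(report["expected_len"], report["got_len"], repr(report["lost"]))
```

The point of truncation_report is the check to run before blaming field size: take the %1 string straight out of the connector's raw JSON, compare its length with the mapped field, and look at what the cut-off tail contains. In the Centrify event the lost tail is precisely the user, SID, status and zone attributes, so a detection that keys on status=SUCCESS or pam=sshd would silently never fire.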
stefan.oancea Outstanding Contributor.


Tej,

You copy-pasted the code in the previous topic ( ) and asked the same question again, starting a new topic; I know, because that was the code I initially proposed. Furthermore, the previous topic was still active - people have been writing in there just yesterday. A solution has not been found yet, but we were working on it.

To my mind, you should have continued that topic and not started a new one. This is basic forum common sense.

Stefan

naiktej13 Absent Member.


Hello Stefan,

Sorry for the inconvenience, I'll start following the link you provided.

Thanks for your time though.

stefan.oancea Outstanding Contributor.


Thank you, Tej, for agreeing. This is just best practice.

Please feel free to get involved on the other topic, there's already a bunch of us working on this issue.

All the best,

Stefan
