Markl Trusted Contributor.

Parsing problem

Hi all,

I'm having problems with a syslog connector.

The source is Arbor Pravail APS 5.5. I've read the SmartConnector config guides and this device isn't in the list (only Arbor PeakFlow Syslog is in the list).

I've configured a new syslog connector and started to send syslog events from Arbor Pravail APS to it. When I look in an active channel or in the Logger, the events from that source appear as "Arbor Peakflow X".

After that, I took a sample of the logs and tried to create a parser in the flex connector wizard tool (Connector Appliance) with Vendor = Arbor and Product = Pravail APS. I applied the flex to the connector and restarted it, and when the connector started to receive events again, there was no change (deviceVendor=Arbor, deviceProduct=Peakflow X).

I don't know why it continues with the same vendor and product and why the parsing is not applied (the events are parsed with the Arbor PeakFlow X parser).

Can anyone help me with the steps that I have to follow?

Thanks in advance

Kind Regards,

Marcos

Be Water My Friend

Accepted Solutions
tammy.torbert@h1 Honored Contributor.

Re: Parsing problem

Two things to try.

1. In agent.properties, there is a line that starts agents[0].customsubagentlist.  This is a list of the syslog subparsers and the order that they are processed.  The first match is used.  Find "peakflowx_syslog" and move this after flexagent_syslog.  (If you don't use peakflowx at all, you can remove it from the list.)

2. After changing your agent.properties, also delete syslog.properties.  This is a list of processors used per device.  This file gets automatically generated.

After making these changes, restart your connector.  If your parser matches the messages, you should see these events tagged as your vendor/product.  If you removed peakflowx, and the vendor/product shows up as unix/unix, then you've hit the default parser and your parser doesn't match the messages as expected. 

Shaun Acclaimed Contributor.

Re: Parsing problem

Does the "PeakFlow X" parser parse the events properly other than you don't like the Vendor/Product?

If so, a parser override or even a simple map file could change Vendor/Product to your liking.

Markl Trusted Contributor.

Re: Parsing problem

Hi torber,

I've followed the steps:

- Removed peakflowx_syslog from the list of subparsers

- I put "arbor_pravail" (my flex) as the first subparser in the list

- I've deleted the content of syslog.properties (I can't delete the file in the ConnApp)

I've restarted the connector, but it continues with Peakflow X

Kind Regards,

Marcos

Be Water My Friend
Markl Trusted Contributor.

Re: Parsing problem

Hi Shaun,

The PeakFlow X parser doesn't parse the events for Arbor Pravail APS correctly. This parser is not valid for this device.

Kind Regards,

Marcos

Be Water My Friend
Shaun Acclaimed Contributor.

Re: Parsing problem

Use "flexagent_syslog" as your customsubagentlist.  It will scan the flexagent directory for any parsers.

Knowledge Partner

Re: Parsing problem

You are missing one important setting in your agent.properties if you want to use customsubagentlist.

agents[0].usecustomsubagentlist=true

P.S. Don't forget to mark a good answer as Correct or Useful.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
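
The two agent.properties changes suggested in this thread (moving peakflowx_syslog behind flexagent_syslog, and setting usecustomsubagentlist=true), shown as an added example that is not part of any poster's reply or of the product's own tooling. The sample file content is constructed, the "|" separator is an assumption, and example_a_syslog and generic_syslog are placeholder sub-parser names.

```python
# Constructed sample of agent.properties (not from the thread). Assumptions: the
# list is pipe-separated; example_a_syslog and generic_syslog are placeholder names.
SAMPLE = """\
agents[0].type=syslog
agents[0].customsubagentlist=peakflowx_syslog|example_a_syslog|flexagent_syslog|generic_syslog
agents[0].usecustomsubagentlist=false
"""

LIST_KEY = "agents[0].customsubagentlist"
FLAG_KEY = "agents[0].usecustomsubagentlist"


def reorder(subagents, move="peakflowx_syslog", after="flexagent_syslog"):
    """Return a copy of the list with `move` placed directly behind `after`."""
    if after not in subagents:
        raise ValueError(f"{after} is not in the sub-parser list")
    rest = [s for s in subagents if s != move]
    if move in subagents:
        rest.insert(rest.index(after) + 1, move)
    return rest


def patch_agent_properties(text, sep="|"):
    """Reorder the sub-parser list and force usecustomsubagentlist=true."""
    out, saw_list, saw_flag = [], False, False
    for line in text.splitlines():
        key, eq, value = line.partition("=")
        if eq and key.strip() == LIST_KEY:
            names = [s for s in value.strip().split(sep) if s]
            line, saw_list = f"{LIST_KEY}={sep.join(reorder(names))}", True
        elif eq and key.strip() == FLAG_KEY:
            line, saw_flag = f"{FLAG_KEY}=true", True
        out.append(line)
    if not saw_list:
        raise ValueError(f"{LIST_KEY} not found")
    if not saw_flag:  # the setting the thread points out is easy to miss
        out.append(f"{FLAG_KEY}=true")
    return "\n".join(out) + "\n"


def first_match(subagents, matching):
    """Model 'the first match is used': `matching` = parsers whose regex fits."""
    return next((s for s in subagents if s in matching), None)


if __name__ == "__main__":
    print(patch_agent_properties(SAMPLE))
```

Run it against a copy of the connector's agent.properties; clearing syslog.properties and restarting the connector, as the accepted answer describes, remain manual steps.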
Markl Trusted Contributor.

Re: Parsing problem

Ok, I will try it.

Kind Regards,

Marcos

Be Water My Friend
Markl Trusted Contributor.

Re: Parsing problem

Ah, ok. Thanks

Kind Regards,

Marcos

Be Water My Friend
Markl Trusted Contributor.

Re: Parsing problem

Now the events are "unix" "unix".

I'm going to review my parser.

Thanks for your answers.

Kind Regards,

Marcos

Be Water My Friend
sem-eng Valued Contributor.

Re: Parsing problem

Hello Marcos,

I have to develop a FlexConn for Arbor Pravail APS v6.5.

Could I reuse yours? Could you send me your parser?

Thanks in advance,

Best regards,

Nicolas GOUPIL

+33.2.23.28.37.18

Markl Trusted Contributor.

Re: Parsing problem

Hi Sem,

First, sorry for the delay in answering you. In the end, I couldn't get the right parser; I only get "Arbor Peakflow X" or "Unix Unix".

Because of workload I couldn't continue with the parser. I want to continue with it in the coming months.

If you get something, and if you would like to share it, I would appreciate it.

Kind Regards,

Marcos

Be Water My Friend
pbrettle Acclaimed Contributor.

Re: Parsing problem

Although not really directly linked to your issue at hand, Shane Lilley produced a great video that walks through the full process of creating a FlexConnector and what goes where - Creating Flex Connectors to use within the Syslog Smart Connector Framework for HP ArcSight - YouTube

It might be worth running through the video and watching for the points to consider, the Regex utility and what to do. From the sounds of the matching "unix / unix" messages, something isn't parsing correctly, so it might be worth re-checking that and making sure it's working.

marcosl New Member.

Re: Parsing problem

Hi Paul,

Sorry for the delay in answering, but I couldn't continue with the flex for Arbor and I forgot to answer you. The video is very useful.

Kind Regards,

Marcos

aquillius.t@net Super Contributor.

Re: Parsing problem

Hi,

I'm having the same issue right now. Can you share how you resolved the parsing error?

Thanks,

Aqui
