Vice Admiral

Question about testing a flexconnector

So I've created a flexconnector using the regex tool.  I checked to make sure all the events in a sample log file are properly parsed and the properties file is saved in <connector>\current\user\agent\flexagent.

I then configured the connector to send its output to my logger and for the input, read the events from the same sample log file as above.  But when I start the connector, none of the events in the sample log file are sent to the logger.  As a double check, I set the connector to also output to a CEF file, but the only events written to the file are the internal ArcSight events.  I've let the connector run for 10 - 15 minutes, but nothing changes.

When I start the connector at the command line, the output to the screen shows that the connector successfully started to read the sample log file from the directory.  Then it says the file has been opened.  Then it says first event from ArcSight|ArcSight received.  Then it says Eps=0.1, Evts=6, then it has a bunch of the following:  C=0, ET=Up, HT=Down, N=Barnyard, S=3, T=0.0

Does this mean it's not reading the file correctly, or that the events in the file are too old to be read?  (the events are from last week) or is the modified date of the file itself (also last week?) somehow causing the problem?

Or am I WAY off?

The main question is this: How do I get the flexconnector to read the file and send events from the sample log file I have?  Do I have to create another log file?

Thanks

Accepted Solutions
Micro Focus Expert

Have a look in a directory above, in a file called agent.properties,

so

..\current\user\agent\agent.properties

And find the entry

agents[0].startatend=true

and change it to

agents[0].startatend=false

and then restart the connector.


4 Replies
Fleet Admiral

Hi Craig,

Have you tested your parser first?

Is it able to parse using your regex property? Check for the parser processing logs in agent.log.

What is the config set in the agent.properties file to read from your log file? Like processing mode, persist mode or not, what type of Flex reader you are using, and things like that are there bro...

Vice Admiral

Sweet!

Thanks!

And I've confirmed the regex is correct and the parser works!

Next problem will be posted in a new post if I can't find the answer in protect somewhere....

Absent Member.

Hi,

I had this issue before. I was getting only ArcSight related events. There was no relevant information from my log file.

First I set agents[0].startatend=false.

Since mine was a standalone application, I ran it from a command window as "Run as Administrator".

It works. Hope this may help.

Thanks

Jayakrishnan
