
RegEx FlexConnector Not Parsing. I think I have everything right?

Below I have posted a small set of sample logs, the code for my flexagent parser, and the entry I have in the agents.properties file for a custom syslog parser. Is there anything that stands out as to why the data is not being parsed? If I look in the agents.log file, I see the following error:

Agent.log Error

[WARN ][default.com.arcsight.agent.parsers.operation.regexTokenOperation][getResult] No match between string [at org.ldaptive.jaas.LdapLoginModule.login] and regex [(\S+) \S+ (?:login|sshd|httpd)]

Sample Logs:

Jan 22 10:00:00 site1.net.com 	at org.ldaptive.jaas.LdapLoginModule.login(LdapLoginModule.java:160)
Jan 22 10:00:00 site3.net.com 	at org.ldaptive.jaas.AbstractLoginModule.login(AbstractLoginModule.java:188)
Jan 22 10:00:00 site4.net.com 	at sun.reflect.GeneratedMethodAccessor397.invoke(Unknown Source)
Jan 22 10:00:00 site4.net.com 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
Jan 22 10:00:00 site2.net.com 	at java.lang.reflect.Method.invoke(Unknown Source)
Jan 22 10:00:00 site2.net.com 	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
Jan 22 10:00:00 site1.net.com 	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
Jan 22 10:00:00 site1.net.com 	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
Jan 22 10:00:00 site1.net.com 	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
Jan 22 10:00:00 site1.net.com 	at java.security.AccessController.doPrivileged(Native Method)
Jan 22 10:00:00 site1.net.com 	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
Jan 22 10:00:00 site1.net.com 	at javax.security.auth.login.LoginContext.login(Unknown Source)

FlexAgent Parser: customdataparser.sdkrfilereader.properties

# FlexAgent Regex Configuration File
do.unparsed.events=true

# Each host in the samples is followed by a space and a tab before "at" (two characters),
# so every alternative needs two dots; literal dots in the hostnames are escaped.
regex=(\\S+\\s+\\d+ \\d\\d\:\\d\\d\:\\d\\d) (site1\\.net\\.com..at|site2\\.net\\.com..at|site3\\.net\\.com..at|site4\\.net\\.com..at) (.*)

token.count=3

token[0].name=Uuid
token[0].type=String

token[1].name=Message
token[1].type=String

token[2].name=Code
token[2].type=String


event.deviceVendor=__stringConstant("Custom")
event.deviceProduct=__stringConstant("Custom Data")

agents.properties Entry:

#ArcSight Properties File
#Format Preserving Encryption Enabled Flag should NOT be manually edited! 
#Tue Feb 05 10:46:06 EST 2019
agents.maxAgents=1
agents[0].AgentSequenceNumber=0
agents[0].aggregationcachesize=1000
agents[0].customsubagentlist=customdataparser_syslog|
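As an added, runnable check (not code from the post or from ArcSight): a small Python harness that compiles a regex= value the way the connector will see it after java.util.Properties strips one level of backslashes, then runs it against copies of the posted sample lines and against the header-free string quoted in the WARN line. It makes two separate problems visible. A copy of the posted regex in which the site2 alternative carries a single dot cannot match the space-plus-tab separator in the samples, and none of the alternatives can match a message that arrives without its syslog header, which is what a syslog subparser is handed once the syslog connector has consumed the timestamp and hostname. BODY_REGEX, the Frame/Location token names and whole-line matching are assumptions of this example, not anything taken from the post.

```python
import re

# Regex value in the form of the original post's customdataparser.sdkrfilereader.properties,
# with the site2 alternative carrying a single dot where the others carry two.
# Properties files are read by java.util.Properties, which eats one level of
# backslashes, so "\\S" on disk becomes "\S" by the time the connector compiles it.
POSTED_REGEX = (
    r"(\\S+\\s+\\d+ \\d\\d\:\\d\\d\:\\d\\d) "
    r"(site1.net.com..at|site2.net.com.at|site3.net.com..at|site4.net.com..at) (.*)"
)
POSTED_TOKENS = ["Uuid", "Message", "Code"]  # token[0..2].name from the post

# Assumed regex for a registered syslog subparser: the syslog header (timestamp,
# hostname) is already consumed by the syslog connector, so only the stack-frame
# text "at <frame>(<location>)" is left to match. Token names are assumptions too.
BODY_REGEX = r"at\\s+([^(\\s]+)(?:\\((.*)\\))?"
BODY_TOKENS = ["Frame", "Location"]

# Constructed copies of the posted sample lines: host, then a space and a tab, then "at".
SAMPLE_LINES = [
    "Jan 22 10:00:00 site1.net.com \tat org.ldaptive.jaas.LdapLoginModule.login(LdapLoginModule.java:160)",
    "Jan 22 10:00:00 site2.net.com \tat java.lang.reflect.Method.invoke(Unknown Source)",
]
# What the WARN line in agent.log says the parser was actually handed: no header at all.
WARN_STRING = "at org.ldaptive.jaas.LdapLoginModule.login"


def unescape_properties_value(value):
    """Undo java.util.Properties escaping: "\\\\" -> "\\", "\\:" -> ":", "\\t" -> tab, etc."""
    control = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            # any other escaped character simply stands for itself
            out.append(control.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def compile_flex_regex(properties_value):
    """Compile a regex= value as the connector sees it after Properties unescaping."""
    return re.compile(unescape_properties_value(properties_value))


def parse_line(properties_value, token_names, line):
    """Token dict if the whole line matches, else None (whole-line match is an assumption)."""
    m = compile_flex_regex(properties_value).fullmatch(line)
    return None if m is None else dict(zip(token_names, m.groups()))


def diagnose(properties_value, token_names, lines):
    """Map each input line to its tokens or to None, so silent no-matches become visible."""
    return {line: parse_line(properties_value, token_names, line) for line in lines}


if __name__ == "__main__":
    for line, tokens in diagnose(POSTED_REGEX, POSTED_TOKENS, SAMPLE_LINES + [WARN_STRING]).items():
        print("MATCH   " if tokens else "NO MATCH", repr(line), tokens or "")
    # the same header-free string parses once the regex stops expecting a header
    print(parse_line(BODY_REGEX, BODY_TOKENS, WARN_STRING))
```

Running it prints MATCH for the site1 line, NO MATCH for the site2 line (single-dot alternative) and NO MATCH for the WARN string under the posted regex, and a Frame/Location dict for the WARN string under BODY_REGEX. Pasting a regex= value into a harness like this before restarting the connector is far quicker than reading agent.log after each change.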

Hi Biancom. Thank you for the reply. I ended up finding some information in this post that fixed my issue:

https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Syslog-FlexConnector-Process/td-p/1552305#

I forgot to check, under Options, "Treat as Syslog Subparser."
