reswob4 Honored Contributor.

_SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

So I've created another flexagent via the regex tool and I've told it to treat as a syslog subagent (under Options).

The full line for each log looks like:

Aug 17 00:00:00 <hostname> DATA DATA DATA DATA

As you know, with this setting when creating the regex, the tool ignores the

Aug 17 00:00:00 <hostname>

part of the log line and requests that you create regex for the DATA DATA DATA DATA part of each log.

I have valid regex settings for the remainder of the entry but I wanted to collect the <hostname> and timestamp from the syslog header.  According to the FlexConn_DevGuide, it said I should use the _SYSLOG_SENDER and _SYSLOG_TIMESTAMP variables.  So in the properties file I have:

event.deviceHostName=_SYSLOG_SENDER

event.deviceReceiptTime=_SYSLOG_TIMESTAMP

but when scrolling through the test events, no values are shown.  I also tried

event.deviceReceiptTime=__useCurrentYear(_SYSLOG_TIMESTAMP)

Then it seemed that there was only a single _ in each variable, so I changed everything to double __, but that didn't seem to fix the problem.

Suggestions?

Thanks.

Accepted Solutions
reswob4 Honored Contributor.

Re: _SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

OK, here is the final solution:

First, I had to save the file as a subagent "syslog-newparser.subagent.sdkrfilereader.properties"

Then I had to place that file in the correct directory <arcsight>/user/agent/flexagent/syslog/

Then I restarted the connector and voila! parser works like a boss. (isn't that what all the kids are saying these days?)

Thanks to everyone for helping me and giving tips and for and his flexconnector expertise.

Oh, and the _SYSLOG_SENDER and _SYSLOG_TIMESTAMP variables worked just fine once they were in the connector.

reswob4 Honored Contributor.

Re: _SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

Some clarification:

I originally created this flexconnector to work with just a text file.  However, that text file was generated from syslog entries.  So now I need to modify that flexconnector to work with a syslog daemon receiving connector.  I'm trying to test my modifications...

Thanks.

Micro Focus Expert

Re: _SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

The _SYSLOG_SENDER you are trying should work.

What does the agent.log show as WARNING or FATAL or ERROR?


reswob4 Honored Contributor.

Re: _SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

Hmm

for double underscore __SYSLOG__SENDER and __SYSLOG__TIMESTAMP I get fatal errors "Could not load operation" and "Could not parse operation"

for single underscore _SYSLOG_SENDER and __useCurrentYear(_SYSLOG_TIMESTAMP) I get fatal error (for timestamp only) "unable to create timestamp with local value as [null]"

for single underscore _SYSLOG_SENDER and _SYSLOG_TIMESTAMP, I get WARN No ID and no connectors configured.

I don't get any values when I use any of the above.

Micro Focus Expert

Re: _SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

Use a single underscore - these are values, not operations. Operations would use double underscore.

For _SYSLOG_SENDER, from the FlexConnector Developers Guide: Host name or IP address of the sender received in the header of the syslog message

I can envision where you are trying to map to a hostname (String) and the value is an IP Address. Try mapping

event.deviceAddress=_SYSLOG_SENDER

For _SYSLOG_TIMESTAMP, the guide says this is a time stamp received in the header of the message. Try mapping

event.deviceReceiptTime=_SYSLOG_TIMESTAMP

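Putting the expert's point (single underscore for built-in values, double underscore for operations) together with the file name and directory from the accepted solution, this is what a complete syslog subagent parser file could look like. It is an added illustration written for this thread, not a file posted by anyone here or shipped by Micro Focus; the key syntax follows the FlexConnector regex parser format described in the Developer's Guide the thread cites, while the message body regex, its token names and the vendor/product strings are constructed placeholders for the "DATA DATA DATA DATA" part and must be replaced with the real layout.

```properties
# Added example (not from the thread). Assumed location, per the accepted solution:
#   <arcsight>/user/agent/flexagent/syslog/syslog-newparser.subagent.sdkrfilereader.properties
#
# When the file is loaded as a syslog subagent, the connector strips the
# "Aug 17 00:00:00 <hostname> " header before this regex runs, so the regex
# only has to match the remainder of the line. The body below is a constructed
# placeholder format:  proc[pid]: user=<u> action=<a> src=<ip>

regex=(\\S+)\\[(\\d+)\\]: user=(\\S+) action=(\\S+) src=(\\d+\\.\\d+\\.\\d+\\.\\d+)

token.count=5
token[0].name=process
token[0].type=String
token[1].name=pid
token[1].type=Integer
token[2].name=user
token[2].type=String
token[3].name=action
token[3].type=String
token[4].name=srcip
token[4].type=IPAddress

# Single underscore: built-in VALUES taken from the syslog header.
# _SYSLOG_SENDER is the host name or IP address from the header, so map it to
# deviceHostName when the header carries a name, or deviceAddress when it
# carries an IP (the expert's suggestion above).
event.deviceHostName=_SYSLOG_SENDER
# The BSD-style header timestamp has no year field; the original poster reported
# that this plain mapping worked once the file was loaded as a subagent.
event.deviceReceiptTime=_SYSLOG_TIMESTAMP

# Double underscore: OPERATIONS applied to tokens or values.
event.deviceVendor=__stringConstant("ExampleVendor")
event.deviceProduct=__stringConstant("ExampleProduct")
event.message=__concatenate(action," by ",user)

# Plain token-to-field mappings (no underscore at all).
event.deviceProcessName=process
event.sourceUserName=user
event.deviceAction=action
event.sourceAddress=srcip
```

Two things worth checking when a file like this yields empty fields: the `_SYSLOG_*` values are only populated when the parser runs underneath a syslog connector as a subagent, which is consistent with the "[null]" timestamp error seen in the thread while the file was being tested as a stand-alone file reader; and a double-underscore spelling such as `__SYSLOG__SENDER` is looked up as an operation name rather than a value, which matches the "Could not load operation" error reported above. After moving or renaming the file, restarting the connector and re-reading agent.log for WARNING/FATAL/ERROR lines, as the expert suggested, is the quickest way to confirm the subagent was actually picked up.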
reswob4 Honored Contributor.

Re: _SYSLOG_SENDER and _SYSLOG_TIMESTAMP not working?

Aaron, I was looking at the exact entries, and each entry has the hostname not the IP.

So I was originally trying to map the following (and indeed my current config matches the following as well)

event.deviceHostName=_SYSLOG_SENDER

event.deviceReceiptTime=_SYSLOG_TIMESTAMP

and that's when I'm getting the WARN message "No ID and no connectors configured."
