MaryCordova Frequent Contributor.

Syslog FlexConnector Subagent works with Regex Helper but not on Connector

Hi All,

I used the regex helper tool and wrote a syslog subagent.  Everything in my log file is parsing in the regex helper tool.  When I stick the file in ../current/user/agent/flexagent/syslog the connector picks up the parser but none of my regex matches and everything gets sent to the default subagent as an "Unparsed Event".

Any ideas???

(BTW...be nice, this is my first time.)

And, FYI, this is mostly an exercise in flex connector insanity, I am aware that there are other InfoBlox properties files already here on Protect.  I'm really looking to learn how to do this myself for any given situation not specifically for an InfoBlox configuration.  Originally we thought we wanted to custom parse InfoBlox but then we decided that InfoBlox is just regular BIND and to treat it as such which eliminates the need for custom parsing.  Additionally...I have a printed, highlighted, dog-eared copy of the developer's guide...please don't tell me to read it...unless of course there is a specific section that it is clear I haven't read or I wouldn't be asking this question.


Accepted Solutions
Shaun Acclaimed Contributor.

Wonder if it's something around the newline (\n) character at the end of your logs.

Maybe modify the parser so that after your last matching group you just use .* rather than \\\\n and see if it makes any difference.

MaryCordova Frequent Contributor.

sanitized screenshot...sanitized logs also uploaded...

Knowledge Partner

Hi Mary,

I found two things which helped me:

YouTube channel of the below guy - very nice!

Shane Lilley - YouTube

and a nice Online regex tester and debugger: JavaScript, Python, PHP, and PCRE

Hope this helps for your self study.

A.

Shaun Acclaimed Contributor.

Have you modified the customsubagentlist in agent.properties?

Which parser is matching in %AGENT%/current/user/agent/syslog.properties?

Have you deleted the syslog.properties in %AGENT%/current/user/agent so that it will attempt to match against all parsers again?

MaryCordova Frequent Contributor.

Sorry, I should have pre-empted those questions by providing the agent.prop and noting that I had in fact verified that my parser was being picked up in the syslog.prop file ... so yes, yes, and yes.

The problem is that my file is getting picked up, but only the last default submessage is matching when deployed to the connector even though in the helper tool all submessages are matching correctly.  For some reason reality (connector) and fantasy (regex tool) don't interpret the same file in the same way. 

Shaun Acclaimed Contributor.

Wonder if it's something around the newline (\n) character at the end of your logs.

Maybe modify the parser so that after your last matching group you just use .* rather than \\\\n and see if it makes any difference.

MaryCordova Frequent Contributor.

I'll test that ... my other suspicion was in regard to the UI for the tool necessitating a single escape character for regex matches but the file generated actually has two "\" so maybe when I copy the file to the connector I need to either remove one \ or add a third...

So, 2 things for me to test...I won't have time to do this until Friday but I'll be sure to post the results!

Knowledge Partner

Mary, I have not seen many syslog devices sending a "\n" at the end of a message, so I would remove all the "\\\\n".

cheers

A:

MaryCordova Frequent Contributor.

THANK YOU TO and who both gave me the right answer (alas I could only mark one of them as correct).

No idea why I'm getting new line characters in logs but replacing the regex with .* has resolved the issue.

Woooooooooo!  (take that FlexConnector <insert smack down emoticon here>)
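An added example, not code from any poster in this thread or from ArcSight: it takes a regex as it would be written in the parser file, undoes the backslash escaping, and reports which message framings (no terminator, LF, CRLF) each of the three tails discussed above matches. It assumes the parser file uses Java `.properties` style escaping and that the connector requires the regex to match the whole message (Python's `fullmatch`, comparable to Java's `Matcher.matches()`); the sample message, the regex body and all function names are constructed for illustration.

```python
import re

SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "f": "\f"}

def unescape_properties(value):
    """Undo .properties backslash escaping (subset; \\uXXXX is not handled)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append(SIMPLE.get(nxt, nxt))  # "\\" -> "\", "\n" -> newline
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def probe(file_value, message):
    """Report which framings of `message` the regex matches in full."""
    pattern = re.compile(unescape_properties(file_value))
    framings = {"bare": message, "lf": message + "\n", "crlf": message + "\r\n"}
    return {name: pattern.fullmatch(text) is not None
            for name, text in framings.items()}

# Constructed sample (not from the thread): a BIND-style query line and a
# hypothetical parser regex, written the way it would appear in the file.
MESSAGE = "client 192.0.2.10#53124: query: www.example.com IN A +"
BODY = r"client (\\S+)#(\\d+): query: (\\S+) IN (\\S+) \\+"
TAILS = {
    "newline": r"\\n",        # file text \\n  -> regex \n  (a real newline)
    "as_posted": r"\\\\n",    # file text \\\\n -> regex \\n (backslash + 'n')
    "dot_star": ".*",         # the replacement suggested in the thread
}

def run():
    return {name: probe(BODY + tail, MESSAGE) for name, tail in TAILS.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:10} {result}")
```

Running the same probe against raw messages captured from the device shows, before deployment, whether a parser will fall through to "Unparsed Event" because of how the line is terminated.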

MaryCordova Frequent Contributor.

Also...a suggestion I received was: RegexBuddy: Learn, Create, Understand, Test, Use and Save Regular Expression "don't forget to set the regex engine to Java 7 in the "Other engines" section"

chiraggajjar1 Trusted Contributor.

Hey, I am not finding the regex tool in the path below.

I installed the syslog daemon connector and I want to create a regex (arcsight regex), but the tool is not there in the path below:

cd /opt/ArcSightSmartConnector/Syslog/current/bin/

Please help: where is it actually placed in the connector?

seniorj@bennett Absent Member.

You want to run "/opt/ArcSightSmartConnector/Syslog/current/bin/arcsight regex"
