pratikp Absent Member.

TimeBased DB Flex Connector Error


Dear All,

I am installing a Time Based DB FlexConnector. While connecting to the database, I am getting the error below.

I am using DBA admin user credentials for the connection to the database. Agent version is 7.0.2.7019.0.

Below is the properties file I am using:

 

    version.order=1
    version.query= SELECT VERSION from V$Instance

    query = \
            Select session_id,login_log_time,term_id,user_id,user_work_class,sol_id,rmks,login_log_type,login_status,device_id \
            FROM from lgt \

    timestamp.field=login_log_time
    uniqueid.fields=session_id

    additionaldata.enabled=true

    token.count=10

    token[0].name=session_id
    token[0].type=String

    token[1].name=login_log_time
    token[1].type=TimeStamp
    token[1].format=dd-MM-yyyy HH:mm:ss

    token[2].name=term_id
    token[2].type=String

    token[3].name=user_id
    token[3].type=String

    token[4].name=user_work_class
    token[4].type=String

    token[5].name=sol_id
    token[5].type=String

    token[6].name=rmks
    token[6].type=String

    token[7].name=login_log_type
    token[7].type=String

    token[8].name=login_status
    token[8].type=String

    token[9].name=device_id
    token[9].type=IPAddress

    # ArcSight Field Mapping

    event.deviceVendor=__getVendor("Oracle")
    event.deviceProduct=__stringConstant("Finacle_Core_Flex")
    event.deviceVersion=__stringConstant("11.2.0.4")

    event.endTime=login_log_time
    event.sourceUserID=user_id
    event.sessionID=session_id
    event.sourceUserPrivileges=user_work_class
    event.sourceZoneName=sol_id
    event.flexString1=rmks
    event.flexString1Label=__stringConstant("REMARKS”)
    event.message=login_status
    event.type=login_log_type
    event.sourceAddress=device_id

    event.deviceHostName=_DB_HOST
    event.destinationServiceName=_DB_NAME
    event.destinationPort=_DB_PORT

Has anyone faced an issue like this?

Requesting your valuable inputs in resolving the issue.

Thanks & Regards,

Pratik

Accepted Solutions
pratikp Absent Member.

Dear Michael,

Thanks for assistance.

All issues have been sorted out. I declared SESSION_ID as string and mapped it to deviceEventClassId. Same for User ID.

Thank you all.

Regards,

Pratik

19 Replies
mhutchison Absent Member.

Can you provide a screenshot of the parameters?
Database JDBC Driver

Database URL

They should look like this:

Database JDBC Driver: com.microsoft.sqlserver.jdbc.SQLServerDriver

Database URL: jdbc:sqlserver://FQDNOFSERVER:1433

pratikp Absent Member.

Dear Martin,

Thank you for the quick response.

Please find the snapshot below.

Regards,

Pratik

mhutchison Absent Member.

Are you able to execute that query on the database?

Also Time Based Connectors do require a WHERE statement.

mschleich Acclaimed Contributor.

Hi Pratik,

You have to add version.id and modify version.query, or remove version.query completely.

version.id=1

version.query=SELECT session_id from V$Instance

Thanks

Regards

Michael

pratikp Absent Member.

Dear Michael,

I have made the suggested changes by adding version.id=1 only.

Still no success.

Regards,

Pratik

mschleich Acclaimed Contributor.

Hi Pratik,

Sorry, I made a mistake: just version.order=1

No version.id and no version.query

Is it working now?

Thanks

Regards

Michael

pratikp Absent Member.

Dear Michael,

Still same error

Thanks & Regards,

Pratik

pratikp Absent Member.

Dear Martin/Michael,

Fortunately, I am not receiving the database version error and I am able to pull logs in ArcSight.

I am facing issues with parsing. No events are getting parsed.

Please assist in the same.

Below is my configuration file

 

    version.order=1
    version.id=11g

    query = \
            SELECT SESSION_ID,LOGIN_LOG_TIME,TERM_ID,USER_ID, USER_WORK_CLASS,SOL_ID,RMKS,LOGIN_LOG_TYPE,LOGIN_STATUS,DEVICE_ID \
            FROM lgt \
            WHERE LOGIN_LOG_TIME >= ? \
            ORDER BY LOGIN_LOG_TIME

    timestamp.field=LOGIN_LOG_TIME
    uniqueid.fields=XREFID

    additionaldata.enabled=true

    token.count=10

    token[0].name=SESSION_ID
    token[0].type=String

    token[1].name=LOGIN_LOG_TIME
    token[1].type=TimeStamp
    token[1].format=dd-MM-yyyy HH:mm:ss

    token[2].name=TERM_ID
    token[2].type=String

    token[3].name=USER_ID
    token[3].type=String

    token[4].name=USER_WORK_CLASS
    token[4].type=String

    token[5].name=SOL_ID
    token[5].type=String

    token[6].name=RMKS
    token[6].type=String

    token[7].name=LOGIN_LOG_TYPE
    token[7].type=String

    token[8].name=LOGIN_STATUS
    token[8].type=String

    token[9].name=DEVICE_ID
    token[9].type=IPAddress

    # ArcSight Field Mapping

    event.deviceVendor=__getVendor("Oracle")
    event.deviceProduct=__stringConstant("Finacle_Core_Flex")
    event.deviceVersion=__stringConstant("11.2.0.4")

    event.endTime=LOGIN_LOG_TIME
    event.sourceUserID=USER_ID
    event.sessionID=SESSION_ID
    event.sourceUserPrivileges=USER_WORK_CLASS
    event.sourceZoneName=SOL_ID
    event.flexString1=RMKS
    event.flexString1Label=__stringConstant("REMARKS”)
    event.message=LOGIN_STATUS
    event.type=LOGIN_LOG_TYPE
    event.sourceAddress=DEVICE_ID

    event.deviceHostName=_DB_HOST
    event.destinationServiceName=_DB_NAME
    event.destinationPort=_DB_PORT

     

  Regards,

Pratik

mhutchison Absent Member.

(Only brainstorming, I do not know exactly what is wrong)

I noticed in your query, you put (event) before the ArcSight fields. What I use is (events) when referencing ArcSight fields.

pratikp Absent Member.

Dear Martin,

Are you referring to all mapping fields which start with event.*?

If yes, then that is the standard way of mapping ArcSight fields. Correct me if my understanding is correct.

Regards,

Pratik

mschleich Acclaimed Contributor.

Hi Pratik,

Great news that the error is solved.

Normally, in DB Flex you do not need to use tokens.

You should assign the column headers directly to ArcSight fields.

In agent.properties there is a config folder variable. Did you save the flex file into that folder name?

What do you see in the raw ArcSight field?

Thanks

Regards

Michael

mhutchison Absent Member.

Yes, that is what I am referencing.

I was mixing up Logger queries and the flex connectors. Ignore.

pratikp Absent Member.

Hi Michael,

Yes I saved flex file in config folder. I am just getting confused about folder name and flex file name.

I have used folder name as lgt and file name as lgt.sdktbdatabase.properties.

Is this right?

I am getting all columns extracted with value assigned to individual field.

Regards,

Pratik

mschleich Acclaimed Contributor.

Hi Pratik,

I have to check to be sure, but the folder name should match what is in agent.properties as vendor or product_name; then for the file, it seems to be correct: database.sdktbdatabase.properties. I will contact you later if it is wrong.

However, I have found 2 other mistakes in your flex parser, if you have not already made the correction.

event.sourceUserId (with lower d)

and sessionID is NOT a field you can use in your flex.

Could you please run a test with this last line commented out, or by changing the ArcSight field used?

Could you please tell me if it works now?

Thanks

Regards

Michael
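
A way to catch several of the inconsistencies visible in the two posted files before loading them into the connector, as an added example that is not part of any post and is not ArcSight tooling. The checks (WHERE with a `?` placeholder, repeated words in the query, key and mapping columns present in the SELECT list, typographic quotes) are assumptions drawn from reading this thread, and `SAMPLE` is constructed.

```python
import re

def parse_props(text):
    """Parse key=value lines, joining backslash continuations, skipping comments."""
    props, buf = {}, ""
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        key, _, val = (buf + line).partition("=")
        props[key.strip()], buf = val.strip(), ""
    return props

def lint(text):
    """Return a list of consistency problems found in the properties text."""
    p, issues = parse_props(text), []
    query = p.get("query", "")
    m = re.search(r"select\s+(.*?)\s+from\b", query, re.I | re.S)
    cols = {c.strip().upper() for c in m.group(1).split(",")} if m else set()
    if not re.search(r"\bwhere\b.*\?", query, re.I | re.S):
        issues.append("query: no WHERE clause with a '?' placeholder")
    if re.search(r"\b(\w+)\s+\1\b", query, re.I):
        issues.append("query: repeated word")
    for key in ("timestamp.field", "uniqueid.fields"):
        for col in filter(None, map(str.strip, p.get(key, "").split(","))):
            if col.upper() not in cols:
                issues.append(f"{key}: {col} is not selected by the query")
    for key, val in p.items():
        if re.search("[\u201c\u201d\u2018\u2019]", val):
            issues.append(f"{key}: typographic quote in value")
        elif key.startswith("event.") and val[:1] != "_" and val.upper() not in cols:
            issues.append(f"{key}: {val} is not selected by the query")
    return issues

# Constructed sample, condensed from the two files posted in the thread.
SAMPLE = r'''
query = \
    Select session_id,login_log_time,user_id \
    FROM from lgt
timestamp.field=login_log_time
uniqueid.fields=XREFID
# ArcSight Field Mapping
event.flexString1Label=__stringConstant("REMARKS”)
event.sourceUserID=user_id
event.sourceAddress=device_id
'''
```

Calling `lint(SAMPLE)` returns one message per problem; an empty list means none of these checks fired, not that the connector will accept the file.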
