This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
irfan_ansari017
Commodore Commodore
Commodore
‎2016-06-26 10:54
1230 views

WLC Parser error

Jump to solution

Dears,

I have created parser for WLC, only to map events which contains "Rogue".

In arcsight regex tool my parser is executing fine.

While putting it in the real-time i am getting below error,

INFO   | jvm 1    | 2016/06/26 12:49:05 | FATAL EXCEPTION:

INFO   | jvm 1    | 2016/06/26 12:49:05 | com.arcsight.agent.parsers.operation.WrongArgumentsException: All timestamp formats are wrong, please check your input[ANB-HO-WLC-CA3: *webauthRedirect: Jun 26 12:49:03.828]!

Kindly let me know where i am going wrong.

Attaching parser and sample logs for reference.

Regards,

Irfan

Labels (2)
WLC.zip
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
irfan_ansari017
Commodore Commodore
Commodore
‎2016-06-27 08:26

Jump to solution

Dears,

The solution to above problem which worked for me is,

WLC logs by default picking up CISCO NX-OS parser.

I deleted this from agent.properties "customsubagentlis" as no NX-OS reporting through this connector. Then deleted syslog.properties file.

Set "usecustomsubagentlist=true" and restart smartconnector.

After this message from Cisco WLC start parse correctly.

Kind regards

Irfan

View solution in original post

0 Likes
Reply
Report Inappropriate Content
5 Replies
irfan_ansari017
Commodore Commodore
Commodore
‎2016-06-27 08:26

Jump to solution

Dears,

The solution to above problem which worked for me is,

WLC logs by default picking up CISCO NX-OS parser.

I deleted this from agent.properties "customsubagentlis" as no NX-OS reporting through this connector. Then deleted syslog.properties file.

Set "usecustomsubagentlist=true" and restart smartconnector.

After this message from Cisco WLC start parse correctly.

Kind regards

Irfan

View solution in original post

0 Likes
Reply
Report Inappropriate Content
mwhit720
Lieutenant Lieutenant
Lieutenant
‎2016-06-29 17:37

Jump to solution

What version of Cisco WLC are you using ?

Which connector.. SNMP unifiied or syslog ??

0 Likes
Reply
Report Inappropriate Content
irfan_ansari017
Commodore Commodore
Commodore
‎2016-06-30 08:37

Jump to solution

Dear,

WLC ver 8.0.

Syslog.

Regards,

Irfan

0 Likes
Reply
Report Inappropriate Content
checky04
Captain
Captain
‎2016-07-12 22:49

Jump to solution

Irfan,  is the solution applicable to WLC 8.2? I have parsing issue even I upgraded our connector to the latest one.  It seems the column "Name" and "Device Process Name" are not parsing correctly.  Thanks! Richel

0 Likes
Reply
Report Inappropriate Content
irfan_ansari017
Commodore Commodore
Commodore
‎2016-07-13 07:37

Jump to solution

Dear Richel,

I have made the parser for verion 8.0 and worked for me, i am not sure about 8.2.

Below was the raw log format.

<182>HO-WLC-CA3: *Dot1x_NW_MsgTask_4: Jun 30 10:59:50.527: %APF-6-USER_NAME_CREATED: [PA]apf_ms.c:7869 Username entry (123456) with length (253) created for mobile 70:81:eb:27:6f:9c

Parsed in ArcSight as,

      

End TimeNameMessageDevice Event Class IDDevice Custom String2Device Custom String3Device Custom String5Device SeverityDevice AddressDevice Host NameDevice ProductDevice Vendor
May 29 2016 00:00:01Unparsed Event[PA]sisf_shim_utils.c:482 Entry deleted A=fe80::42cb:a8ff:fe2f:83fd V=2054 I=wireless:0 P=0000 M=SISF:ENTRY_DELETEDSISFENTRY_DELETEDSISF-6-ENTRY_DELETED612.23.32.21 NX-OSCISCO

Thanks,

Irfan

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.