ralphw (Trusted Contributor)

With flexconnector parsers, is there a "settling time" before the parser is used for all similar rec

We use a bluecoat proxy, with a custom log format. Our proxy parsing is implemented as a flexconnector.

As we implement a smartconnector on a new host, we have observed that the first several hundred lines of bluecoat proxy data sent from syslog relay to the smartconnector are not parsed properly.  After a short period of time (usually 5 minutes), the problem is corrected.

The sign of parser failure is that the Device Product and Device ID are set to "Unix".  This seems like an odd failure mode.

I'm interested in suggestions for improving this 'settling' time, or for configuration files to look at aside from the regular expression. The non-deterministic behavior doesn't make sense to me, since we've had this flexconnector in production for two years.

Shaun (Acclaimed Contributor)

Re: With flexconnector parsers, is there a "settling time...

The SmartConnector keeps a persistence file called "syslog.properties" where it stores which parser was last used for logs coming from a particular host. Every 1000 lines or so it should re-evaluate the parsers, which is likely what you are experiencing.

You should be able to just stop your agent, delete the syslog.properties, and restart your agent, which should make it go through all the parsers.
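One way to measure the window described in this thread from an event export, as an added example that is not part of any post or of the product: it finds runs of events from the proxy host that carry Device Product "Unix" and reports when correct parsing resumed. The CSV column names, the host names and the "Blue Coat Proxy" product string are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample export: receipt time, sending host, Device Product.
# Column names and the "Blue Coat Proxy" product string are assumptions.
SAMPLE = """\
time,host,device_product
2018-03-01T10:00:00,proxy01,Unix
2018-03-01T10:01:30,proxy01,Unix
2018-03-01T10:02:00,mail01,Unix
2018-03-01T10:04:45,proxy01,Unix
2018-03-01T10:05:10,proxy01,Blue Coat Proxy
2018-03-01T10:06:00,proxy01,Blue Coat Proxy
2018-03-01T11:20:00,proxy01,Unix
2018-03-01T11:20:05,proxy01,Blue Coat Proxy
"""

def misparse_windows(text, proxy_hosts, fallback="Unix"):
    """Return {host: [(start, end, count), ...]} for runs of fallback-parsed events.

    end is the time of the first correctly parsed event after the run,
    or None if the host had not recovered by the end of the export.
    """
    windows = {}
    open_run = {}  # host -> [start, count] for a run still in progress
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"]
        if host not in proxy_hosts:
            continue  # "Unix" is the expected product for real Unix hosts
        ts = datetime.fromisoformat(row["time"])
        if row["device_product"] == fallback:
            run = open_run.setdefault(host, [ts, 0])
            run[1] += 1
        elif host in open_run:
            start, count = open_run.pop(host)
            windows.setdefault(host, []).append((start, ts, count))
    for host, (start, count) in open_run.items():
        windows.setdefault(host, []).append((start, None, count))
    return windows

if __name__ == "__main__":
    for host, runs in misparse_windows(SAMPLE, {"proxy01"}).items():
        for start, end, count in runs:
            settled = f"{(end - start).total_seconds():.0f}s" if end else "not yet"
            print(f"{host}: {count} events as Unix from {start}, settled after {settled}")
```

A second or later window for the same host, as in the sample, means the fallback parser was selected again after the connector had already settled.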

ralphw (Trusted Contributor)

Re: With flexconnector parsers, is there a "settling time...

There is also a description of a "decision tree" process for identifying the parser in this thread: community.saas.hpe.com/t5/ArcSight-Questions/What-is-the-Role-of-syslog-properties-file-is-a-syslog-Connector/qaq-p/1558470
