bernardo.rodrig Absent Member.

XML Syslog subagent

Hi all, I've been searching around but there doesn't seem to be a straight answer for this, so here it goes:

I have an XML File Flex Connector that is pretty basic, which means that it's working (awesome for me)... I want to use it as a subagent for a Syslog Connector that is receiving XML encapsulated in syslog packets. At this point I'm not absolutely sure about the format of the syslog packets...

Can I use the parser I have directly as an agent? Or do I have to make a new one using a multiline regular expressions parser?

Thanks in advance!

0 Likes

Accepted Solutions
balahasan.v1 Acclaimed Contributor.

Hi Bernardo,

Have you tried calling your XML Parser Config as an Extraprocessor on your Subagent?

0 Likes
bernardo.rodrig Absent Member.

I haven't but I'll certainly try that out... Can I simply do it with "no strings attached", and by that I mean without having to define anything else in the subagent?

0 Likes
Micro Focus Expert

Well, that depends. Is the XML the entire message?

There will be a syslog header that gets parsed, and then what is handed off to the syslog connector from there?

You might have to define some simple parsing to pass off the XML to the extraprocessor.


0 Likes
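
The question raised in the reply above (is the XML the entire message, and what is left after the syslog header is parsed?) can be checked offline against captured packets. This is an added example, not code from the thread or from ArcSight; it assumes an RFC 3164-style header, and the sample packets and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted senders, a hardened parser such as defusedxml is preferable

# RFC 3164-style header: optional <PRI>, "Mmm dd hh:mm:ss", host, then the payload.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<payload>.*)$",
    re.DOTALL,
)

def split_syslog(line):
    """Return (header_fields, payload); header is {} if no syslog header matched."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {}, line
    hdr = {"host": m.group("host"), "timestamp": m.group("ts")}
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        hdr["facility"], hdr["severity"] = pri >> 3, pri & 7
    return hdr, m.group("payload")

def xml_fields(payload):
    """Flatten the XML part of the payload into {path: text}; {} if it is not XML."""
    start = payload.find("<")          # skip a tag such as "app: " before the XML
    if start < 0:
        return {}
    try:
        root = ET.fromstring(payload[start:])
    except ET.ParseError:
        return {}                      # truncated or split XML: nothing to hand off
    fields = {}
    def walk(node, path):
        for k, v in node.attrib.items():
            fields[f"{path}@{k}"] = v
        if node.text and node.text.strip():
            fields[path] = node.text.strip()
        for child in node:
            walk(child, f"{path}/{child.tag}")
    walk(root, root.tag)
    return fields

# Constructed sample packets (not from the thread).
SAMPLE_OK = '<134>Oct  3 06:15:19 host01 app: <event id="42"><user>alice</user><action>login</action></event>'
SAMPLE_CUT = '<134>Oct  3 06:15:20 host01 app: <event id="43"><user>bob</us'
```

An empty result from `xml_fields` on real captures means the payload is not a complete XML document on its own, so the sub-agent would need more than a catch-all regex before the XML parser can be used.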
bernardo.rodrig Absent Member.

Hi guys, I did that but now I am getting a stupid error...

I simply did a subagent as follows:

regex=(.*)
token.count=1
token[0].name=line
token[0].type=String
event.rawEvent=line

And this is the error:

[2014-10-03 06:15:19,418][ERROR][default.com.arcsight.agent.loadable.agent._SyslogD][parseAndSend]
com.arcsight.agent.dg.o[0]: com.arcsight.agent.dg.o; Linked Exception:
[
java.lang.NullPointerException
    at com.arcsight.agent.parsers.j.b(j.java:619)
    at com.arcsight.agent.sdk.b.s.b(s.java:670)
    at com.arcsight.agent.sdk.b.s.a(s.java:608)
    at com.arcsight.agent.sdk.b.s.b(s.java:479)
    at com.arcsight.agent.dg.b.b.a(b.java:176)
    at com.arcsight.agent.dg.b.i.a(i.java:167)
    at com.arcsight.agent.dg.n.a(n.java:338)
    at com.arcsight.agent.dg.l.a(l.java:237)
    at com.arcsight.agent.dg.a.a.a(a.java:393)
    at com.arcsight.agent.dg.a.a.a(a.java:1804)
    at com.arcsight.agent.dg.a.a.f(a.java:1587)
    at com.arcsight.agent.dg.a.a.h(a.java:1435)
    at com.arcsight.agent.dg.a.a.access$300(a.java:65)
    at com.arcsight.agent.dg.a.a$6.run(a$6.java:926)
    at java.util.TimerThread.mainLoop(Timer.java:512)
    at java.util.TimerThread.run(Timer.java:462)
]
    at com.arcsight.agent.dg.b.b.a(b.java:178)
    at com.arcsight.agent.dg.b.i.a(i.java:167)
    at com.arcsight.agent.dg.n.a(n.java:338)
    at com.arcsight.agent.dg.l.a(l.java:237)
    at com.arcsight.agent.dg.a.a.a(a.java:393)
    at com.arcsight.agent.dg.a.a.a(a.java:1804)
    at com.arcsight.agent.dg.a.a.f(a.java:1587)
    at com.arcsight.agent.dg.a.a.h(a.java:1435)
    at com.arcsight.agent.dg.a.a.access$300(a.java:65)
    at com.arcsight.agent.dg.a.a$6.run(a$6.java:926)
    at java.util.TimerThread.mainLoop(Timer.java:512)
    at java.util.TimerThread.run(Timer.java:462) !

0 Likes
bernardo.rodrig Absent Member.

Never mind this problem, this was a stupid mistake of writing "rawEvent" instead of "event.rawEvent".

0 Likes
bernardo.rodrig Absent Member.

Hi thanks a lot for the tip. I followed up on it and it's definitely what I'm looking for!

However, I'm having this issue where everything seems well and, however, my parser does nothing... I check the output and everything is empty except for the field "rawEvent" which contains the raw event (except the syslog header) but which doesn't get erased after parsing, as it was supposed to...

Oh and thanks , that part I already did, the issue now is I'm not being able to use the original xml parser

I've attached my agent.properties file and my subagent file.

Can somebody help please?!?!?

0 Likes
Micro Focus Expert

Don't assign the token to event.rawEvent; I don't think that is assignable in the FlexConnector.

Try another big field such as event.message.


0 Likes