fikretbaydilli1 Trusted Contributor.

flex connector properties file not picked up and syslog.properties problem

Hi,

I installed a syslog agent. Since I want to parse a vendor's logs, I want to use a flex connector. My steps are:

1- Using ArcSight's regex tool, I created the properties file. (Attachment: agent properties.PNG)

   I tested the regex with the regex tool, and the test was successful. For all the logs it was yellow.

2- I placed this properties file into .\user\agent\flexagent\syslog (sfilename.subagent.sdkrfilereader.properties)

3- In the agent.properties file I added its name, like agents[0].customsubagentlist=filename_syslog|.....

4- Again in the agent.properties file, I changed the value to true (agents[0].usecustomsubagentlist=true)

5- Deleted the syslog.properties file

6- Started the service and it didn't work

To test the properties file:

1- I installed a regex flex connector and uploaded the log file. I saw that with this regex I can parse the log successfully.

2- After starting the service, the deleted syslog.properties file is regenerated, as you know. In this file, I can't see my file's name. I see generic_syslog.

3- In agent.log, first it says that it can't find the file, then it says it parsed the file.

Line 2978: [2015-09-15 10:49:51,389][INFO ][default.com.arcsight.agent.fc.f][getInputStream] Resource [syslog\samplefilename.subagent.sdkrfilereader.properties] not found
Line 2979: [2015-09-15 10:49:51,389][INFO ][default.com.arcsight.agent.fc.f][getInputStream] Resource [syslog\samplefilename.subagent.sdkrfilereader.properties] not found (AUP file ignored)
Line 2980: [2015-09-15 10:49:51,389][INFO ][default.com.arcsight.common.config.AgentPropertiesFileConfiguration][customInitialization] customInitialization() - read properties from file [D:\ISM_UDP_SyslogWithFlex\current\user\agent\flexagent\syslog\samplefilename.subagent.sdkrfilereader.properties].
Line 2981: [2015-09-15 10:49:51,405][INFO ][default.com.arcsight.agent.sdk.d.u][init] Successfully Parsed properties from file [syslog\samplefilename.subagent]

4- On protect724.hp.com I searched a lot and tried lots of things (changing the file name, changing the location, changing some line in agent.properties, rebooting, etc.). However, I couldn't solve it.

5- Again on protect724.hp.com I saw a discussion about this problem, and it says there is a cache mechanism in flex connectors. After reading this I reinstalled the connector and did the settings from the beginning; this also didn't work.

I'm missing something, but what?

0 Likes
matt.mac Regular Contributor.

try:

agents[0].customsubagentlist=flexagent_syslog



0 Likes
fikretbaydilli1 Trusted Contributor.

Didn't work.

0 Likes
matt.mac Regular Contributor.

Did you delete syslog.properties before restarting the connector?

0 Likes
fikretbaydilli1 Trusted Contributor.

Yes, I did.

0 Likes
matt.mac Regular Contributor.

OK, does it say something like hostname\:flexagent_syslog in there?

0 Likes
aritra Absent Member.

Did you check the "Treat as Syslog subagent" option in the Regex utility tool after compiling the configuration file?

0 Likes
fikretbaydilli1 Trusted Contributor.

I did that too. However, when I checked that, I didn't see any change in the script. Is it possible?

0 Likes
sangeethsuseela Absent Member.

I could see that the parser file name is sfilename.subagent.sdkrfilereader.properties

So change the setting to agents[0].customsubagentlist=sfilename_syslog|

Also check in the syslog.properties file which parser file is associated with the host sending the logs.

(It should be like this Hostname or IPAddress of the Device/: sfilename_syslog|generic_syslog)

0 Likes
Shaun Acclaimed Contributor.

Name your parser "something_syslog.subagent.sdkrfilereader.properties".

Place said parser in current/user/agent/flexagent/syslog

You don't need to make any modifications to agent.properties.  The "flexagent_syslog" parser will be the one which picks up the syslog flexagent parsers.

Delete syslog.properties so the connector won't default to a previous parser.

When you restart the agent, check agent.log looking for a reference to where it read and successfully parsed your "something_syslog.subagent.sdkrfilereader.properties" file.

0 Likes
Michel Beaudry Outstanding Contributor.

Your parser should be named as per syslog subagent notation such as "vendor_syslog.subagent.sdkrfilereader.properties".

In your case I don't even see that you have defined deviceVendor and deviceProduct in your FlexConnector. There should be at least 2 lines such as:

event.deviceVendor=__stringConstant("IBM WebSphere")

event.deviceProduct=__stringConstant("DataPower")

In this example your parser would be named datapower_syslog.subagent.sdkrfilereader.properties and should be placed where indicated.

Regards,

Michel Beaudry

0 Likes
sem-eng Valued Contributor.

Hello All,

Michel, I followed your advice with no success..

My incoming logs are sent in CEF (well parsed) and another format where my flex will be used.

An extract from my agent.properties :

agents[0].customsubagentlist=flexagent_syslog|cef_syslog

agents[0].usecustomsubagentlist=true

I put "myflex_syslog.subagent.sdkrfilereader.properties" in flexagent/syslog

My syslog.properties :

syslog.subagentdef=10.X.X.X\:cef_syslog,10.X.X.X\:cef_syslog,10.X.X.X\:passthrough_syslog

The "passthrough_syslog" is matched.


Despite that, agent.log said:

[2015-10-01 12:54:38,474][INFO ][default.com.arcsight.agent.sdk.c.q][init] Successfully Parsed properties from file [syslog/myflex_syslog.subagent]

[2015-10-01 13:04:35,206][INFO ][default.com.arcsight.agent.sdk.c.q][init] Successfully Parsed properties from file [syslog/myflex_syslog.subagent]

[2015-10-01 13:08:25,176][INFO ][default.com.arcsight.agent.sdk.c.q][init] Successfully Parsed properties from file [syslog/myflex_syslog.subagent]

I really think I'm close to the solution..

I'm in 7.1.4 version.

I'm still searching..

Thank you for your help, there's a deadly detail missing..


EDIT : Ok.. I got a whitespace in my regex. Thanks for the tips.

0 Likes
kitdaddio Absent Member.

See if you have a line in the agent.properties file such as:

agents[0].configfolder=xxx


If so, create a sub-folder of that name (xxx) under the flexagent folder, and put the flex properties file there.


0 Likes
kitdaddio Absent Member.

> agents[0].customsubagentlist=flexagent_syslog|cef_syslog


That should probably be a slash / not a backslash \.


> I put "myflex_syslog.subagent.sdkrfilereader.properties" in flexagent/syslog

IDK. Maybe try a folder name of flexagent/flexagent_syslog rather than flexagent/syslog

0 Likes
sem-eng Valued Contributor.

Hi All,

The thing is, when you configure flex_agent in customsubagentlist from agent.prop (maybe with another one), there are no logs in agent.log telling you that your regex didn't match.

The agent automatically detects it as passthrough_syslog in syslog.properties.

Regards.

0 Likes
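
Added example (not part of any poster's reply and not ArcSight code): a small Python check that ties together the points raised in this thread, namely the `<name>_syslog.subagent.sdkrfilereader.properties` naming, the "Successfully Parsed" line in agent.log, and the silent fallback to passthrough_syslog or generic_syslog that only shows up in syslog.properties. The function names, the sample addresses, and the rule that a host is flagged only when every subagent listed for it is a fallback are assumptions made for this illustration.

```python
import re

# Naming convention given in the thread: <name>_syslog.subagent.sdkrfilereader.properties
PARSER_RE = re.compile(r"^(\w+_syslog)\.subagent\.sdkrfilereader\.properties$")
# agent.log line quoted in the thread when a flex parser file has been read
LOADED_RE = re.compile(r"Successfully Parsed properties from file \[syslog[\\/](\w+)\.subagent\]")
FALLBACKS = {"passthrough_syslog", "generic_syslog"}

def props(text):
    """Minimal key=value reader; enough for the keys checked here."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def host_map(syslog_props):
    """Parse syslog.subagentdef (host\\:subagent[|subagent],...) into {host: [subagents]}."""
    out = {}
    for entry in props(syslog_props).get("syslog.subagentdef", "").split(","):
        host, sep, subs = entry.partition("\\:")
        if sep:
            out[host.strip()] = [s for s in subs.strip().split("|") if s]
    return out

def audit(parser_file, agent_props, syslog_props, agent_log):
    """Return a list of findings; an empty list means none of the checks fired."""
    m = PARSER_RE.match(parser_file)
    if not m:
        return [f"name: {parser_file} is not <name>_syslog.subagent.sdkrfilereader.properties"]
    findings, cfg = [], props(agent_props)
    custom = cfg.get("agents[0].customsubagentlist", "").split("|")
    if cfg.get("agents[0].usecustomsubagentlist") == "true" and "flexagent_syslog" not in custom:
        findings.append("list: custom subagent list is enabled but lacks flexagent_syslog")
    if m.group(1) not in LOADED_RE.findall(agent_log):
        findings.append(f"load: agent.log has no 'Successfully Parsed' line for {m.group(1)}")
    for host, subs in host_map(syslog_props).items():
        # Assumption: a host is flagged only if every subagent listed for it is a fallback.
        if subs and set(subs) <= FALLBACKS:
            findings.append(f"fallback: {host} is mapped to {'|'.join(subs)}; no parser regex matched")
    return findings

# Constructed sample inputs modelled on the snippets posted in the thread.
AGENT = "agents[0].customsubagentlist=flexagent_syslog|cef_syslog\nagents[0].usecustomsubagentlist=true\n"
SYSLOG = "syslog.subagentdef=192.0.2.10\\:cef_syslog,192.0.2.20\\:passthrough_syslog\n"
LOG = "[2015-10-01 12:54:38,474][INFO ][default.com.arcsight.agent.sdk.c.q][init] Successfully Parsed properties from file [syslog/myflex_syslog.subagent]\n"

if __name__ == "__main__":
    for finding in audit("myflex_syslog.subagent.sdkrfilereader.properties", AGENT, SYSLOG, LOG):
        print(finding)
```

With the constructed sample, the parser file loads cleanly and the only finding is the fallback mapping for 192.0.2.20, which is the situation described in the last reply: the load succeeds, nothing in agent.log reports a regex miss, and the host still ends up on passthrough_syslog.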