Respected Contributor.

flexagent subagent parser not parsing

raw events: (screenshot: Raw event)

Hi Gurus,

As seen from above, I'm interested in 2-3 specific raw events out of many other types of event ID with the same regex pattern:

wsmd[xxxxx]: [wsmd.NOTICE]: xxxxxxxxxxxxxxxxxxxx

Hence, I've written the following subparser:

/current/user/agent/flexagent/syslog/fireeye.subagent.sdkrfilereader.properties

The agent.properties:

agents[0].customsubagentlist=cef_syslog|....(some other default agent in here)....|flexagent_syslog|....(some other default agent in here)....|generic_syslog|passthrough_syslog

agents[0].unparsedevents.log.enabled=true
agents[0].usecustomsubagentlist=true

But the flexagent didn't get its chance to parse the raw events. Those 2-3 raw events which I'm interested in were parsed with generic_syslog instead:

172.18.5.88\:cef_syslog|generic_syslog|passthrough_syslog


Help?

Trusted Contributor.

Hey!

I'd try using double backslashes everywhere needed to escape, also put flexagent_syslog at the start of the row in agent.properties, and delete $arcsight_home/current/user/agent/syslog.properties, then restart the connector. (And it's worth trying to put .*? at the start of the regex if it does not work.)


Hope this helps.


Regards, Thomas.

Knowledge Partner

@yhann1 

18505, 22351, 12988, 21042, 46083, 43517, 13827 look to me like the PIDs of a process and not really a message ID; it might work today, but maybe not after a restart of the appliance...

The "FIPS Mode and Common Criteria HX Series Addendum Release 1.0" also supports my assumption.
"Successful Login Attempt"
The following is the format of an audit message for a successful login attempt:
Timestamp Hostname mgmtd[pid]: [mgmtd.NOTICE]: AUDIT: User login: username ‘username’, full name 'full name', role 'admin', client 'session

So I think it's worth adjusting your parser design.

for support on what to put where and so on...
KR
A
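An added example, not from the thread or from ArcSight, showing the parser design the second reply argues for: the bracketed number is captured as a variable pid and excluded from the event key, and the "Successful Login Attempt" layout quoted from the addendum is matched on the message body. The sample lines, hostname, timestamps and usernames are constructed; the regex is Python, so the doubled backslashes a Java `.properties` file needs (the first reply's point) are produced separately by `properties_escape`.

```python
import re

# Constructed sample events (not from the post). The number in brackets is the
# daemon's pid, which changes across appliance restarts, so the parser must not
# key on it.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 hx-host wsmd[18505]: [wsmd.NOTICE]: Policy updated",
    "Jan 10 12:00:05 hx-host wsmd[22351]: [wsmd.NOTICE]: Policy updated",
    "Jan 10 12:01:00 hx-host mgmtd[12988]: [mgmtd.NOTICE]: AUDIT: User login: "
    "username 'alice', full name 'Alice Example', role 'admin', client 'session'",
    "Jan 10 12:02:00 hx-host sshd[4242]: Accepted publickey for bob",
]

# Common HX daemon header: process name, pid, "[process.SEVERITY]:" tag, message.
# The backreference (?P=proc) requires the tag to repeat the process name.
HX_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[a-z]+)\[(?P<pid>\d+)\]: "
    r"\[(?P=proc)\.(?P<sev>[A-Z]+)\]: "
    r"(?P<msg>.*)$"
)

# Message-body pattern for the successful-login audit format in the addendum.
AUDIT_LOGIN = re.compile(
    r"^AUDIT: User login: username '(?P<user>[^']*)', full name '(?P<full>[^']*)', "
    r"role '(?P<role>[^']*)', client '(?P<client>[^']*)"
)


def parse_hx(line):
    """Return a dict of fields, or None when the line is not in HX daemon format."""
    m = HX_HEADER.match(line)
    if not m:
        return None
    fields = m.groupdict()
    a = AUDIT_LOGIN.match(fields["msg"])
    if a:
        fields["event"] = "login_success"
        fields.update(a.groupdict())
    return fields


def parse_all(lines):
    return [parse_hx(line) for line in lines]


def event_key(fields):
    """Stable key for routing/token mapping: process and severity, never the pid."""
    return (fields["proc"], fields["sev"])


def properties_escape(pattern):
    """Double every backslash so the regex survives Java .properties unescaping."""
    return pattern.replace("\\", "\\\\")
```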