mitcheli Absent Member.

Debugging XML Flex Connector

I have a flex connector that's been developed that has the following config file:

trigger.node.expression=event
token.count=8

token[0].name = messageText
token[0].type = String
token[0].expression = /event/messageText

token[1].name = startTime
token[1].type = TimeStamp
token[1].location = /event/startTime
token[1].format = yyyy-MM-dd'T'HH:mm:ss'Z'

token[2].name = attackerAddress
token[2].type = IPAddress
token[2].location = /event/attackerAddress

token[3].name = targetAddress
token[3].type = IPAddress
token[3].location = /event/targetAddress

token[4].name = deviceAddress
token[4].type = IPAddress
token[4].location = /event/deviceAddress

token[5].name = priority
token[5].type = Integer
token[5].location = /event/priority

token[6].name = deviceVendor
token[6].type = String
token[6].location = /event/deviceVendor

token[7].name = deviceProduct
token[7].type = String
token[7].location = /event/deviceProduct

event.eventName=messageText
event.startTime=startTime
event.attackerAddress=attackerAddress
event.targetAddress=targetAddress
event.deviceAddress=deviceAddress
event.priority=priority
event.deviceVendor=deviceVendor
event.deviceProduct=deviceProduct

The problem is, if token.count is anything greater than 1, I get the following errors when trying to start the connector:

[GC 26630K->4275K(259264K), 0.0302530 secs]
[Tue Sep 14 10:07:07 CDT 2010] [INFO ] Zone based filtering disabled.
[Tue Sep 14 10:07:07 CDT 2010] [INFO ] HTTP Compression enabled.
FATAL EXCEPTION:
Could not initialize the parser[myfile.xqueryparser.properties] successfully
FATAL EXCEPTION:
Parser not initialized correctly
[GC 27635K->7599K(259264K), 0.0192100 secs]

If I leave token.count = 1, then I don't get any events even though the agent appears to be running as I monitor the logs. It does see the XML files and will say that it's parsing it, but nothing happens beyond that in the manager.

I thought that perhaps the time stamp might have issues, but even removing that and setting the token.count to 7 still makes no difference.

Any ideas?

justin.kelso@hp Absent Member.

Re: Debugging XML Flex Connector

Now, keep in mind that this connector could be broken on multiple levels, but two things I see off the bat are:

1. event.eventName=messageText should be event.name=messageText

2. event.startTime=startTime should be event.endTime=startTime (I say this because you have to map end time. You can map the start time token again to start time also, but you need to declare the end time for the event.)

Oh, and two more...

3. event.attackerAddress=attackerAddress should be event.sourceAddress=attackerAddress (Connectors map source, manager derives attacker.)

4. event.targetAddress=targetAddress should be event.destinationAddress=targetAddress (Same as above.)

As I said, there could be more going on, but that's what I see off the bat.

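The checks from the reply above, written as a small pre-flight linter that can be run before starting the connector. This is an added example, not code from the thread or from ArcSight: `lint` and `SAMPLE` are hypothetical names, the renames are only the ones the reply states, and the remaining checks (token.count against defined indices, mixed per-token path keys, mappings that point at undefined tokens) are structural consistency checks that report a mismatch without asserting which key the parser accepts.

```python
import re

# Renames taken from the reply above; no other field name is judged here.
RENAMES = {"event.eventName": "event.name",
           "event.attackerAddress": "event.sourceAddress",
           "event.targetAddress": "event.destinationAddress"}
TOKEN_KEY = re.compile(r"token\[(\d+)\]\.(\w+)$")

def lint(text):  # returns a list of findings for a FlexConnector-style file
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    props = {k.strip(): v.strip() for k, v in pairs}
    tokens, findings = {}, []
    for key, value in props.items():
        m = TOKEN_KEY.match(key)
        if m:
            tokens.setdefault(int(m.group(1)), {})[m.group(2)] = value
    declared = int(props.get("token.count", "0"))
    if sorted(tokens) != list(range(declared)):
        findings.append(f"token.count={declared} but indices defined are {sorted(tokens)}")
    # Which key carries each token's XPath? Mixed keys are reported, not judged.
    path_keys = {}
    for idx, fields in tokens.items():
        path_keys.setdefault(frozenset(fields) - {"name", "type", "format"}, []).append(idx)
    if len(path_keys) > 1:
        odd = min(path_keys.values(), key=len)
        findings.append(f"token(s) {sorted(odd)} use a different path key than the rest")
    names = {fields.get("name") for fields in tokens.values()}
    events = {k: v for k, v in props.items() if k.startswith("event.")}
    for key, value in events.items():
        if re.fullmatch(r"\w+", value) and value not in names:
            findings.append(f"{key} references undefined token {value}")
        if key in RENAMES:
            findings.append(f"{key} should be {RENAMES[key]}")
    if "event.endTime" not in events:
        findings.append("event.endTime is not mapped")
    return findings

# Constructed sample: a shortened version of the file posted in the question.
SAMPLE = """token.count=4
token[0].name = messageText
token[0].expression = /event/messageText
token[1].name = startTime
token[1].location = /event/startTime
token[2].name = attackerAddress
token[2].location = /event/attackerAddress
event.eventName=messageText
event.startTime=startTime
event.attackerAddress=attackerAddress"""
print("\n".join(lint(SAMPLE)))
```

On the full file from the question, the path-key check singles out token[0], the only token that uses `.expression` where the others use `.location`.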
mitcheli Absent Member.

Re: Debugging XML Flex Connector

So that would be an epic fail on mapping the connector's event data. Is there a resource I can track down that identifies the elements available to the connector? I suppose I made the assumption they would be the same as the ones in the manager.

Then I shall go and RTFM.

justin.kelso@hp Absent Member.

Re: Debugging XML Flex Connector

You can find the FlexConnector Creation Guide here:

https://software.arcsight.com/documentation/agentdocinstall/AgentDocs/agentConfigDocs/FlexConn_DevGuideConfig.pdf

Also, there is a flex connector class available too!
