
Behaviors between generic collector and custom collector


Hi all,

I tried writing my own collector for parsing a new log format, and it was
using the syslog connector.
The original log was an application log, and it didn't have the appid
tag.

For a log example:
Oct 12 12:09:04 192.168.30.40 A new user account lliu has been created
by admin.

I haven't defined a property for the application id in
connectionMethods.xml, because the original logs didn't have the appid
tag.

For the log parsing test:
I used the netcat command to send test logs. Sentinel Log Manager
launched the generic collector for the new event source, and it couldn't
pass the log to my custom collector. Then I tried choosing the new event
source and selected a collector plugin for the exact collector mapping.
The new event source was moved and mapped to my custom collector. I
thought that was okay. So I tried to send logs again. The generic
collector created the same event source again. Sentinel Log Manager
didn't transfer the logs to my custom collector.

Would you share your experience with me? How did you handle this kind of
log without an appid? I would like to understand the process Sentinel Log
Manager follows between the generic collector and other collectors more clearly.

Thanks!


--
lliu
------------------------------------------------------------------------
lliu's Profile: http://forums.novell.com/member.php?userid=7010
View this thread: http://forums.novell.com/showthread.php?t=446501


Re: Behaviors between generic collector and custom collector


Hi there,

The Connector behavior is documented in detail in the Connector manual,
I believe. My understanding is that the Connector tries to identify
"new" event sources based on the *content* of inbound messages - so in
your example above, it would detect a new source labeled 192.168.30.40.
In this case it actually doesn't matter if the data was actually being
sent from some other IP address - the Connector cares about the IP
address in the syslog header. If, however, the message was sent from IP
A and no syslog header was present at all (e.g. the message started with
"A new user..."), then per the RFC the Syslog Connector would inject the
syslog header and identify a new source with IP A.

So one possibility is that the second time you tried this, you sent
data from a different IP address. Also, the Connector doesn't correlate
IPs/hostnames, so if you sent data with the hostname in the header
instead of the IP, that would also be seen as a new source.

I'd check these basics first, and if that still doesn't resolve the
issue we'll dig deeper.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=446501

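To make the source-identification rule in the reply above concrete, here is an added Python example that is not code from Sentinel, from the Syslog Connector, or from either poster. It models the two cases DCorlette describes: when an RFC 3164-style header is present, the host field of that header (IP or hostname) becomes the event-source key regardless of which IP the packet came from; when no header can be parsed, a header naming the sending IP is injected first. The regex, the function names, the PRI value 13 used for injected headers, and the sample lines (the first is the post's own log line, the other two are constructed variants) are my own assumptions about a simplified model, not the Connector's actual implementation.

```python
import re
from datetime import datetime

# Constructed sample inbound messages, paired with the IP the packet
# actually came from. Line 1 is the post's own example; lines 2 and 3
# are variants made up to show the two cases described in the reply.
SAMPLE_INPUT = [
    ("Oct 12 12:09:04 192.168.30.40 A new user account lliu has been created by admin.", "10.0.0.5"),
    ("Oct 12 12:09:04 appserver01 A new user account lliu has been created by admin.", "10.0.0.5"),
    ("A new user account lliu has been created by admin.", "10.0.0.5"),
]

# RFC 3164-style header: optional <PRI>, "Mmm dd HH:MM:SS", then the
# originator hostname or IP, then the free-text message.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_syslog_header(line):
    """Return the header fields of an RFC 3164-style line, or None if absent."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    return {
        "pri": int(m.group("pri")) if m.group("pri") else None,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def inject_header(raw_message, sender_ip, now=None):
    """Prepend a header naming the sending IP, as a receiver does for bare messages.

    PRI 13 (facility user, severity notice) and the current time are
    assumptions made for this model; the real Connector may differ.
    """
    now = now or datetime.now()
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # space-padded day, as in RFC 3164
    return f"<13>{timestamp} {sender_ip} {raw_message}"


def identify_event_source(line, sender_ip, now=None):
    """Return (source_key, message), keyed on the header host, not the packet sender.

    Only when no header can be parsed does the sender IP become the source,
    because the injected header then carries it.
    """
    parsed = parse_syslog_header(line)
    if parsed is None:
        parsed = parse_syslog_header(inject_header(line, sender_ip, now))
    return parsed["host"], parsed["msg"]


def group_by_source(lines_with_senders):
    """Map each distinct event-source key to the messages attributed to it."""
    sources = {}
    for line, sender_ip in lines_with_senders:
        source, msg = identify_event_source(line, sender_ip)
        sources.setdefault(source, []).append(msg)
    return sources


if __name__ == "__main__":
    for source, msgs in group_by_source(SAMPLE_INPUT).items():
        print(f"{source}: {len(msgs)} message(s)")
```

Running it groups the three constructed lines into three separate sources (192.168.30.40, appserver01 and 10.0.0.5), even though every packet came from the same sending IP. That is the behaviour the reply points at: the same application writing its hostname instead of its IP into the header, or a test client sending a bare message, shows up as a brand-new event source, which in turn gets the generic collector rather than the one you mapped.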