
Sentinel: connectionMethods.xml / syslog-map


Hi all,


I am struggling with the connection methods in a Sentinel plugin:

Code of connectionMethods.xml:

Code:
--------------------

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ConnectionMethods>
  <ConnectionMethod>
    <ConnectorName>SYSLOG</ConnectorName>
    <IsDefault>1</IsDefault>
    <ConnectionModes>
      <ConnectionMode>
        <InternalName>map</InternalName>
        <DisplayName>Syslog:Map Output (WAF)</DisplayName>
        <Description>.</Description>
        <IsDefault>1</IsDefault>
        <Properties>
          <Property>
            <Value>true</Value>
            <Name>EventMap</Name>
          </Property>
          <Property>
            <Name>Stateful</Name>
            <Value>false</Value>
          </Property>
          <Property>
            <Name>DataFormat</Name>
            <Value>map</Value>
          </Property>
          <Property>
            <Name>WAF</Name>
            <Value>true</Value>
          </Property>
        </Properties>
      </ConnectionMode>
      <ConnectionMode>
        <InternalName>line</InternalName>
        <DisplayName>Syslog:Line Output (WAF)</DisplayName>
        <Description>This mode outputs syslog data in a simple, RFC-compatible text format.</Description>
        <IsDefault>0</IsDefault>
      </ConnectionMode>
    </ConnectionModes>
  </ConnectionMethod>
  <!-- Leave the below connection method in place for most Collectors to allow debug/replay -->
  <ConnectionMethod>
    <ConnectorName>FILE</ConnectorName>
    ........
</ConnectionMethods>

--------------------

This code works fine: I see parsed events and also a syslog map in the
configuration window of the event source.

But when I import the plugin and start it, this error appears in the
server_wrapper.log:

Code:
--------------------

Using default connection mode Syslog:Line Output (WAF) (line) to resolve event source configuration for event source apXXXXXe:Syslog:Map Output (universal) (ID E12EF521-A740-1033-8F12-0050568958C4) because connection mode map was not found in collector package for plugin Ergon WAF (ID D0000001-1000-A000-BBBB-0002000A1001). Check collector plugin.

--------------------


The normal way to sort the event sources:
- initially the event source is listed in the netiq-universal connector
- I move this source to the new connector
- parsing starts with the new connector. Done

If I only use the connection map configuration without the line option, I
have the following problem:
After moving to the new connector, no parsing is done here and a new
event source is again generated at the universal connector.

So I am happy now that the above config of the connectionMethod works,
but the error in the log file irritates me.


--
tfechner
------------------------------------------------------------------------
tfechner's Profile: https://forums.netiq.com/member.php?userid=8929
View this thread: https://forums.netiq.com/showthread.php?t=55262


Hi Thorsten,
since your event source seems to be using multiple tags, you should use a
UniqueMatchingRule to identify it. Please replace the string "##Airlock
WAF##" accordingly:

Code:
--------------------

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ConnectionMethods>
  <!-- Fine-tune any connection methods in use and eliminate unused methods here -->
  <!-- Make sure you set one method as the default -->
  <ConnectionMethod>
    <ConnectorName>FILE</ConnectorName>
    <IsDefault>0</IsDefault>
    <ConnectionModes>
      <!-- Leave the below connection mode in place for most Collectors to allow debug/replay -->
      <ConnectionMode>
        <InternalName>Replay</InternalName>
        <DisplayName>File:Connector Dump</DisplayName>
        <Description>Reads data from Connector dump files.</Description>
        <IsDefault>1</IsDefault>
        <Properties>
          <Property>
            <Value>0x0A,0x0D0x0A</Value>
            <Name>Delimiter</Name>
          </Property>
        </Properties>
      </ConnectionMode>
    </ConnectionModes>
  </ConnectionMethod>
  <ConnectionMethod>
    <ConnectorName>SYSLOG</ConnectorName>
    <IsDefault>1</IsDefault>
    <!-- select one of the following modes and remove the others -->
    <ConnectionModes>
      <ConnectionMode>
        <InternalName>map</InternalName>
        <DisplayName>Syslog:Map (Airlock WAF)</DisplayName>
        <Description>Process Syslog format alert messages</Description>
        <IsDefault>1</IsDefault>
        <Properties>
          <Property>
            <Name>DataFormat</Name>
            <Value>map</Value>
          </Property>
          <Property>
            <Name>UniqueMatchingRule</Name>
            <Value>##Airlock WAF##</Value>
          </Property>
        </Properties>
      </ConnectionMode>
    </ConnectionModes>
  </ConnectionMethod>
</ConnectionMethods>

--------------------

Norbert

On 28.01.2016 08:19, tfechner wrote:



--
Norbert
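As an added example (not code from this thread or from the Sentinel SDK), a small Python lint for a Collector's connectionMethods.xml that also cross-checks the server_wrapper.log complaint from the first post against the modes the package actually declares. The rules it enforces (one default ConnectionMethod, one default ConnectionMode per method, no "##...##" placeholder left in UniqueMatchingRule) are assumptions drawn from the comments in the reply's XML, not documented Sentinel behaviour; the sample XML and log line are constructed from the thread.

```python
# Added example, not from the thread or the Sentinel SDK. Assumed lint rules: one
# default ConnectionMethod, one default ConnectionMode per method, no "##...##" left.
import re
import xml.etree.ElementTree as ET
# Constructed sample in the layout of the reply's XML; placeholder left in on purpose.
SAMPLE_XML = """<ConnectionMethods>
 <ConnectionMethod><ConnectorName>FILE</ConnectorName><IsDefault>0</IsDefault>
  <ConnectionModes><ConnectionMode><InternalName>Replay</InternalName>
   <IsDefault>1</IsDefault></ConnectionMode></ConnectionModes></ConnectionMethod>
 <ConnectionMethod><ConnectorName>SYSLOG</ConnectorName><IsDefault>1</IsDefault>
  <ConnectionModes><ConnectionMode><InternalName>map</InternalName><IsDefault>1</IsDefault>
   <Properties><Property><Name>DataFormat</Name><Value>map</Value></Property>
    <Property><Name>UniqueMatchingRule</Name><Value>##Airlock WAF##</Value></Property>
   </Properties></ConnectionMode></ConnectionModes></ConnectionMethod>
</ConnectionMethods>"""
# Shortened copy of the server_wrapper.log line quoted in the first post.
LOG_LINE = ("Using default connection mode Syslog:Line Output (WAF) (line) ... because "
            "connection mode map was not found in collector package for plugin Ergon WAF")
MODE_NOT_FOUND = re.compile(r"connection mode (\S+) was not found in collector package")

def modes_by_connector(xml_text):
    """Map each ConnectorName to the set of InternalName modes it declares."""
    return {m.findtext("ConnectorName"): {cm.findtext("InternalName") for cm in m.iter("ConnectionMode")}
            for m in ET.fromstring(xml_text).iter("ConnectionMethod")}

def lint(xml_text):
    """Return a list of problems; an empty list means the package passes the assumed rules."""
    methods = ET.fromstring(xml_text).findall("ConnectionMethod")
    problems = []
    if sum(m.findtext("IsDefault") == "1" for m in methods) != 1:
        problems.append("exactly one ConnectionMethod must have IsDefault=1")
    for m in methods:
        name = m.findtext("ConnectorName")
        if sum(cm.findtext("IsDefault") == "1" for cm in m.iter("ConnectionMode")) != 1:
            problems.append(f"{name}: exactly one ConnectionMode must have IsDefault=1")
        for p in m.iter("Property"):  # a placeholder never replaced means the rule never matches
            if p.findtext("Name") == "UniqueMatchingRule" and "##" in (p.findtext("Value") or ""):
                problems.append(f"{name}: UniqueMatchingRule placeholder was not replaced")
    return problems

def check_log_line(log_line, xml_text, connector="SYSLOG"):
    """Return (mode, defined): the mode the log calls missing and whether the package declares it."""
    m = MODE_NOT_FOUND.search(log_line)
    if not m:
        return None, None  # not the "connection mode ... was not found" message
    return m.group(1), m.group(1) in modes_by_connector(xml_text).get(connector, set())

if __name__ == "__main__":
    print(lint(SAMPLE_XML), check_log_line(LOG_LINE, SAMPLE_XML))
```

When `check_log_line` reports the mode as defined, as it does for the thread's own log line, the package itself is not what is missing the mode, which narrows where to look next.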