
Use SLES collector as a starting point for another distro?

Hello,
I have a Linux based router/firewall that I want to connect to Sentinel.
I started writing a custom collector but after seeing the events I can
see that they are very much like the events that SLES produces.

So I don't want to start from scratch.

Can I use the SLES collector as a base and "trick" it into collecting
events from my router/firewall instead of the events going to the NetIQ
Universal Collector?

Thanks.

-alekz

Sure, though be sure to change a few things, and in fact it may be better
to start with a new collector and then just copy a lot from release.js (or
whichever other file) into it, but you decide there.

1. Be SURE the UUID changes on the collector. I'd do this by creating a
new collector plugin from the SDK, then steal the UUID from the
package.xml file (I think that's the one once compiled.. not sure it's
there until compiled though, but the UUID is still in there somewhere) and
put it into your new non-SLES collector.

2. In the connectionmethods.* file you'll find some logic that tells Sentinel
which events should come to this (meaning your old SLES that you copied)
collector. Be sure to change that so that the system does not match SLES
events to this collector, and so that it does match your other events to
this collector. This can be done by some application ID or by some
pattern present in all of the events.

The name of the new collector plugin should be changed too, of course.

There may be more things, but those two for sure should be updated for
your new type of event.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
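The matching problem this reply describes, as an added illustration that is not part of the post and is not the Sentinel SDK's own connectionmethods code: a small syslog-line parser plus two candidate match rules run over constructed sample events. A rule that keys on common Unix application names (sshd, su, kernel) keeps claiming the SLES host's events as well, which is the collision the reply warns about; a rule keyed on something only the router emits (here an assumed hostname and an assumed "[FWRULE]" message marker) claims just the router's lines. The hostnames, markers and sample lines are all made up for the example.

```javascript
// Constructed sample events (not real captured traffic): two from a SLES
// host, two from the router/firewall. Format is classic BSD syslog:
// <PRI>Mon DD HH:MM:SS host app[pid]: message
const SAMPLE_EVENTS = [
  "<38>Mar  3 10:01:02 sles-host sshd[1023]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2",
  "<86>Mar  3 10:01:05 sles-host su: (to root) admin on /dev/pts/0",
  "<38>Mar  3 10:02:10 fw-edge sshd[404]: Accepted password for admin from 10.0.0.9 port 52122 ssh2",
  "<30>Mar  3 10:02:12 fw-edge kernel: [FWRULE] DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23",
];

// Groups: 1 priority, 2 month, 3 day, 4 time, 5 host, 6 app, 7 optional pid, 8 message.
const SYSLOG_RE =
  /^<(\d+)>(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+([^\s:\[]+)(?:\[(\d+)\])?:\s(.*)$/;

// Parse one syslog line into the fields a match rule would look at.
// Returns null for lines that do not fit the format.
function parseSyslog(line) {
  const m = SYSLOG_RE.exec(line);
  if (!m) return null;
  return {
    priority: Number(m[1]),
    host: m[5],
    app: m[6],
    pid: m[7] ? Number(m[7]) : null,
    message: m[8],
  };
}

// Rule 1 (too broad): claim anything produced by common Unix daemons.
// Both the SLES box and the router run sshd, so SLES events are still
// matched to the copied collector. Assumed app list, not Sentinel's.
const UNIX_APPS = new Set(["sshd", "su", "kernel"]);
function matchByAppName(ev) {
  return UNIX_APPS.has(ev.app);
}

// Rule 2 (discriminating): claim only events carrying something that is
// present in all of the router's events and in none of the SLES events.
// Assumption for this example: the router's hostname is "fw-edge" and its
// firewall log lines start with "[FWRULE]".
const ROUTER_HOSTS = new Set(["fw-edge"]);
function matchByRouterMarker(ev) {
  return ROUTER_HOSTS.has(ev.host) || ev.message.startsWith("[FWRULE]");
}

// Run a match rule over raw lines and report what the collector would
// claim, what it would pass on to other collectors, and what did not parse.
function routeEvents(lines, matcher) {
  const claimed = [];
  const passed = [];
  const unparsed = [];
  for (const line of lines) {
    const ev = parseSyslog(line);
    if (ev === null) {
      unparsed.push(line);
      continue;
    }
    (matcher(ev) ? claimed : passed).push(ev);
  }
  return { claimed, passed, unparsed };
}

// Quick comparison of the two rules when run directly with node.
function summarize(lines) {
  const broad = routeEvents(lines, matchByAppName);
  const narrow = routeEvents(lines, matchByRouterMarker);
  return {
    byAppName: broad.claimed.map((e) => `${e.host}/${e.app}`),
    byRouterMarker: narrow.claimed.map((e) => `${e.host}/${e.app}`),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarize(SAMPLE_EVENTS));
}
```

Whatever discriminator is used in the real connectionmethods logic, it is worth running both rules over a captured sample from each host before deploying, so that a too-broad pattern is caught before it silently steals events from the SLES collector.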

alekz;243043 Wrote:
> Hello,
> I have a Linux based router/firewall that I want to connect to
> Sentinel.
> I started writing a custom collector but after seeing the events I can
> see that they are very much like the events that SLES produces.
>
> So I don't want to start from scratch.
>
> Can I use the SLES collector as a base and "trick" it into collecting
> events from my router/firewall instead of the events going to the NetIQ
> Universal Collector?
>
> Thanks.
>
> -alekz
First thing to check is 'do you need a new collector just for this OS'?
The NetIQ Universal Collector parses most Unix events that we
currently support across the collectors; in many cases unless you need a
full dedicated collector for other reasons, it's better to just tack on
some custom parsing (through custom.js, see 'Collector Customization',
http://tinyurl.com/loec9qm). If you create a new collector, you have
to deal with some special problems like device discovery or the manual
effort of assigning event sources to that collector; so if you're just
trying to catch something small, extending the Universal collector is a
good first step to try.
--
brandon.langley
------------------------------------------------------------------------
brandon.langley's Profile: https://forums.netiq.com/member.php?userid=350
View this thread: https://forums.netiq.com/showthread.php?t=50461