Knowledge Partner
Knowledge Partner
474 views

custom.js in 8.2

Hello,

Recently after upgrading to 8.2 and the NetIQ Universal Collector to
2011.r6 I'm having some trouble with my custom.js code that's been
working for the last 4 years.

I'm capturing events from Linux boxes using the Syslog connector
2018.1r2 both using TCP and UDP.

In the debugger I set a breakpoint at the if in my function:

Record.prototype["parse-kernel"] = function(message, e) {
if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
//do some stuff here
}

The trouble is that the e.ReporterIP doesn't exist any more.

I'm not sure how to proceed.
If I look at the "e" object on the "Locals" tab in the debugger there
are not many properties set except a bunch of functions and stuff like
ObserverType, ObserverCategory etc.

It looks like the event isn't preprocessed before being sent to custom.js


--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
0 Likes
4 Replies
Micro Focus Expert
Micro Focus Expert

Re: custom.js in 8.2

On 2018-11-18 22:37, alekz wrote:
> In the debugger I set a breakpoint at the if in my function:
>
> Record.prototype["parse-kernel"] = function(message, e) {
>     if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
>     //do some stuff here
>      }
>
> The trouble is that the e.ReporterIP doesn't exist any more.



The *connector* should put the information into this.s_SyslogRelayIp

This field contains the IP address of the device (or client computer)
that this message came from. Note that it may or may not be the same as
the host name found in the message header.

--
Norbert
0 Likes
Knowledge Partner
Knowledge Partner

Re: custom.js in 8.2

On 2018-11-19 11:27, Norbert Klasen wrote:
> On 2018-11-18 22:37, alekz wrote:
>> In the debugger I set a breakpoint at the if in my function:
>>
>> Record.prototype["parse-kernel"] = function(message, e) {
>>      if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
>>      //do some stuff here
>>       }
>>
>> The trouble is that the e.ReporterIP doesn't exist any more.

>
>
> The *connector* should put the information into this.s_SyslogRelayIp
>
> This field contains the IP address of the device (or client computer)
> that this message came from. Note that it may or may not be the same as
> the host name found in the message header.
>

Hi Norbert,

I can confirm that I can see this.s_SyslogRelayIp.
But when is it mapped to e.ReporterIP? Is that done by the Collector or
Connector?

Thanks.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: custom.js in 8.2

On 2018-11-19 12:53, alekz wrote:
> I can confirm that I can see this.s_SyslogRelayIp.
> But when is it mapped to e.ReporterIP? Is that done by the Collector or
> Connector?


The connector only provides the Record (this) object. The collector's
job is to create and populate an Event (e) object.


--
Norbert
0 Likes
brandon-langley Absent Member.
Absent Member.

Re: custom.js in 8.2

alekz;2491098 wrote:
On 2018-11-19 11:27, Norbert Klasen wrote:
> On 2018-11-18 22:37, alekz wrote:
>> In the debugger I set a breakpoint at the if in my function:
>>
>> Record.prototype["parse-kernel"] = function(message, e) {
>> **** if (e.ReporterIP == "aaa.bbb.ccc.ddd") {
>> *****//do some stuff here
>> ***** }
>>
>> The trouble is that the e.ReporterIP doesn't exist any more.

>
>
> The *connector* should put the information into this.s_SyslogRelayIp
>
> This field contains the IP address of the device (or client computer)
> that this message came from. Note that it may or may not be the same as
> the host name found in the message header.
>

Hi Norbert,

I can confirm that I can see this.s_SyslogRelayIp.
But when is it mapped to e.ReporterIP? Is that done by the Collector or
Connector?

Thanks.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.


A lot of collectors have boilerplate code in preParse() that sets these values directly on e. I personally prefer this practice, but as a general rule you cannot blindly count on e being populated until the event is actually being sent. So (unfortunately) for each collector you have to know whether e is being updated directly by the collector, of whether it relies entirely on rec2evt.map, and make your customization choices accordingly.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.