david_auquiere

debug DB collector with file

Hello,

I am trying to debug a DB collector. On the production collector, I took a dump file of the events retrieved from the DB and tried to launch debug using this file, but it seems nothing is read.
Could you help me debug the DB collector with a dump file? Do you know the procedure? Are there specific things to do to take a dump file for a DB?

thanks,

david
Knowledge Partner

Re: debug DB collector with file

It may help if you give us a few more details:

Sentinel version (and patch level)
Database connector version
Database used
Exact steps used to try to use the connector dump

With a connector dump you must create a new File connector beneath your
collector, then create an event source beneath that with its type set to
'File Replay' or something like that. This event source (ES) is then what
points to your newly-generated connector dump file, probably stored on the
Collector Manager (CM) machine still. When setting up the file-based ES
you may also want to be sure that you set the offset to always start at
the beginning of the file so that each time you restart the ES you get the
events again.

Since we are in the SDK forum, it may be worth pointing out that doing
this in the SDK is much nicer in general because it keeps Sentinel out of
the picture. If that is your goal then you may want to let us know that's
the case explicitly, and then you need to put the connector dump file in
place of the variety.dump file within the SDK's directory structure for
this collector you are building.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
david_auquiere

Re: debug DB collector with file

First of all thanks for your support

Sentinel version is 8.1
Database connector version is 2011.1r2 (Database JDBC). We use Custom as the database type because we use a service name to connect to the DB.
Oracle 12c

To make the dump file, I only checked "Copy raw data to a file". When I look at the file, I have the feeling the layout is not OK.

The first line is related to the request, but no records are read (I removed info to avoid public sharing):
{"i_TrustDeviceTime":"","s_db_hostname":null,"s_RV24":"","s_RV25":"","s_RV22":"","Row_Left":"-2","s_RV23":"","o":"1","s_db_port":null,"s_RV21":","CONNECTION_MODE":"map","sf":"1","DEVICE_OFFSET":"20170522102347.513429","s_db_dbtype":"Custom","CONNECTION_METHOD":"DATABASE","s_db_database":null,"s_RXBufferString":"","i_RXBufferLength":"0"}

The second line, for example, begins with the columns read from the DB and not with "{"i...} (the line is not complete, for privacy):
{"col_AUDIT_COLUMN_VALUE14":"","col_AUDIT_COLUMN_VALUE15":"","col_AUDIT_COLUMN_VALUE12":"","col_AUDIT_COLUMN_VALUE13":"","col_AUDIT_COLUMN_VALUE10":"","i_TrustDeviceTime":"",

To retrieve it, I define a file connector and an event source (file encoding = system default, no rotation, local box) pointing at this dump. When I launch the debug, an event is received but it seems empty...

The reason I debug in ESM is that I would like to trigger a correlation rule and action...

To debug in Eclipse, is there a document explaining all the details of the plugin? What is the procedure to debug in Eclipse?

Thanks again,

David

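As an added example (not part of this thread, and not Sentinel's own tooling), here is a small Python check to run over such a "Copy raw data to a file" dump before replaying it. It assumes the dump is one JSON object per line, as the two quoted lines suggest, and classifies each line as the connector-state record (the one carrying CONNECTION_METHOD/CONNECTION_MODE), a database row (keys with the col_ prefix), or something else. It flags lines that are not valid JSON and rows in which every col_ value is empty, which is what an "empty" replayed event would look like. The embedded sample dump is constructed with placeholder values.

```python
import json
from typing import Dict

# Constructed sample of a connector raw-data dump, one JSON object per line
# (an assumption based on the lines quoted in the thread). Line 1 mirrors the
# connector-state record, lines 2-3 the "col_"-prefixed row records, and
# line 4 is deliberately broken (a dangling quote, as a careless redaction
# would leave behind). All values are placeholders, not real data.
SAMPLE_DUMP = """\
{"i_TrustDeviceTime":"","s_db_hostname":null,"Row_Left":"-2","o":"1","CONNECTION_MODE":"map","sf":"1","DEVICE_OFFSET":"20170522102347.513429","s_db_dbtype":"Custom","CONNECTION_METHOD":"DATABASE","s_db_database":null,"s_RXBufferString":"","i_RXBufferLength":"0"}
{"col_AUDIT_COLUMN_VALUE10":"login","col_AUDIT_COLUMN_VALUE11":"","col_EVENT_TIME":"2017-05-22 10:23:47","i_TrustDeviceTime":""}
{"col_AUDIT_COLUMN_VALUE10":"","col_AUDIT_COLUMN_VALUE11":"","col_EVENT_TIME":"","i_TrustDeviceTime":""}
{"col_AUDIT_COLUMN_VALUE10":"","s_RV21":","CONNECTION_MODE":"map"}
"""


def classify_record(rec: dict) -> str:
    """Tell the connector-state record from a database row record."""
    if "CONNECTION_METHOD" in rec or "CONNECTION_MODE" in rec:
        return "connector_state"
    if any(key.startswith("col_") for key in rec):
        return "db_row"
    return "unknown"


def row_columns(rec: dict) -> Dict[str, str]:
    """Return the DB columns of a row record with the col_ prefix stripped."""
    return {
        key[len("col_"):]: "" if value is None else str(value)
        for key, value in rec.items()
        if key.startswith("col_")
    }


def analyze_dump(text: str) -> dict:
    """Count record kinds and collect the per-line problems a replay would trip on."""
    summary = {
        "connector_state": 0,
        "db_row": 0,
        "unknown": 0,
        "malformed": 0,
        "empty_rows": 0,
        "issues": [],
    }
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            # A truncated or badly redacted line never reaches the parser as an event.
            summary["malformed"] += 1
            summary["issues"].append(
                f"line {lineno}: not valid JSON ({exc.msg} at column {exc.colno})"
            )
            continue
        if not isinstance(rec, dict):
            summary["malformed"] += 1
            summary["issues"].append(f"line {lineno}: top-level value is not an object")
            continue
        kind = classify_record(rec)
        summary[kind] += 1
        if kind == "db_row":
            cols = row_columns(rec)
            # A row whose columns are all blank replays as an event with no content.
            if not any(value.strip() for value in cols.values()):
                summary["empty_rows"] += 1
                summary["issues"].append(
                    f"line {lineno}: {len(cols)} col_* fields but every value is empty"
                )
    if summary["connector_state"] == 0:
        summary["issues"].append("no connector-state record found at all")
    return summary


if __name__ == "__main__":
    result = analyze_dump(SAMPLE_DUMP)
    for key, value in result.items():
        if key != "issues":
            print(f"{key:16} {value}")
    for issue in result["issues"]:
        print("  -", issue)
```

Point `analyze_dump` at the real dump's contents (read the file from the Collector Manager with the encoding the event source is configured for) and compare the counts with what the replayed event source delivers: a dump that is mostly `malformed` or `empty_rows` explains an "empty" event without touching the collector's parsing code.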
Knowledge Partner

Re: debug DB collector with file

On 05/23/2017 01:34 AM, david auquiere wrote:
>
> Sentinel version is 8.1


I presume you mean 8.0 SP1, as 8.1 has not been released.

> Database connector version is 2011.1r2 (Databased JDBC) - We use Custom
> as Database type as we use service name to connect DB
> Oracle 12c


Have you tried out the 2011.1r3 version of the connector? It's on the
preview site, so technically it's not officially released, but I've had
great luck with using these as a rule:
https://www.netiq.com/support/sentinel/plugins/preview.html

> To make the dump file, I only check the "Copy raw data to a file". When


That's all you need to do.

> I look the file, I have the feeling the layout is not ok
>
> First line is related to request but no answer
> {"i_TrustDeviceTime":"","s_db_hostname":null,"s_RV24":"4E4199E0-0BAB-1035-AC32-772E254C890A","s_RV25":"C443E0B6-20F4-1035-83B8-002655846860","s_RV22":"36224203-0BAC-1035-86BA-5452000DFA15","Row_Left":"-2","s_RV23":"4E4199E0-0BAB-1035-ACB5-772E254C890A","o":"1","s_db_port":null,"s_RV21":"83BA0E42-20F0-1030-931D-5452000DFA15","CONNECTION_MODE":"map","sf":"1","DEVICE_OFFSET":"20170522102347.513429","s_db_dbtype":"Custom","CONNECTION_METHOD":"DATABASE","s_db_database":null,"s_RXBufferString":"","i_RXBufferLength":"0"}
>
> Second line for example begin by column read from DB and not by "{i...}
> (the line is not complete to avoid sharing public info:))
> {"col_AUDIT_COLUMN_VALUE14":"","col_AUDIT_COLUMN_VALUE15":"","col_AUDIT_COLUMN_VALUE12":"","col_AUDIT_COLUMN_VALUE13":"","col_AUDIT_COLUMN_VALUE10":"","i_TrustDeviceTime":"",


I'll presume you see good things there.

> When retrieve, I define a file connector and a event source (file
> encoding = system default, no rotation, localbox) pointing on this dump.
> When I launch the debug event is received but seems empty...


There should be a drop-down where you can specify this is a replayed file;
if you are not doing that then you may not get what you want.

> Why I debug in EMS is that I would like to trigger correlation rule and
> action....
>
> To debug in eclipse, is there a document explain all details of plugin.
> What is the procedure to debug in eclipse...


I created a series of AppNotes (CoolSolutions that are fairly technical) a
while back and one of them is on the debugger using the 2014 pre-release
(still a pre-release I think) version of the SDK:

https://www.netiq.com/communities/cool-solutions/sentinel-collector-sdk-2014-updates-debugger/

This will not help with correlation, reporting, or other Sentinel-ish
things other than basic collection. It is also primarily targeted at new
development, not at using shipping collectors, so that may be a bit of a
burden to wedge in there. For now your use of ESM is probably the right
thing. You may want to check your Collector Manager (CM) log file,
usually at /var/opt/novell/sentinel/log/collector_mgr0.0.log on the CM
machine, from the time of your collection or replay to see if you have any
big obvious errors in there, as they will usually show up when there is a major
parsing problem.

--
Good luck.
