agorian Trusted Contributor.

Generate event: Parsing failed: Event ID not recognized


Hi all,

IDM 4.0.1a AE, SUSE 11SP1.

I created a loopback driver to do some tests about events to Sentinel,
but I’m receiving an error when I look at Sentinel Control Center:
- Event Name: Collector Internal Message
- Message: Parsing failed: Event ID not recognized; input: undefined
Full event:

Code:
--------------------

Name                  Value
CollectorID           D892E9F0-3CA7-102B-B59E-005056C00005
CollectorManagerID    Sentinel Server (C76D2820-C395-1029-BB86-001321B5C0B3)
CollectorNodeName     Novell Identity Manager
CollectorPluginID     6697F190-8F23-102C-9FAB-005056C00008
CollectorPluginName   Novell Identity Manager
ConnectorID           Audit Connector (D892E9F0-3CA7-102B-B59F-005056C00005)
EventID               61F2B082-2D96-102F-BD28-0040A71B8E2A
EventName             Collector Internal Message
EventSourceID         Audit Event Source:10.100.228.131 (24FA5EF0-2A4C-102F-B39E-0040A71B8E2A)
EventTime             2012 January 30 16:28:43 UTC-2
IDSName               Identity Manager
Message               Parsing failed: Event ID not recognized; input: undefined
MinRetentionDate      2012 April 29 21:00:00 UTC-3
ObserverCategory      IDM
ObserverHostID        0
ObserverTZ            America/Sao_Paulo
ObserverTZDayInMonth  30
ObserverTZDayInWeek   2
ObserverTZDayInYear   30
ObserverTZHour        16
ObserverTZMinute      28
ObserverTZMonth       0
ObserverType          A
ProductName           Novell Identity Manager
RawDataRecordId       61F2B082-2D96-102F-BD27-0040A71B8E2A
ReporterHostID        0
RetentionPolicyID     System Events
SearchServerId        CDF88D20-0331-102F-8A22-0040A71B8E2A
SearchServerName      [Local]
SentinelID            CDF88D20-0331-102F-897F-0040A71B8E2A
SentinelProcessTime   2012 January 30 16:28:43 UTC-2
SentinelServiceID     D892E9F0-3CA7-102B-B59E-005056C00005
Severity              4
SourceHostID          0
Tags                  Sentinel
TargetHostID          0
TenantHierarchyID     0
TenantName            unknown
Vulnerability         0

--------------------


I copied the code from many sources (forums, cool solutions, downloaded
the example codes) but always got the same error.

Code:
--------------------

<do-generate-event id="1008" level="log-emergency">
  <arg-string name="target">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
  <arg-string name="text1">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
  <arg-string name="text2">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
  <arg-string name="text3">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
  <arg-string name="value1">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
  <arg-string name="value2">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
  <arg-string name="value3">
    <token-text xml:space="preserve">EDIRCD</token-text>
  </arg-string>
</do-generate-event>
<do-set-local-variable name="LVUsers3">
  <arg-string>
    <token-text xml:space="preserve">User:</token-text>
    <token-op-attr name="cn"/>
    <token-text xml:space="preserve"> added to the </token-text>
    <token-text xml:space="preserve">Training\Users\Active\Users3</token-text>
    <token-text xml:space="preserve"> container</token-text>
  </arg-string>
</do-set-local-variable>
<do-generate-event id="1000">
  <arg-string name="text1">
    <token-local-variable name="LVUsers3"/>
  </arg-string>
</do-generate-event>

--------------------


What am I doing wrong?


--
agorian

Knowledge Partner

Re: Generate event: Parsing failed: Event ID not recognized

I am not 100% certain where to look but some of those fields might be
integers or some other syntax, and dumping a string into them might
cause an issue.


On 1/30/2012 1:56 PM, agorian wrote:
>
> Hi all,
>
> IDM 4.0.1a AE, SUSE 11SP1.
>
> I created a loopback driver to do some tests about events to Sentinel,
> but I'm receiving an error when I look at Sentinel Control Center:
> - Event Name: Collector Internal Message
> - Message: Parsing failed: Event ID not recognized; input: undefined

Anonymous_User Absent Member.

Re: Generate event: Parsing failed: Event ID not recognized

Based on the return I would say that the issue isn't in your IDM token but in your Sentinel config.
The rule looks fine but I think what you are getting is that Sentinel doesn't know what to do with
that event ID.

On 1/30/2012 2:12 PM, Geoffrey Carman wrote:
> I am not 100% certain where to look but some of those fields might be integers or some other syntax,
> and dumping a string into them might cause an issue.

agorian Trusted Contributor.

Re: Generate event: Parsing failed: Event ID not recognized


In Audit we need to edit the “dirxml.lsc” file, but not when using
Sentinel (the documentation said).

I tried to convert 1001 to a number using XPath, put it in a local
variable and used this variable in the do-generate-event, but it fails too.
Policy_designer.pdf says “the provided value must result in an integer
in the range of 1000-1999 when parsed by using the parseInt method of
java.lang.Integer”. But what is this?


--
agorian

Anonymous_User Absent Member.

Re: Generate event: Parsing failed: Event ID not recognized

The error you are getting is coming from your Sentinel collector; you
will be better off posting in the Sentinel forum. Until then, the
documentation you cited is either really old or is just wrong. Please
post a link for it to be corrected. The EventID must be in a certain
range (and I've forgotten what it is, but I think it is documented in
the .lsc file) and the data in the fields should typically be set up in a
way consistent with what usually ends up in those fields to make parsing
as painless as possible. If you venture out with other types of data or
something then you'll need to write a custom function or two to handle
that in the collector as well. Depending on the data this can be really
simple or a little complex. In any case you MUST modify the
collector-contained dirxml_custom.lsc file (I believe that is the name)
adding your custom events properly.

Good luck.
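
Added example (not part of any post in this thread, and not Novell's code): a small Python lint that applies the two checks discussed above to a policy fragment: each do-generate-event id must parse the way java.lang.Integer.parseInt would and fall in the 1000-1999 range quoted from Policy_designer.pdf, and it must also be an ID the collector has been told about. The parseInt emulation is an approximation, and the sample policy and the set of collector-known IDs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

INT_MIN, INT_MAX = -2**31, 2**31 - 1
ID_RANGE = range(1000, 2000)  # 1000-1999, as quoted from Policy_designer.pdf in the thread

def java_parse_int(text):
    """Approximate java.lang.Integer.parseInt: optional sign ('+' only since
    Java 7), ASCII decimal digits, no whitespace or fraction, 32-bit range.
    Returns None where Java would throw NumberFormatException."""
    if text is None or not re.fullmatch(r"[+-]?[0-9]+", text):
        return None
    value = int(text)
    return value if INT_MIN <= value <= INT_MAX else None

def check_generate_events(policy_xml, collector_ids):
    """Return (id attribute, verdict) for each do-generate-event in the policy.
    collector_ids: event IDs the collector is assumed to recognize."""
    root = ET.fromstring(policy_xml)
    findings = []
    for action in root.iter("do-generate-event"):
        raw = action.get("id")
        value = java_parse_int(raw)
        if value is None:
            verdict = "not an integer for parseInt"
        elif value not in ID_RANGE:
            verdict = "outside 1000-1999"
        elif value not in collector_ids:
            verdict = "valid in policy, unknown to collector"
        else:
            verdict = "ok"
        findings.append((raw, verdict))
    return findings

# Constructed sample: the two ids used in the thread plus malformed variants.
SAMPLE_POLICY = """<actions>
  <do-generate-event id="1008" level="log-emergency"/>
  <do-generate-event id="1000"/>
  <do-generate-event id="1001.0"/>
  <do-generate-event id=" 1001"/>
  <do-generate-event id="2001"/>
</actions>"""
SAMPLE_COLLECTOR_IDS = {1000}  # constructed; not taken from any real .lsc file

if __name__ == "__main__":
    for raw, verdict in check_generate_events(SAMPLE_POLICY, SAMPLE_COLLECTOR_IDS):
        print(f"id={raw!r}: {verdict}")
```

The third verdict is the case the thread ends on: an id can be perfectly valid for the policy engine and still be rejected downstream because the collector has no definition for it.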