oyarsa Absent Member.
Absent Member.
756 views

Can't populate MAC fields

Using Sentinel 8.1 on SLES

I am not able to populate the MAC fields SourceMAC and TargetMAC. I have tried using colons and dashes in between the couplets as well as just the 12 characters. I know that the parsing is working because when I put the variable into Message it works. I have tried using the rec2evt.map andassigning directly using e.SourceMAC = this.smac.

I looked at the schema, and it says that these fields are datatype MAC. Is there something special I need to do in order to populate these fields?
Thanks
Russ
0 Likes
4 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

Re: Can't populate MAC fields

Typically I assign directly to the event object, and then be sure that the
corresponding attribute is NOT set on the record (rec) object. I usually
also remove the mapping from rec2evt.map since that's just asking for
trouble, in my opinion.

I see some comment-out code in the SDK which would seem to just want the
six sets of hexadecimal characters separated by colons as you would
expect, so I'd stick with that:


e.smac = 'aa:bb:cc:dd:ee:ff';


That the code is commented out makes me wonder if it was problematic for
others, though; who knows. See
current/sdk/common/Collector/src/unix-common.js for the examples to which
I am referring.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
oyarsa Absent Member.
Absent Member.

Re: Can't populate MAC fields

Thanks, ab. I hadn't tried assigning a hard-coded MAC. But that also didn't work.

Are there any other ideas? Which logs should I look at to see an error trying to assign a value? I tried debugging, but it appears to be assigning the value correctly to the variable, it just won't populate anything into the record's SourceMAC or TargetMAC fields.

Thanks in advance for any help.
0 Likes
jarivaahtera Absent Member.
Absent Member.

Re: Can't populate MAC fields

We have this exactly same problem but with SessionID value. We have a custom collector that works in Sentinel 7 version but now as we have upgraded to Sentinel 8 version it doesn't set that variable any more. I've also tried to modify the code to be like NetIQ's Microsoft Active Directory and Windows -plugin where the SessionID is set correctly but it still does not work. The plugin that we have done is made with the newest SDK. I also did debugging like oyarsa says and it seems to assing the value correctly. Then i tried to set the value to CustomerVar and it works as it should. So what is wrong with the SessionID in Sentinel?
0 Likes
Highlighted
brandon-langley Absent Member.
Absent Member.

Re: Can't populate MAC fields

oyarsa;2483890 wrote:
Thanks, ab. I hadn't tried assigning a hard-coded MAC. But that also didn't work.

Are there any other ideas? Which logs should I look at to see an error trying to assign a value? I tried debugging, but it appears to be assigning the value correctly to the variable, it just won't populate anything into the record's SourceMAC or TargetMAC fields.

Thanks in advance for any help.


server0.0.log/collector_mgr0.0.log are the right places to look. You're looking for a SEVERE or a WARN that suggests the event field was invalid somehow.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.