
How to debug universal syslog events not making it into Sentinel?

Hi.

So I have configured some Syslog sources (one HP Procurve Switch, and a
Zenworks server configured to log to syslog) to send to Sentinel, they
also automatically show up under Netiq Universal Event, I know they're
sending stuff, I can see the data in a raw collector dump and also when
looking at the raw data in ESM (and it looks sensible enough so that the
fields make sense), *but* almost nothing ever makes it so that I can
find it in Sentinel itself.

I have no filters defined, and Report Unparsed Events is set to yes,
still something somewhere is filtering/dropping those.

Any idea where else to look?

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de

Re: How to debug universal syslog events not making it into Sentinel?

I would probably check the Collector Manager (CM) log file first, just in
case something is erroring and shows up in there.

I would also check the collector status to see if it shows errors
happening when you send in these events.

Next I would be sure time was synchronized everywhere, and that Sentinel
was NOT set to Trust Event Source Time since that can have impact on the
ability to find events. If time is off, the events end up outside the
window you expect or choose (default window is one hour in the past) which
means searching does not find what is there.

Finally, the ultimate way to know if it is being filtered by the collector
(or earlier) is to use the debugger. Stop the collector, put it in Debug
mode, hit the Play button once, set breakpoints on the sendEvent() line
(or something like that), set a few more breakpoints where things error
out (catch{} block around sendEvent()), hit Play again, start the event
source node in ESM, send an event, then figure it out. Use a File
connector with your connector (not collector) dump in order to make this a
bit simpler since the events you want are right there and processed very
quickly.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
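A small checker for the clock-skew failure mode described above, written for this thread as an added example (it is not Sentinel or NetIQ code): it parses raw RFC 3164 syslog lines such as a connector dump would contain and flags events whose timestamp falls outside a one-hour search window ending at a reference clock. The sample lines and the reference time are constructed.

```python
# Added example (not from the thread or from NetIQ/Micro Focus): checks BSD
# syslog (RFC 3164) timestamps from a raw connector dump for clock skew that
# would push events outside a Sentinel search window. Sample data constructed.
import re
from datetime import datetime, timedelta

# RFC 3164 header: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG (no year, no zone)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")

SAMPLE_DUMP = """\
<14>Mar 15 13:50:12 procurve-core ports: port 4 is now on-line
<14>Mar 15 11:02:45 procurve-core ports: port 7 is now off-line
<38>Mar 15 13:55:01 zenworks01 sshd[2112]: Accepted publickey for admin
<13>Mar 16 02:10:00 zenworks01 zmd: refresh complete
garbage line without a syslog header
"""
REF_CLOCK = datetime(2016, 3, 15, 14, 0, 0)   # constructed reference clock

def parse_ts(ts: str, ref: datetime) -> datetime:
    """Attach a year to an RFC 3164 timestamp using the reference clock.
    A December stamp seen in January belongs to the previous year."""
    stamped = datetime.strptime(f"{ref.year} {ts}", "%Y %b %d %H:%M:%S")
    if stamped - ref > timedelta(days=180):
        stamped = stamped.replace(year=ref.year - 1)
    return stamped

def check_dump(dump: str, ref: datetime, window: timedelta = timedelta(hours=1)):
    """Return one dict per line: parsed fields plus whether the event would
    fall inside a search window ending at `ref`. Lines that do not parse are
    reported too, since those are what 'Report Unparsed Events' surfaces."""
    results = []
    for line in dump.splitlines():
        m = HEADER.match(line)
        if not m:
            results.append({"line": line, "parsed": False})
            continue
        skew = parse_ts(m["ts"], ref) - ref
        results.append({
            "line": line, "parsed": True, "host": m["host"],
            "facility": int(m["pri"]) >> 3, "severity": int(m["pri"]) & 7,
            "skew_seconds": int(skew.total_seconds()),
            "in_window": -window <= skew <= timedelta(0),
        })
    return results

if __name__ == "__main__":
    for r in check_dump(SAMPLE_DUMP, REF_CLOCK):
        print(r)
```

Events with a large negative skew or a timestamp in the future are the ones a default one-hour search will not show even though they reached the collector.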

Re: How to debug universal syslog events not making it into Sentinel?

Aaron,

On 15.03.2016 at 13:56, ab wrote:
> I would probably check the Collector Manager (CM) log file first, just in
> case something is erroring and shows up in there.


Will check.


> I would also check the collector status to see if it shows errors
> happening when you send in these events.


No obvious errors there.

> Next I would be sure time was synchronized everywhere, and that Sentinel
> was NOT set to Trust Event Source Time


Time is ok, and it's not trusting the source anyway. I've also searched
beyond the one hour (actually, even any data), and it's not there.

>
> Finally, the ultimate way to know if it is being filtered by the collector
> (or earlier) is to use the debugger. Stop the collector, put it in Debug
> mode, hit the Play button once, set breakpoints on the sendEvent() line
> (or something like that), set a few more breakpoints where things error
> out (catch{} block around sendEvent()), hit Play again, start the event
> source node in ESM, send an event, then figure it out. Use a File
> connector with your connector (not collector) dump in order to make this a
> bit simpler since the events you want are right there and processed very
> quickly.
>


I'll check that too, thanks.

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de