Anonymous_User

Changing Event time to Observer time


Hello,

In our DB2 connector we fetch the information from the audit DB only twice a
day due to performance issues.
As soon as the next collector run is started, the audit events from the
database are parsed and stored into Sentinel - but with the run time of
the Collector and not the date the audit line occurred in the DB.
The ObserverEventTime is correctly set, but not the date you can see in
the search result.
How could I change this? We are using JDBC Connectors.
I am new to programming - I know that I have to change release.js,
but this does not work:

Code:
--------------------
this.evtDate = this.RXMap.TIMESTAMP;
--------------------

or

Code:
--------------------
this.severity = instance.MAPS.sevMap.lookup(this.status);
// DB2 renders TIMESTAMP as "yyyy-MM-dd-HH.mm.ss.ffffff"; rebuild it as
// "yyyy/MM/dd HH:mm:ss" so that new Date() can parse it.
var dt = this.RXMap.TIMESTAMP;
dt = dt.substring(0, 10) + " " + dt.substring(11, 19);
dt = dt.replace(/-/g, "/");
dt = dt.replace(/\./g, ":");
e.setDeviceEventTime(new Date(dt));
e.setEventTime(new Date(dt));
--------------------


We would also like to change some field like it works in the file
connector:

Code:
--------------------
this.RXMap.TIMESTAMP = values[0];
this.RXMap.EVENT = values[1];
this.RXMap.DATABASE = values[2];
this.RXMap.CATEGORY = "EXECUTE";
this.RXMap.USERID = values[4];
this.RXMap.AUTHID = values[5];
this.RXMap.APPID = values[6];
this.RXMap.APPNAME = values[7];
this.RXMap.PKGNAME = values[8];
this.RXMap.STMTTEXT = values[9];
this.RXMap.ROWSMODIFIED = values[10];
this.RXMap.ROWSRETURNED = values[11];
this.RXMap.STATUS = values[12];
--------------------

But with connection method DATABASE these fields are undefined. Adding
some fields to the extendInfo field works, see:

Code:
--------------------
e.add2EI("Category", "EXECUTE");
e.add2EI("Database", this.RXMap.DATABASE.trim());
e.add2EI("AuthID", this.RXMap.AUTHID.trim());
e.add2EI("AppID", this.RXMap.APPID.trim());
e.add2EI("AppName", this.RXMap.APPNAME.trim());
e.add2EI("PkgName", this.RXMap.PKGNAME.trim());
e.add2EI("StmtText", this.RXMap.STMTTEXT.trim());
e.add2EI("RowsModified",this.RXMap.ROWSMODIFIED.toString());
e.add2EI("RowsReturned",this.RXMap.ROWSRETURNED.toString());
e.add2EI("Status", this.RXMap.STATUS.toString());
--------------------

Adding them to the normal fields: how could this be done?

Thanks for helping - Torsten


--
tfechner
------------------------------------------------------------------------
tfechner's Profile: https://forums.netiq.com/member.php?userid=8929
View this thread: https://forums.netiq.com/showthread.php?t=52820


Re: Changing Event time to Observer time

First, for your collector customization (vs. configuration) questions you
will probably find better help in the Plugin SDK forum, which is devoted
to issues about collector customization.

On 02/13/2015 04:34 AM, tfechner wrote:
>
> In our DB2 connector we fetch the information from the audit DB only twice a
> day due to performance issues.
> As soon as the next collector run is started, the audit events from the
> database are parsed and stored into Sentinel - but with the run time of
> the Collector and not the date the audit line occurred in the DB.
> The ObserverEventTime is correctly set, but not the date you can see in
> the search result.
> How could I change this? We are using JDBC Connectors.
> I am new to programming - I know that I have to change release.js,
> but this does not work:


No, you should not need to. If you modify the collector node's properties
you should be able to set an option 'Trust Event Source Time' which
basically causes the DeviceEventTime, or the time coming from the device
assuming there is one, to be used for the EventTime on the event. This
option is meant to do exactly what I believe you are after without any
collector customization.

> Code:
> --------------------
> this.evtDate = this.RXMap.TIMESTAMP;
> --------------------
>
> or
>
> Code:
> --------------------
> this.severity = instance.MAPS.sevMap.lookup(this.status);
> var dt = this.RXMap.TIMESTAMP;
> dt = dt.substring(0, 10) + " " + dt.substring(11, 19)
> dt = dt.replace(/-/g, "/");
> dt = dt.replace(/\./g, ":");
> e.setDeviceEventTime(new Date(dt));
> e.setEventTime(new Date(dt));
> --------------------


Without setting Trust Event Source Time none of these will work, as far as
I know. That's fine, though, as normally you should not be changing the
release.js of a shipping collector. If this is a custom collector
(created from the SDK) then the rules change a little, as you are not
worried about support of a shipping collector.

> We would also like to change some field like it works in the file
> connector:
>
> Code:
> --------------------
> this.RXMap.TIMESTAMP = values[0];
> this.RXMap.EVENT = values[1]
> this.RXMap.DATABASE = values[2];
> this.RXMap.CATEGORY = "EXECUTE";
> this.RXMap.USERID = values[4];
> this.RXMap.AUTHID = values[5];
> this.RXMap.APPID = values[6];
> this.RXMap.APPNAME = values[7];
> this.RXMap.PKGNAME = values[8];
> this.RXMap.STMTTEXT = values[9];
> this.RXMap.ROWSMODIFIED = values[10];
> this.RXMap.ROWSRETURNED = values[11];
> this.RXMap.STATUS = values[12];
> --------------------


When you post to the Plugin SDK forum, it may be helpful to include what
is in the values array. Also, if you already have the desired values in
an array, then setting the RXMap object is not necessary, as you can just
set the final targets for the data instead using the code below. The
column values are placed in the RXMap for convenience by the
connector/collector (I do not know which technically, but it does not
matter) so that you can get those values and store them in event fields.
You can do that without using RXMap in the middle and probably improve
performance a little by setting values once instead of twice.

> But in connection method DATABASE these fields are undefined. Adding
> some field to the extendInfo-field works, see:
>
> Code:
> --------------------
> e.add2EI("Category", "EXECUTE");
> e.add2EI("Database", this.RXMap.DATABASE.trim());
> e.add2EI("AuthID", this.RXMap.AUTHID.trim());
> e.add2EI("AppID", this.RXMap.APPID.trim());
> e.add2EI("AppName", this.RXMap.APPNAME.trim());
> e.add2EI("PkgName", this.RXMap.PKGNAME.trim());
> e.add2EI("StmtText", this.RXMap.STMTTEXT.trim());
> e.add2EI("RowsModified",this.RXMap.ROWSMODIFIED.toString());
> e.add2EI("RowsReturned",this.RXMap.ROWSRETURNED.toString());
> e.add2EI("Status", this.RXMap.STATUS.toString());
> --------------------
>
> Adding them to the normal fields---how could these be done?


You will probably want to include which Sentinel fields should be targets
for which data coming from the 'values' array when you post this in the
Plugin SDK area. Essentially it should look like this syntactically:


e.Message = values[0];
e.cv100 = values[1];
e.dun = values[2];


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Changing Event time to Observer time


You should probably read or re-read
https://www.novell.com/developer/plugin-sdk/collectors.html; some of the
things you ask about are in there.
Changing the time of an event is not a good thing. There are two times
associated with an event:
the event time, the time Sentinel receives the event, and the device
event time, the time the event actually happened.
Leave the event time alone; if you mess with this all kinds of things
could go wrong. Correlation rules are no longer applied, on disk all
kinds of weird files are created, just don't do it. It will work in the
end, but it is better to use the device event time.
The best way to set the device event time is with this code:
e.setObserverEventTime(DateTime.parseExact(this.RXMap.col_DATE, "yyyy-MM-dd HH:mm:ss"));
This is one of the quickest ways to set the date in a way where you control the
format.

If you leave the event source on the defaults, the columns are mapped
automatically to this.RXMap.col_<column_name>.
Be aware that if you have spaces or special characters it will be
this.RXMap["col_<column_name>"].

Putting them in the 'right' fields can be done in several ways.
You can use e.<exact Sentinel field name> = value;
For the exact Sentinel field name use this
schema (https://www.novell.com/developer/plugin-sdk/event_schema.html)
and use the name in the column Label.
The best way is to open Rec2Evt.map and put as the first column the exact
Sentinel field name, then the value.
The value can be the field name without this., or you can set a direct value
with quotes around it.
So to set InitiatorUserName with the value of column USERID you put:
InitiatorUserName,RXMap.col_USERID in Rec2Evt.map

Lastly, when you develop a database collector be aware of the offset.
Change the following code:
this.PARSER.getOffsetData = function(input){
    // Return the column value the connector persists as its offset after
    // each record, e.g. "return input.RXMap.col_AutoID"
    return input.RXMap.col_SEQ_NUMBER;
};

And use in your sqlquery.base file something like:
SELECT *
FROM (
    SELECT *
    FROM <table>
    WHERE SEQ_NUMBER > %s      -- %s: the offset returned by getOffsetData
    ORDER BY SEQ_NUMBER ASC    -- sort before limiting, or the limit picks arbitrary rows
)
WHERE ROWNUM <= %d             -- %d: batch size (ROWNUM is Oracle syntax; DB2 uses FETCH FIRST %d ROWS ONLY)

Hope this helps,
Anco


--
jcvader1
------------------------------------------------------------------------
jcvader1's Profile: https://forums.netiq.com/member.php?userid=502

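The following is an added example for this thread; it is not code from either reply, nor from the Sentinel Plugin SDK. It pulls together what both replies describe: the first reply's point that the device time should drive EventTime only via the 'Trust Event Source Time' property and that columns can be written straight into event fields, and the second reply's col_<column_name> convention, Rec2Evt.map-style mapping and offset handling. It goes beyond the thread in accepting both the native DB2 timestamp spelling and the JDBC one. Assumptions: timestamps in the audit DB are UTC; the table is called AUDIT_EVENTS; the column names (SEQ_NUMBER, TIMESTAMP, USERID, STMTTEXT, "APP NAME", STATUS) and the event field names (InitiatorUserName, Message, cv100, taken from the replies) are illustrative. Sentinel collectors run under Rhino, so the code stays in ES5; it runs unchanged under Node.js.

```javascript
// Added example (not from the original posts or the Sentinel Plugin SDK).
// ES5 only, so it behaves the same under Rhino and under Node.js.

// DB2 renders TIMESTAMP as "yyyy-MM-dd-HH.mm.ss.ffffff" (dashes and dots, no
// colons), which is why new Date(this.RXMap.TIMESTAMP) fails. JDBC drivers may
// instead hand over "yyyy-MM-dd HH:mm:ss[.ffffff]"; both shapes are accepted.
var DB2_TS = /^(\d{4})-(\d{2})-(\d{2})[- T](\d{2})[.:](\d{2})[.:](\d{2})(?:\.(\d{1,6}))?$/;

// Assumption: the audit DB writes timestamps in UTC. A JDBC collector is told
// nothing about the server's zone, so this has to be checked per deployment.
function parseDb2Timestamp(text) {
  var m = DB2_TS.exec(String(text).trim());   // trim(): DB2 CHAR columns are blank-padded
  if (!m) {
    throw new Error("unrecognised DB2 timestamp: " + text);
  }
  // DB2 fractions are microseconds; Date only carries milliseconds.
  var micros = m[7] ? parseInt((m[7] + "000000").slice(0, 6), 10) : 0;
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6], Math.floor(micros / 1000)));
}

// Mapping table in the spirit of Rec2Evt.map: Sentinel field name first, then
// the RXMap key it is filled from. Keys follow the col_<column_name> convention;
// a column with a space in its name is only reachable with bracket syntax.
// Field and column names here are assumptions, not a schema lookup.
var FIELD_MAP = [
  ["InitiatorUserName", "col_USERID"],
  ["Message",           "col_STMTTEXT"],
  ["cv100",             "col_APP NAME"]
];

// Build an event from one result-set row. trustSourceTime models the
// collector's 'Trust Event Source Time' property: with it, EventTime follows
// the parsed column; without it, EventTime is when the collector ran, which
// is exactly the symptom described in the question.
function buildEvent(rxMap, trustSourceTime, collectorRunTime) {
  var e = { ExtendedInformation: {} };
  FIELD_MAP.forEach(function (pair) {
    var value = rxMap[pair[1]];
    if (value !== undefined && value !== null) {
      e[pair[0]] = String(value).trim();
    }
  });
  // Columns with no mapping still travel along, as add2EI() does in the question.
  Object.keys(rxMap).forEach(function (key) {
    var mapped = FIELD_MAP.some(function (pair) { return pair[1] === key; });
    if (!mapped && key !== "col_TIMESTAMP") {
      e.ExtendedInformation[key.replace(/^col_/, "")] = String(rxMap[key]).trim();
    }
  });
  e.ObserverEventTime = parseDb2Timestamp(rxMap.col_TIMESTAMP);
  e.EventTime = trustSourceTime ? e.ObserverEventTime : collectorRunTime;
  return e;
}

// Offset handling for a polling collector: the offset persisted after a batch
// must be the largest key that batch actually contained, and the next query
// must resume strictly after it; otherwise rows are replayed or skipped.
// FETCH FIRST is the DB2 spelling of the ROWNUM limit shown in the reply.
var QUERY_TEMPLATE = "SELECT * FROM AUDIT_EVENTS WHERE SEQ_NUMBER > %s " +
                     "ORDER BY SEQ_NUMBER ASC FETCH FIRST %d ROWS ONLY";

function nextOffset(rows, previousOffset) {
  return rows.reduce(function (max, row) {
    return Math.max(max, Number(row.col_SEQ_NUMBER));
  }, previousOffset);
}

function buildQuery(offset, batchSize) {
  return QUERY_TEMPLATE.replace("%s", String(offset)).replace("%d", String(batchSize));
}

// Constructed sample rows standing in for a DB2 audit result set (not real data).
var SAMPLE_ROWS = [
  { col_SEQ_NUMBER: 101, col_TIMESTAMP: "2015-02-13-04.34.00.123456",
    col_USERID: "DB2INST1  ", col_STMTTEXT: "SELECT * FROM EMPLOYEE", "col_APP NAME": "db2bp", col_STATUS: 0 },
  { col_SEQ_NUMBER: 102, col_TIMESTAMP: "2015-02-13 16:05:10",
    col_USERID: "AUDITOR", col_STMTTEXT: "DELETE FROM PAYROLL", "col_APP NAME": "java", col_STATUS: -1 }
];

if (typeof require !== "undefined" && require.main === module) {
  var runTime = new Date();
  SAMPLE_ROWS.forEach(function (row) {
    var ev = buildEvent(row, true, runTime);
    console.log(ev.InitiatorUserName, ev.ObserverEventTime.toISOString(), ev.EventTime === ev.ObserverEventTime);
  });
  console.log(buildQuery(nextOffset(SAMPLE_ROWS, 100), 500));
}
```

Running it with trustSourceTime set to false reproduces the question's complaint: ObserverEventTime is right while EventTime is the collector's run time; the fix is the property, not release.js. The offset helper is the part that matters for a twice-daily poll: if the persisted offset were anything other than the highest SEQ_NUMBER actually fetched, the next run would either replay audit rows or silently drop them.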