Hi,

I'm trying to build a new collector to collect logs from a flat file
stored locally on the Core. When I build and deploy the collector, I'm
getting no logs collected; however, in raw-log view I see logs coming, but
not in Active View. Hopefully it's a simple fix. Below are the
details:

Below is a copy of *"sample logs"*

12/06/2014 10:18:39 : duration 0m 3s : dfg : Backup failed. : Error: unable to get the authorization token. Verify the username and password and run the scripts again.
12/06/2014 10:18:49 : duration 1m 52s : admin : Backup complete. : The backup file is located at: /sentinel_backup/BACKUP/Sentinel_App/sentinel_bkp-06_12_2014.tar.gz
12/06/2014 10:42:16 : duration 0m 9s : df : Backup failed. : Error! The backup file /sentinel_backup/BACKUP/Sentinel_App/sentinel_bkp-06_12_2014.tar.gz already exists.
12/06/2014 10:42:56 : duration 0m 3s : a : Backup failed. : Error: unable to get the authorization token. Verify the username and password and run the scripts again.
12/06/2014 10:43:08 : duration 0m 47s : admin : Backup complete. : The backup file is located at: /sentinel_backup/BACKUP/Sentinel_App/sentinel_bkp-06_12_2014.tar.gz
12/06/2014 10:45:28 : duration 0m 38s : admin : Backup complete. : The backup file is located at: /sentinel_backup/BACKUP/Sentinel_App/sentinel_bkp-06_12_2014.tar.gz


Below is a copy of *"regex"* for the sample logs above

(.*?)\s\:\s(duration.*?)\s\:\s(.*?)\s\:\s((.*?)\s\:.*)



File "connectionMethods.xml" in the collector build ONLY has -"File
Connector"- as a connector


Below is a copy of *"Rec2Evt.map"* file:

~~Do not modify the first column~~
EventName,evt1
ExtendedInformation,ei1
Message,msg1
InitiatorUserName,sun1


Below is a copy of "release.js" - this is left at default settings (when
you create a new collector in SDK) with the exception of
*-"Record.prototype.parse"-* modified. Had to remove comments from
release.js to fit the length of this post.



Collector.prototype.initialize = function(){

    // The following parameters set some source-specific generic attributes that help the
    // Collector how to handle specific data types. You should research how your event source
    // handles these attributes, and set these accordingly. If the situation is more complex
    // than described using these simple Boolean parameters, you may need to inject special
    // handling into your own code.

    // This parameter specifies that the event source treats usernames (and the
    // domains/containers in which those usernames live) as case-sensitive, i.e. the user
    // Test1 is different than the user test1. Sentinel defaults to treating all names as
    // case-sensitive, so if the source system is not we have to do special processing (the
    // names are universally lowercased) to ensure that correlation can properly match across
    // events.
    this.CONFIG.params.usernameIsCaseSensitive = true;

    // This parameter specifies that the event source treats data object names (files, paths,
    // etc) as case-sensitive, i.e. the file FILE.TXT is different than the file file.txt.
    // Sentinel defaults to treating all names as case-sensitive, so if the source system is
    // not we have to do special processing (the names are universally lowercased) to ensure
    // that correlation can properly match across events.
    this.CONFIG.params.datanameIsCaseSensitive = true;

    // This parameter specifies that the event source treats hostnames (and the domains in
    // which those hosts live) as case-sensitive, i.e. the host myHOST is different than the
    // user MYhost. Sentinel assumes that all hostnames are NOT case-sensitive, since that's
    // the DNS standard, but you can override that default behavior by setting this parameter
    // to true.
    this.CONFIG.params.hostnameIsCaseSensitive = false;

    // This parameter specifies that the event source reports a UTC timestamp in its events.
    // Sentinel stores all timestamps as UTC, so this inhibits timezone conversion for this
    // source. Whether or not the source reports UTC, if it actually resides in a timezone
    // other than UTC the source must either include timezone information in the event, or
    // the customer must manually specify a timezone for the Event Source node in Event Source
    // Manager. In either case that information will be used to calculate the "local time"
    // ObserverTZ fields.
    instance.CONFIG.params.reportsUTC = false;


    // Example code to define a parser that can determine the latest offset from new records
    // Use this for DATABASE sources (see SQLQuery class)
    this.PARSER.getOffsetData = function(input){
        // parser code, like "return input.RXMap.col_AutoID"
    }
    conn.addParser(this.PARSER.getOffsetData);

    // Example code to load standard syslog maps - use this for SYSLOG sources
    this.MAPS.syslogSev = new KeyMap(this.CONFIG.collDir + "syslog_severity.map");
    this.MAPS.syslogFac = new KeyMap(this.CONFIG.collDir + "syslog_facility.map");

    return true;
};

/**
 * Cleans up the environment when the Collector is stopped.
 * Use this method to shut down or close any external connections necessary when the
 * Collector is stopped. This is rarely necessary as most ESM components already shut
 * down on their own.
 * @return void
 */
Collector.prototype.cleanup = function(){
    return true;
};

Connector.prototype.sendQuery = function(){
    return true;
};

/**
 * The preParse() method should be used to perform preliminary data
 * cleaning prior to the main parsing step.
 * For example, you might need to strip end-of-record characters, replace unsafe
 * characters, check to make sure you have a full record, filter out certain events, etc.
 * You should also check for error conditions coming back from the Connector, which are
 * typically recorded in rec.connErr.
 * <p>Example:
 * <code>
 * // Note: not an example of usage, but of implementation:
 * Record.prototype.preParse = function(e) {
 * if( rec.connErr != "" ) { return false; }
 * this.replace(/\n/, ""));
 * return true;
 * }
 * </code>
 * @param {Event} e The current instance of the output event, this is in
 * general not used directly but is provided for reference or for presetting fields.
 * @return {Boolean} Whether the preParse() method completed without errors.
 */
Record.prototype.preParse = function(e){
    if (this.CONNECTION_ERROR != null || typeof this.RXMap == "undefined") { return false; }

    // Example code on some standard syslog-style parsing
    if (this.CONNECTION_METHOD == "SYSLOG" && this.CONNECTION_MODE == "map") {
        // We can pre-set certain fields - we will do this directly against
        // the Event object, even though this is in general bad practice
        e.ReporterIP = this.s_SyslogRelayIp;
        if (this.s_MessageOriginatorHost.search(/\d+\.\d+\.\d+\.\d+/) != -1) {
            e.ObserverIP = this.s_MessageOriginatorHost;
        }
        else {
            e.ObserverHostName = this.s_MessageOriginatorHost;
        }
        e.Severity = instance.MAPS.syslogSev.lookup(this.i_syslog_severity);
        e.ObserverServiceComponent = instance.MAPS.syslogFac.lookup(this.i_syslog_facility);
        // use the below logic for below 6r5 syslog connector
        this.syslogMsg = this.s_RXBufferString.parseSyslog();
        e.setObserverEventTime(this.syslogMsg.date);
        this.s_RXBufferString = this.syslogMsg.message;
    }
    return true;
};


/**
 * The parse() method is used to perform the main parsing on the input
 * record. The focus here should be to break the input up into small
 * data units that can be easily mapped to the Sentinel event structure
 * in the convert() method.
 * <p>Example:
 * <code>
 * // Note: not an example of usage, but of implementation:
 * Record.prototype.parse = function(e) {
 * this.inpArray = [];
 * this.inpArray = this.safesplit(",");
 * return true;
 * }
 * </code>
 * @param {Event} e The current instance of the output event; this is in
 * general not used directly but is provided for reference or for presetting fields.
 * @return {Boolean} Whether the parse() method completed without errors.
 */
Record.prototype.parse = function(e){

    if (/^(.*?)\s\:\s(duration.*?)\s\:\s(.*?)\s\:\s((.*?)\s\:.*)/.test(this.s_raw_message2))
    {

        var ei1, sun1, msg1, evt1;

        ei1 = RegExp.$2;
        sun1 = RegExp.$3;
        msg1 = RegExp.$4;
        evt1 = RegExp.$5;

    // }

    // parsing logic goes here

    // if (false) { // set SEND_EVENT to true if your parsing logic worked correctly
    //     instance.SEND_EVENT = true;
    // }
    // If you can't parse...
    // rec.sendUnsupported();
    // return true;
};


Record.prototype.normalize = function(e){
    return true;
};

Record.prototype.postParse = function(e){
    return true;
};

Record.prototype.reply = function(e){
    return true;
};





Please help.....


--
pimpalp
------------------------------------------------------------------------
pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=51209
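
Added example, not part of the original post and not Sentinel SDK code: a stand-alone Node.js check of what each capture group of the posted regex holds for the sample records, keyed by the names in the Rec2Evt.map above. The names `joinRecords`, `parseBackupRecord` and `RECORD_START` are hypothetical, the last sample line is constructed, and treating a line without a leading timestamp as a continuation of the previous record is an assumption.

```javascript
// Added example: stand-alone JavaScript, no Sentinel SDK objects involved.
// Pattern copied from the post (with the leading ^ used in release.js).
const BACKUP_RE = /^(.*?)\s\:\s(duration.*?)\s\:\s(.*?)\s\:\s((.*?)\s\:.*)/;
// Assumption: every record starts with a dd/dd/dddd hh:mm:ss timestamp.
const RECORD_START = /^\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2} : /;

// Join physical lines into records: a line that does not start with a
// timestamp is treated as the continuation of the previous record.
function joinRecords(text) {
  const records = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "") continue;
    if (RECORD_START.test(line) || records.length === 0) {
      records.push(line.trim());
    } else {
      records[records.length - 1] += " " + line.trim();
    }
  }
  return records;
}

// Returns the captures under the names used in Rec2Evt.map, or null when
// the record does not match (the caller decides how to report that).
function parseBackupRecord(record) {
  const m = BACKUP_RE.exec(record);
  if (m === null) return null;
  return {
    timestamp: m[1], // group 1 is captured but not mapped in the post
    ei1: m[2],       // "duration 0m 3s"
    sun1: m[3],      // account that ran the backup
    msg1: m[4],      // group 4 wraps group 5, so it repeats the event name
    evt1: m[5],      // "Backup failed." / "Backup complete."
  };
}

// Constructed input: two records from the post, wrapped as they appear there,
// plus one constructed line that does not follow the format.
const SAMPLE = [
  "12/06/2014 10:18:39 : duration 0m 3s : dfg : Backup failed. : Error:",
  "unable to get the authorization token. Verify the username and password",
  "and run the scripts again.",
  "12/06/2014 10:18:49 : duration 1m 52s : admin : Backup complete. : The",
  "backup file is located at:",
  "/sentinel_backup/BACKUP/Sentinel_App/sentinel_bkp-06_12_2014.tar.gz",
  "12/06/2014 10:50:00 : truncated line",
].join("\n");
const parsed = joinRecords(SAMPLE).map(parseBackupRecord);
console.log(parsed);
```

The field values come from the array returned by `exec()` rather than from the static `RegExp.$n` properties, so they cannot be overwritten by a later regex operation before they are read.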