Hello Everybody!

I would like to ask some questions about creating a collector. I
modified the Apache Agent (utility) to tail -F logfile_path | awk
'{print($0); fflush()}' | $SOCAT_BIN -d -u - $SOCAT_OPTIONS & to send
the logfile to the Sentinel. I will check, but the point is that it
transfers the lines.

The Collector looks for a matching rule, and I saw in the debugger and
also in the Sentinel web interface that I got the event/logfile. I also
see in the debugger that the s_RXBufferString exists. So I have to
use the safesplit or split methods on this.s_RXBufferString, right? Or
should I use //.exec()? Or is it totally up to me to use whatever I

If I saw it right, the /()()/.exec() makes/evals the regex and we get
RegExp.$1-$9. If I use the /()()/.test() it will just give me whether the
result of the regex is true or false. Right?

When is it allowed to use field assignment (e.InitiatorUserName =

What is the effect when I put the instance.SEND_EVENT into another
function, for example normalize()? Or is it still OK to put the
send_event elsewhere until it is in one of the preparse(),parse(),normalize()

Do I have to create a variable like var empty_str or is it enough to use
this.empty_str? The preparse(),parse(),normalize() are prototype
JavaScript functions, so if I read it well, it is OK to use
this.empty_str. Or will this.empty_str disappear after it jumps to
the next function (because of the scope)?

How can I decide when to use RXMap and when s_RXBufferString? What if I
don't see the s_Body, but have s_RXBufferString? I know that
s_RXBufferString is line-oriented, but is it possible that my syslog/file
data will be in the RXMap?

What if I set this.dun="testuser"; and in the Rec2Evt.map I add the
UserTargetName,dun pair? The TargetUserName should always be present
when I look at it in the Sentinel web interface, right?

Are there any other sources to learn how to create a collector?

Thank you for your answers!

woodspeed's Profile: https://forums.netiq.com/member.php?userid=7232
View this thread: https://forums.netiq.com/showthread.php?t=51349
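
An added example, not part of the original post and not Sentinel SDK code: how exec() and test() differ when parsing one Apache access-log line of the kind the tail/socat pipeline in the post forwards. The names parseAccessLine, isAccessLine and CLF, the field names and the sample lines are assumptions made for illustration; the input string stands in for the line the post sees in s_RXBufferString.

```javascript
// Added example: plain JavaScript, no Sentinel SDK objects involved.
// Apache Common Log Format: host ident user [time] "request" status bytes
var CLF = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)/;

// Parse one log line into named fields; returns null for a non-matching line.
function parseAccessLine(line) {
  // exec() returns an array ([0] = whole match, [1..n] = capture groups)
  // or null when the line does not match. Reading the groups from this
  // array avoids depending on the global RegExp.$1-$9 state, which the
  // next successful regex match anywhere in the script overwrites.
  var m = CLF.exec(line);
  if (m === null) {
    return null;
  }
  // The request field is client-controlled text; split it defensively
  // and keep the raw value so nothing is lost for later analysis.
  var req = m[5].split(" ");
  return {
    host: m[1],
    user: m[3] === "-" ? "" : m[3],
    time: m[4],
    method: req.length === 3 ? req[0] : "",
    path: req.length === 3 ? req[1] : "",
    rawRequest: m[5],
    status: parseInt(m[6], 10),
    bytes: m[7] === "-" ? 0 : parseInt(m[7], 10)
  };
}

// test() only answers "does it match?", which is enough for a filter step.
function isAccessLine(line) {
  return CLF.test(line);
}

// Constructed sample lines (not taken from any real server).
var GOOD = '192.0.2.10 - alice [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 403 512';
var ODD = '192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "\\x16\\x03\\x01" 400 -';
var JUNK = "tail: logfile_path: file truncated";

console.log(parseAccessLine(GOOD));
console.log(parseAccessLine(ODD));
console.log(isAccessLine(JUNK));
```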