000031710 - Security Analytics Log Collection - Fixing WLS multiline logging that causes problems with filereader

• Security Analytics 10.5.1

1 - Oracle WebLogic server sometimes split logs intoto two lines with EOL as LF for each.

#### Audit Record Begin <05.07.2012 9:31:38> <Severity =INFORMATION> <<<Event Type = RoleManager Audit Event ><Subject: 0 LF
><<jndi>><type=<jndi>, application=, path={weblogic}, action=lookup><>>> Audit Record End #### LF

2 - In /etc/netwitness/ng/logcollection/content/collection/file/oracleweblogic.xml  the delimiter found is #### 
3 - In /etc/netwitness/ng/envision/etc/devices/oracleweblogic/v20_oracleweblogicmsg.xml one of the headers expected is as below, which is different than the log message.

content="%OracleWebLogicAR-4: #### Audit Record Begin <<<hfld1> <hfld2>, <hfld3> <hfld4> <hfld5>> <<Severity =<hfld6>> <<<<<<Event Type = <messageid> <hfld7>> <!payload:hfld1>" />

1. A work around can be to save the logs in a temporary directory, this can be done from the Agent SFTP shell script.
2. Run a cron job to run the following GNU sed one liner, on the files created in the temp directory, then take these files back to the filereader upload directory.
3. This sed one liner will turn the multiline logs into single line each to parsed normally.
4. The sed one liner to remove the LF at the EOL is as below

cat /tmp/file1 | sed -n -e "H;\${g;s/\n//g;p}" | sed 's/End ####/End ####\n/g' | sed 's/\tPrincipal/ Principal/g'

• Oracle WLS logging can be changed, usually using the Log4j as here