000031710 - Security Analytics Log Collection - Fixing WLS multiline logging that causes problems with filereader

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000031710
Applies To
  • Security Analytics 10.5.1

1 - Oracle WebLogic Server sometimes splits a log record into two lines, each ending with LF as the EOL.

#### Audit Record Begin <05.07.2012 9:31:38> <Severity =INFORMATION> <<<Event Type = RoleManager Audit Event ><Subject: 0 LF
><<jndi>><type=<jndi>, application=, path={weblogic}, action=lookup><>>> Audit Record End #### LF

2 - In /etc/netwitness/ng/logcollection/content/collection/file/oracleweblogic.xml, the delimiter found is ####.
3 - In /etc/netwitness/ng/envision/etc/devices/oracleweblogic/v20_oracleweblogicmsg.xml, one of the expected headers is as below, which differs from the log message.

content="%OracleWebLogicAR-4: #### Audit Record Begin &lt;&lt;&lt;hfld1&gt; &lt;hfld2&gt;, &lt;hfld3&gt; &lt;hfld4&gt; &lt;hfld5&gt;&gt; &lt;&lt;Severity =&lt;hfld6&gt;&gt; &lt;&lt;&lt;&lt;&lt;&lt;Event Type = &lt;messageid&gt; &lt;hfld7&gt;&gt; &lt;!payload:hfld1&gt;" />

Cause - Oracle WLS logs are sometimes written in formats that differ from the standard one.
  1. A workaround is to save the logs in a temporary directory; this can be done from the Agent SFTP shell script.
  2. Run a cron job that runs the following GNU sed one-liner on the files created in the temp directory, then moves these files back to the filereader upload directory.
  3. This sed one-liner turns each multiline log into a single line so that it is parsed normally.
  4. The sed one-liner to remove the LF at the EOL is as below:
cat /tmp/file1 | sed -n -e "H;\${g;s/\n//g;p}" | sed 's/End ####/End ####\n/g' | sed 's/\tPrincipal/ Principal/g'
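
The workaround steps above as one cron-callable script, as an added example rather than RSA-supplied code: it applies the same sed pipeline to every file in a staging directory and moves a file on to the filereader upload directory only when every audit record in it is complete. The two directory arguments, the function names and the completeness check are assumptions; GNU sed is required, and both directories are assumed to be on the same filesystem so that mv is a rename.

```shell
#!/bin/bash
# Added example, not RSA-supplied code. Directory arguments are placeholders.

# Print FILE with each "Audit Record Begin ... Audit Record End ####" on one line.
join_wls_records() {
    sed -n -e 'H;${g;s/\n//g;p}' "$1" \
        | sed 's/End ####/End ####\n/g' \
        | sed 's/\tPrincipal/ Principal/g' \
        | sed '/^[[:space:]]*$/d'   # added step: drop the empty trailing line
}

# Join every file in STAGING and move the result into UPLOAD.
# Exit status is the number of files held back for the next run.
process_staging() {
    local staging=$1 upload=$2 held=0 src tmp begins
    for src in "$staging"/*; do
        [ -f "$src" ] || continue
        tmp="$staging/.$(basename "$src").joined"   # dotfile: skipped by the glob
        join_wls_records "$src" > "$tmp"
        begins=$(grep -c 'Audit Record Begin' "$src" || true)
        # Hold the file back if a record has no End marker (transfer still in
        # progress) or if the record count changed during the rewrite.
        if grep -qv 'End ####' "$tmp" || [ "$(wc -l < "$tmp")" -ne "$begins" ]; then
            rm -f "$tmp"
            held=$((held + 1))
            continue
        fi
        mv "$tmp" "$upload/$(basename "$src")" && rm -f "$src"
    done
    return "$held"
}
```

Called from cron as `process_staging <temp directory> <filereader upload directory>`, a non-zero exit status means at least one file was left in the temp directory, so truncated audit records are retried on the next run instead of being uploaded.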

  • Oracle WLS logging can be changed, usually using the Log4j as here