Can ESI parse using default XML like Oracle?
We are trying to track down a discrepancy with some parsing and not sure if ESI can correctly parse a log file based on using a "default" XML from RSA, like the Oracle XML.
Can someone please validate if this is possible?
It loads the XML in ESI, but fails to parse messages which we feel are properly parsed in the enVision app (GUI) including reports and queries.
We are copying the syslog Oracle data from Event Viewer into a unx file, which I believe is completely valid for this task.
I test .unx files against default XMLs on a fairly regular basis, so yes, it is absolutely possible to do.
I would not, however, recommend just using a copy & paste of log files from the Event Viewer screen.
Use lsdata from the command line to dump the logs you want to test.
Scott,
Like Matt mentioned, I would use the LSdata command and get what is needed, then use it against the Oracle XML. When you get to the point where it asks for the log file, put the file from the LSdata in. It will ask if you got the logs from the LSdata command; click yes. Once that is complete, click on the Select Event button; a pop-up window comes up, click an event.
Now this next part will show you what column the data is parsed into, and if the data you are looking for is not parsed into a variable you will see it. Up on the top of the ESI page you will see REPORT > Event Analysis > Selected Events. The pop-up window will show up; click on an event that may not be parsed correctly and click generate report. You will see all the data parsed out, and some of the data may be in the Fields columns (Fld1, Fld2, Fld3). That is the data that is not reported on; you can change that column to any variable you want.
If you need more detail I can do a PowerPoint and upload it if you want.
Bob
Try commenting out the first header.
Thanks, but there is no header. I'm now more perplexed than ever on how our Oracle is successfully parsing. Below is an example line which successfully parses (we have an old "ESU" from 2008) in our Reports and via Query tool.
Has anyone here actually tried using ESI to parse an ODBC based log such as Oracle?
EDIT: I think I just realized something important - does lsdata support exporting ODBC data so it can be parsed like this? Do I use "-d 0" or some other option?
Now, the weird thing is that this entry does fully parse with a "oracle_custom" device xml that we made IF I CHANGE ORACLE-101 to ORACLE_LOGON-101, which uses the same table as oracle. But this device is set to be an Oracle device. This log line below does not parse against ANY XML (using our old one, our custom one or the newest Oracle one)
Does anyone see or understand the issue?
Nov 04 22:04:27 [10.1.1.1] %ORACLE-101: 10.2.0.3.0,-,hostname1,-,DBNAME,-,-,48424513,1,1,2010-11-04 21:50:07,USR,hostname2,unknown,101,0,(null),(null),(null),(null),(null),(null),(null),(null),25313563,24715,325213,0,2010-11-04 21:50:07,Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.2)(PORT=64824)),(null),unsername,(null),(null),(null),5,59376
The issue here is the position of the headers. I move Header 1 and 2 around. When you had:
as the first one the XML was looking for the level along with the MessageID.
<HEADER id1="0002" id2="0002" content="%ORACLE-<level>-<messageid>: <!payload>"/>
Your example only had a MessageID. So you need to move the headers around so that the XML will try the shorter header first, then if it would not work then it will go on to the next one.
Check out the attached; it will show the error from the original XML.
Switch the headers like below and then try again.
<HEADER
id1="0001"
id2="0001"
content="%ORACLE-<messageid>: <!payload>"/>
<HEADER
id1="0002"
id2="0002"
content="%ORACLE-<level>-<messageid>: <!payload>"/>
Bob
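
The header-ordering effect described in the post above, as an added example that is not part of the thread and is not enVision or ESI code: a simplified Python model that assumes headers are tried in listed order, the first match wins, and a variable captures any text up to the next literal. Under those assumptions the `<level>` header also matches a line that carries only a message ID, and captures the wrong fields. The sample line is a constructed, shortened form of the one quoted earlier.

```python
import re

# Header definitions from the thread, keyed by the ids used in the reordered XML.
SHORT = ("0001", "%ORACLE-<messageid>: <!payload>")
LEVEL = ("0002", "%ORACLE-<level>-<messageid>: <!payload>")

# Constructed sample: a shortened form of the log line quoted in the thread,
# with the syslog timestamp and source address already stripped.
SAMPLE = ("%ORACLE-101: 10.2.0.3.0,-,hostname1,-,DBNAME,-,-,48424513,"
          "Authenticated by: DATABASE; Client address: (HOST=10.1.1.2)")

TOKEN = re.compile(r"<(!?)(\w+)>")

def compile_header(content):
    """Turn a header 'content' string into a regex (assumed semantics)."""
    parts, pos = [], 0
    for tok in TOKEN.finditer(content):
        parts.append(re.escape(content[pos:tok.start()]))
        # Assumption: <!name> takes the rest of the line, <name> takes the
        # shortest text that lets the following literal match.
        body = ".*" if tok.group(1) else ".+?"
        parts.append(f"(?P<{tok.group(2)}>{body})")
        pos = tok.end()
    parts.append(re.escape(content[pos:]))
    return re.compile("".join(parts))

def first_match(headers, line):
    """Return (header id, captured fields) for the first header that matches."""
    for header_id, content in headers:
        m = compile_header(content).fullmatch(line)
        if m:
            return header_id, m.groupdict()
    return None, {}

if __name__ == "__main__":
    # Compare the two orderings on the same line.
    for order in ([LEVEL, SHORT], [SHORT, LEVEL]):
        header_id, fields = first_match(order, SAMPLE)
        print(header_id, {k: v for k, v in fields.items() if k != "payload"})
```
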
rwengewicz is right.
My XML looks like this and is parsing correctly with ESI:
<HEADER
id1="0002"
id2="0002"
content="%ORACLE-<messageid>: <!payload>"/>
<HEADER
id1="0001"
id2="0001"
content="%ORACLE-<level>-<messageid>: <!payload>"/>
rwengewicz - Thanks for showing that. That still means it can't properly parse with the default XML I'm guessing since the fields will be off. But now, does it parse against a specific message when header 002 is used? Which one? I know the header alone is insufficient for parsing of course.
As far as I know this is a default message format.
So why would I need to reorder the headers to test this?
Thanks,
Scott
