This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
ScottPause
Beginner
Beginner
‎2010-11-10 10:04 AM

Can ESI parse using default XML like Oracle?

We are trying to track down a discrepency with some parsing and not sure if ESI can correctly parse a log file based on using a "default" XML from RSA, like the Oracle XML.

 

Can someone please validate if this is possible?

 

It loads the XML in ESI, but fails to parse messages which we feel are properly parsed in the enVision app (GUI) including reports and queries.

 

We are copying the syslog Oracle data from Event Viewer into a unx file, which I believe is completely valid for this task.

0 Likes
Reply
7 Replies
RSAAdmin
Beginner
Beginner
‎2010-11-12 09:02 AM

I test .unx files against default XMLs on a fairly regular basis, so yes, it is absolutely possible to do.

 

I would not, however, recommend just using a copy & paste of log files from the Event Viewer screen. 

 

Use lsdata from the command line to dump the logs you want to test.

0 Likes
Reply
RobertWengewicz
Beginner
Beginner
‎2010-11-12 10:16 AM

Scott,

      Like Matt mentioned I would use the LSdata command and get what is needed, then use it against the Oracle XML. when you get to the point where it asks for the log file, put the file from the LSdata in. It will ask if you got the logs from the LSdata command, click yes. Once that is complete click on  Select Event button, a pop-up window come up click an event.

 

Now this next part will show you what column the data is parsed into and if the data you are looking for is not parsed into a variable you will see it. Up on the top of the ESI page you will see REPORT > Event Analysis > Selected Events. The pop-up window will show up ; click on an event that may not be parsed correctly and click generate report. You will see all the data parsed out, and some of the data may be in the Fields columns (Fld1, Fld2,Fld3). That is the data that is not reported on, you can change that column to any varible you want.

 

If you need more detail i can do a powerpoint and upload it if you want.

 

Bob

0 Likes
Reply
DusanTomic
Beginner
Beginner
‎2010-11-18 07:18 AM

Try commenting out the first header.

0 Likes
Reply
ScottPause
Beginner
Beginner
In response to DusanTomic
‎2010-11-19 10:48 AM

Thanks, but there is no header.  I'm now more perplexed than ever on how our Oracle is successfully parsing.  Below is an example line which successfully parses (we have an old "ESU" from 2008) in our Reports and via Query tool.

 

Has anyone here actually tried using ESI to parse an ODBC based log such as Oracle?  

 

EDIT:  I think I just realized something important - does lsdata support exporting ODBC data so it can be parsed like this?  Do I use "-d 0"  or some other option?

 

Now, the weird thing is that this entry does fully parse with a "oracle_custom" device xml that we made IF I CHANGE ORACLE-101 to ORACLE_LOGON-101, which uses the same table as oracle.  But this device is set to be a Oracle device.  This log line below does not parse against ANY XML (using our old one, our custom one or the newest Oracle one)

 

Does anyone see or understand the issue?

 

Nov 04 22:04:27 [10.1.1.1] %ORACLE-101: 10.2.0.3.0,-,hostname1,-,DBNAME,-,-,48424513,1,1,2010-11-04 21:50:07,USR,hostname2,unknown,101,0,(null),(null),(null),(null),(null),(null),(null),(null),25313563,24715,325213,0,2010-11-04 21:50:07,Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.2)(PORT=64824)),(null),unsername,(null),(null),(null),5,59376

0 Likes
Reply
RobertWengewicz
Beginner
Beginner
In response to ScottPause
‎2010-11-22 04:07 PM

The issue here is the position of the headers. I move Header 1 and 2 around. When you had :

as the first one the XMl was looking for the level along with the MessageID.

<HEADER id1="0002"  id2="0002" content="%ORACLE-&lt;level&gt;-&lt;messageid&gt;: &lt;!payload&gt;"/>

 

Your example only had a MessageID. So you need to move the headers around so that the XML will try the shorter header first, then if it would not work then it will go on to the next one.

 

Check out the attacked it will show the error from the orginal xml.

Switch the headers like below and then try again.

<HEADER
  id1="0001"
  id2="0001"
  content="%ORACLE-&lt;messageid&gt;: &lt;!payload&gt;"/>


<HEADER
  id1="0002"
  id2="0002"
  content="%ORACLE-&lt;level&gt;-&lt;messageid&gt;: &lt;!payload&gt;"/>

 

 

Bob

Preview file
37 KB
0 Likes
Reply
DusanTomic
Beginner
Beginner
In response to RobertWengewicz
‎2010-11-25 01:34 PM

 rwengewicz is right.

 

My XML looks like this and is parsing correctly with ESI:

 

<HEADER
        id1="0002"
        id2="0002"
        content="%ORACLE-&lt;messageid&gt;: &lt;!payload&gt;"/>

    <HEADER
        id1="0001"
        id2="0001"
        content="%ORACLE-&lt;level&gt;-&lt;messageid&gt;: &lt;!payload&gt;"/>
   

0 Likes
Reply
ScottPause
Beginner
Beginner
In response to RobertWengewicz
‎2010-11-30 09:50 AM

rwengewicz - Thanks for showing that.  That still means it can't properly parse with the default XML I'm guessing since the fields will be off.   But now, does it parse against a specific message when header 002 is used?   Which one?  I know the header alone is insufficient for parsing of course.

 

 As far as I know this is a default message format.

 

So why would I need to reorder the headers to test this? 

 

Thanks,

Scott

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.