enVision not parsing sudosh
I've been wrestling with getting something parsed for a while now and I just can't seem to wrap my head around the problem.
Here's the thing: we audit admins by using sudosh. As far as I know, this does not get parsed by enVision, so we used ESI to parse it. The log comes in on the same syslog stream, so I want to modify the original Solaris XML to also parse the sudosh messages.
I ran sendunknownmessages for the past 10 days and went about parsing. We updated ESI to the same scheme as our enVision, with the ESU -esi-install flag. Now the log file parses fine in ESI, has no datapattern warnings, and everything is how it should be. When I copy the XML file to the enVision (an ES), it simply refuses to parse the log. It still comes out as an unknown message and it doesn't show up in a query.
Could you guys please have a look and see what's wrong? I've added a scrubbed bit of log and the XML I created; the messages I added are at the bottom.
Bert, as trivial as it seems, I have to ask... did you restart the NIC Services (Collector, Packager, Locator, Server, and Web Server) after installing the new XML?
Did you remove the original unknown device before trying to rediscover?
Matt, I even restarted the whole appliance, just to be sure (it's for testing purposes). I did not, however, remove the device; it is not unknown, because it is a normal Solaris box. Is it necessary to remove an entire device and let enVision rediscover it for the modifications I make to work?
Thanks for the quick reply, btw :)
No, you should not have to remove a known device type as long as at least one of the headers matched the undefined messages prior to adding your new messages to the XML.
I will take a look at this and see what I find.
Having some technical difficulties accessing my appliance at the moment, but the XML looks absolutely fine.
I will modify the device IP in your scrubbed logs to match an existing Solaris system I have loaded in enVision and try to inject your logs to it once I have access again.