Error Parsing Header
I'm trying to use ESI on log messages from a Breach Web Defend WAF. I can't figure out what I'm doing wrong. Every time I try to use ESI I get an "Error Parsing Header" error. I just wanted to get my feet wet here so I kept it simple by grabbing the 3 messages below. For "MessageID" I added "Successful" and "login" to form "Successful_login" but that's where it seems to be failing.
Anyone have any ideas? If I can't get something this simple to work I'm doomed.
Mar 31 09:11:47 [10.107.0.215] Mar 31 09:11:46 10.107.0.215 Successful login 22.214.171.124 USA 90201 0 GET brand=null Informative 200 /wps/myportal/
Mar 31 09:11:52 [10.107.0.215] Mar 31 09:11:52 10.107.0.215 Successful login 126.96.36.199 USA 90201 0 GET brand=null Informative 200 /wps/myportal/
Mar 31 09:11:57 [10.107.0.215] Mar 31 09:11:56 10.107.0.215 Successful login 188.8.131.52 USA 90201 0 GET brand=null Informative 200 /wps/myportal/
I tried with your logs and was able to create a header (I randomly assigned the Router device class; you can choose as you want). Have a look at the attached XML. Let us know what was going wrong in your environment.
You can try to open this XML in ESI and run through it in EDIT mode (right click on the header in the tree view) to see how the assignments were made.
Wow....after trying your XML file it still failed.
Turns out that I had to run ESI with an account that is a workstation admin??????
After doing a "Run As" and using my admin account it's working perfectly. I had no idea that I would need admin rights to run this.
@norriscr Thanks for posting this. I've been struggling with similar issues for the past 2 days and couldn't figure out what had happened to my headers that worked before. It would even fail on events that enVision was properly parsing. I just remembered that we removed my local admin privileges from my workstation earlier this week.
When I run ESI as a local admin, it parses the headers and messages properly.