Unable to generate any meaningful reports out of the Solaris server logs
We have roughly 20 Solaris server logs integrated into envision. For some reason, we are unable to generate any meaningful reports using the built-in reports that come out of the box with envision.
The Solaris servers are v8, 9 and 10, and although they are promptly sending the logs to envision, I think envision is not parsing the logs properly and is therefore unable to generate reports.
Btw, we did not completely follow the instructions recommended by RSA for Solaris server integration, as our UNIX administrators found them too comprehensive. I believe they configured syslog.conf and a couple of other files to syslog the events to the envision server collector IP. Is anyone else facing a similar issue?
Thanks in advance,
Start by looking at the analysis view. Do you see your Solaris logs showing up there?
If so, they might not be parsed correctly.
Next, check your XML file for Solaris. This will give you the order the logs have to be in to be parsed correctly.
Compare these to what you see in the analysis view.
Next, check your Unknown logs.
You can get these using the lsmaint program, and it might show you your missing Solaris logs there.
The XML for Solaris needs to be in this order:
Month, Day, Time, hostip, msgID part1, PID, ID, msgID part2, severity, payload
You might have to configure the senders as per the RSA instructions.
FYI, I didn't follow the installation instructions for Adiscon Event Reporter for Windows and my machines showed up as Linux machines. It is very important to configure the senders correctly, since the XML used to parse the logs expects the information in a specific order.
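To make the "compare the XML order to what you see in the analysis view" step concrete, here is an added example (my own code, not RSA's or enVision's) that parses Solaris syslog lines into the ten fields in the order the answer above lists and explains why a line would fall through to the Unknown logs. It assumes the stock Solaris syslogd format with message IDs enabled, i.e. "Mon DD HH:MM:SS host tag[pid]: [ID nnnnnn facility.severity] text", where the tag is msgID part1 and the facility is msgID part2; the host field is accepted as either a dotted IP or a hostname (an assumption, since the answer calls it hostip). The log lines are constructed for the example, and the hint about syslogd's -t switch (which disables message ID generation on Solaris) should be checked against your own syslogd(1M) man page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field order the enVision Solaris XML expects, as stated in the answer above:
# Month, Day, Time, hostip, msgID part1, PID, ID, msgID part2, severity, payload.
FIELD_ORDER = ["month", "day", "time", "hostip", "msgid1", "pid",
               "id", "msgid2", "severity", "payload"]

# Assumption: a stock Solaris syslogd line with message IDs enabled looks like
#   Mar 10 14:22:05 10.1.2.3 sshd[1234]: [ID 800047 auth.info] Accepted publickey ...
# where "sshd" is msgID part1, "auth" is msgID part2 and "info" is the severity.
SOLARIS_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +"
    r"(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostip>\S+) "                       # dotted IP or hostname (assumption)
    r"(?P<msgid1>[^\s\[:]+)"                  # process/tag, e.g. sshd or su
    r"(?:\[(?P<pid>\d+)\])?: "                # optional [PID] before the colon
    r"\[ID (?P<id>\d+) (?P<msgid2>[a-z0-9]+)\.(?P<severity>[a-z]+)\] "
    r"(?P<payload>.*)$"
)


def parse_solaris_syslog(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the ten fields in enVision order, or None if the line would be Unknown."""
    m = SOLARIS_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {name: m.group(name) for name in FIELD_ORDER}


def explain_unknown(line: str) -> str:
    """Best-guess reason a line did not match, to compare against the XML order."""
    if not re.match(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ", line):
        return ("header is not 'Month Day Time host'; is the sender prepending a "
                "PRI or an ISO timestamp, or is it not Solaris syslogd at all?")
    if not re.search(r"\[ID \d+ [a-z0-9]+\.[a-z]+\] ", line):
        return ("no '[ID nnnnnn facility.severity]' block; message IDs are off "
                "(Solaris syslogd -t) or the sender is not Solaris syslogd")
    return "tag/PID segment does not match 'name[pid]: ' before the ID block"


def triage(lines: List[str]) -> Tuple[List[Dict[str, Optional[str]]],
                                      List[Tuple[str, str]]]:
    """Split lines into parsed records and (line, reason) pairs that would be Unknown."""
    parsed, unknown = [], []
    for line in lines:
        rec = parse_solaris_syslog(line)
        if rec is None:
            unknown.append((line, explain_unknown(line)))
        else:
            parsed.append(rec)
    return parsed, unknown


# Constructed sample lines: two well-formed Solaris lines, one with message IDs
# missing, and one arriving with a raw syslog PRI still in front of the header.
SAMPLE_LINES = [
    "Mar 10 14:22:05 10.1.2.3 sshd[1234]: [ID 800047 auth.info] "
    "Accepted publickey for oracle from 10.1.2.50 port 50122 ssh2",
    "Mar 10 14:22:07 10.1.2.3 su: [ID 366847 auth.notice] "
    "'su root' succeeded for oracle on /dev/pts/3",
    "Mar 10 14:22:09 10.1.2.4 sshd[2231]: "
    "Failed password for root from 10.1.2.60 port 40100 ssh2",
    "<38>Mar 10 14:22:11 10.1.2.5 sshd[77]: [ID 800047 auth.info] "
    "Connection closed by 10.1.2.61",
]

if __name__ == "__main__":
    parsed, unknown = triage(SAMPLE_LINES)
    for rec in parsed:
        print("PARSED ", " | ".join(str(rec[f]) for f in FIELD_ORDER))
    for line, why in unknown:
        print("UNKNOWN", why, "<-", line[:60])
```

Run it against a few hundred lines pulled from the Unknown logs (lsmaint, as the answer suggests) rather than the constructed samples; the reasons it prints tell you which part of the order the senders are getting wrong, which is usually the missing message ID block when syslog.conf was set up by hand without following the RSA instructions.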