AnsweredAssumed Answered

Log Parser file

Question asked by Sonam Singla on Mar 14, 2018
Latest reply on Mar 15, 2018 by Sonam Singla

Like • Show 0 Likes0
Comment • 5

Is there any documentation for understanding Log parser xml file.

E.g what is the meaning of missField, functions and how can we generate the same output means please tell me the steps in ESA tool so that while creating a parser I can make the changes and this is generated in xml file. I mean to say tagval, missField, functions.

<MESSAGE
id1="CISE_AD_Connector"
id2="CISE_AD_Connector"
eventcategory="########"
tagval="true"
missField="true"
functions="<@msg:*PARMVAL($MSG)><@:*SYSVAL($ID1)><@event_time:*EVNTTIME($HDR,'%W%G%F %H%U%O',hyear,hmonth,hday,hhour,hmin,hsec)><@timezone:*HDR(hfld8)><@hostname:*HDR(hnode)><@id:*HDR(hfld4)><@id1:*HDR(hfld5)><@id2:*HDR(hfld6)><@operation_id:*HDR(hfld10)><@severity:*HDR(hseverity)><@category:*HDR(hfld11)><@event_description:*HDR(hevent_description)>"
content="AD-Domain=<domain>, AD-Domain-Controller=<ac>, AD-IP-Address=<hostip>, AD-Log-Id=<li>, AD-Site=<as>,AD-Trusted-Domain=<at>,AD-Forest=<af>,AD-Error-Details=<result>,AD-Account-Name=<username>,AD-Hostname=<hostname>,AD-Srv-Query=<an>,AD-Srv-Record=<am>"/>

No one else has this question

Outcomes

David Waugh Mar 14, 2018 8:14 AM

Tagval means that the message is made up of a=1, b=2,c=3 type values.

missField means that if one or more of these entries is missing then it will still parse.

Eg this parser will work on

a=1,c=3

b=2,c=3

a=1

type messages.

Actions

Dave Glover

Mar 14, 2018 9:18 AM

Let me add a little more on to what David had said

Tagval is a special function that allows the parser to parse key value pair messages.

For example: user=bob, ip=1.2.3.4, host=globalDC

We could very easily create a standard parser for the above, however with some devices they may not send the "ip" key if there is no value. If that was the case you would get:

user=bob, host=globalDC.

If the above case, using a standard parser, the message would not parse as it is missing "ip="

If we use the Tagval function we get two benefits.

1. The Keys can be missing or not.

2. the Keys can come in any order.

There is one issue however.. The parser has to be built for all possible keys that are sent.

So in our above example-- if we send more keys that what was defined, such as --

user=bob, ip=1.2.3.4, host=globalDC, location=USA

That message would not parse as we have no definition for "location="

By adding the flag of "missfields" This allows the parser to skip over "location=" and still parse the message. The "location=" will no go anywhere, and it will no parse.

The right thing to do is to build the parser with all possible variations. The missfields is a stop gap until you can.

Hope that helps

Dave

2 people found this helpful

Actions

David Waugh @ Dave Glover on Mar 14, 2018 11:36 AM

Thanks Dave! Your answer was much more complete!

Actions

Sonam Singla @ David Waugh on Mar 15, 2018 1:03 AM

Thanks David and Dave, need some more clarification on functions variable and also key-value checkbox is disabled in ESI tool, how to enable that. Please explain functions variable meaning as well. Any documentation on understanding xml parser.

Actions

Sonam Singla @ Sonam Singla on Mar 15, 2018 6:58 AM

Also let me know how to edit existing parser as it is not giving option to edit the message.

Actions

5 Replies

David Waugh Mar 14, 2018 8:14 AM
Mark Correct
Correct Answer
Tagval means that the message is made up of a=1, b=2,c=3 type values.
missField means that if one or more of these entries is missing then it will still parse.

Eg this parser will work on
a=1,c=3
b=2,c=3
a=1

type messages.
Like • Show 0 Likes0
Actions
Dave Glover Mar 14, 2018 9:18 AM
Mark Correct
Correct Answer
Let me add a little more on to what David had said

Tagval is a special function that allows the parser to parse key value pair messages.

For example: user=bob, ip=1.2.3.4, host=globalDC

We could very easily create a standard parser for the above, however with some devices they may not send the "ip" key if there is no value. If that was the case you would get:

user=bob, host=globalDC.

If the above case, using a standard parser, the message would not parse as it is missing "ip="

If we use the Tagval function we get two benefits.

1. The Keys can be missing or not.
2. the Keys can come in any order.

There is one issue however.. The parser has to be built for all possible keys that are sent.

So in our above example-- if we send more keys that what was defined, such as --

user=bob, ip=1.2.3.4, host=globalDC, location=USA

That message would not parse as we have no definition for "location="

By adding the flag of "missfields" This allows the parser to skip over "location=" and still parse the message. The "location=" will no go anywhere, and it will no parse.

The right thing to do is to build the parser with all possible variations. The missfields is a stop gap until you can.

Hope that helps

Dave
2 people found this helpful
Like • Show 1 Like1
Actions
- David Waugh @ Dave Glover on Mar 14, 2018 11:36 AM
  Mark Correct
  Correct Answer
  Thanks Dave! Your answer was much more complete!
  Like • Show 0 Likes0
  Actions
  - Sonam Singla @ David Waugh on Mar 15, 2018 1:03 AM
    Mark Correct
    Correct Answer
    Thanks David and Dave, need some more clarification on functions variable and also key-value checkbox is disabled in ESI tool, how to enable that. Please explain functions variable meaning as well. Any documentation on understanding xml parser.
    Like • Show 0 Likes0
    Actions
    - Sonam Singla @ Sonam Singla on Mar 15, 2018 6:58 AM
      Mark Correct
      Correct Answer
      Also let me know how to edit existing parser as it is not giving option to edit the message.
      Like • Show 0 Likes0
      Actions

Log Parser file

Outcomes

Related Content

Recommended Content