RSA Admin

enVision not parsing sudosh

Discussion created by RSA Admin Employee on Jul 13, 2011
Latest reply on Jul 21, 2011 by RSA Admin

Hi everyone,

I've been wrestling with getting something parsed for a while now, and I just can't seem to wrap my head around the problem.

Here's the thing: we audit admins by using sudosh. As far as I know, this does not get parsed by enVision, so we used ESI to parse it. The log comes in on the same syslog stream, so I want to modify the original Solaris XML to also parse the sudosh messages.

I ran sendunknownmessages for the past 10 days and went about parsing. We updated ESI to the same scheme as our enVision, with the ESU -esi-install flag. Now the logfile parses fine in ESI, has no datapattern warnings, and everything is how it should be. When I copy the XML file to the enVision (an ES), it simply refuses to parse the log. It still comes out as an unknown message, and it doesn't show up in a query.

Could you guys please have a look at what's wrong? I've added a scrubbed bit of log and the XML I created; the messages I added are at the bottom.
