RSA Admin

Adiscon Event Reporter and Hyper-V

Discussion created by RSA Admin Employee on Dec 19, 2011
Latest reply on Dec 22, 2011 by RSA Admin

Hi, I am having a problem configuring Adiscon Event Reporter to send Hyper-V logs to enVision.
enVision receives the Hyper-V messages but messages are not parsed and they are going to class undefined.

I have tested the following combinations:

Adiscon Syslog processing: Use legacy RFC 3164 processing

Adiscon Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Message in enVision: Dec 01 10:17:10 DOMAIN-machine1.domain.local EvntSLog: [Error] 2011-12-01 08:17:11: NT AUTHORITY\NETWORK SERVICE/DOMAIN-machine1.domain.local/Microsoft-Windows-Hyper-V-VMMS (16370) - "'DC21' cannot create the storage required for the snapshot D:\Virtual\DC0_D938D5C8-539E-447B-8F99-A89C8028EC5E.avhd: The system cannot find the file specified. (0x80070002). (Virtual machine ID 7DCCBC24-8586-40D7-AG9F-8A3211F7319925)"

------------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first timestamp is ripped off

-----------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: %sourceproc% [%level%] %timegenerated%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first timestamp is ripped off and one variable added after the EvntSLog: string

-----------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: [%level%] %timegenerated:::uxTimeStamp%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first timestamp is ripped off and the second timestamp is in Unix format

----------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: %sourceproc% [%level%] %timegenerated:::uxTimeStamp%: %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first timestamp is ripped off, one variable added after the EvntSLog: string, and the second timestamp is in Unix format

--------------------

Adiscon Syslog processing: Use Custom Syslog header: %source% %syslogtag%:

Adiscon Message format: %sourceproc% [%level%] %timegenerated% %user%/%source%/%sourceproc% (%id%) - "%msg%"

Note: first timestamp is ripped off, one variable added after the EvntSLog: string, and the ":" removed after the "timegenerated" variable.

None of these have resulted in enVision being able to parse the message!!
Could someone help me with this?

Server: Windows 2008 R2
Log: Hyper-V Adiscon
Version: Adiscon Event Reporter 12.0
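As an added example (not from the original post, Adiscon or RSA), a small Python parser for the Adiscon message layout shown above: it accepts the plain and the %sourceproc%-prefixed variants, normalises the ISO and Unix forms of %timegenerated% to one string, and reports which lines would fall through unparsed (the "undefined" class). The host, epoch value and message text in the second and third samples are constructed.

```python
import re
from datetime import datetime, timezone

# Line shape:  <syslog time> <host> EvntSLog: [<sourceproc> ][<level>] <time>[:]
#              <user>/<source>/<sourceproc> (<id>) - "<msg>"
# The leading <sourceproc> token and the ':' after <time> are optional; <time>
# is ISO ("2011-12-01 08:17:11") or a Unix epoch (%timegenerated:::uxTimeStamp%).
_LINE = re.compile(
    r"^(?P<systime>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) EvntSLog: "
    r"(?:(?P<prefix>[^\[\s]+) )?"                          # optional leading %sourceproc%
    r"\[(?P<level>[^\]]+)\] "
    r"(?P<gen>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|\d{9,10}):? "   # ISO or epoch
    r"(?P<user>.+?)/(?P<source>[^/\s]+)/(?P<sourceproc>\S+) "
    r"\((?P<id>\d+)\) - \"(?P<msg>.*)\"$",
    re.DOTALL,
)

def parse_event(line):
    """Return the extracted fields, or None when the line would land in 'undefined'."""
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    if ev["gen"].isdigit():  # epoch variant: render as the same ISO string (read as UTC)
        ev["gen"] = datetime.fromtimestamp(int(ev["gen"]), timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    ev["layout"] = "prefixed" if ev.pop("prefix") else "plain"
    return ev

def classify(lines):
    """Split a batch into parsed events and the raw lines the parser rejected."""
    parsed, undefined = [], []
    for ln in lines:
        ev = parse_event(ln)
        (parsed if ev else undefined).append(ev or ln)
    return parsed, undefined

# Samples: the first is the message quoted in the post; the second (prefixed layout,
# Unix timestamp) and the third (malformed) are constructed for this example.
SAMPLES = [
    'Dec 01 10:17:10 DOMAIN-machine1.domain.local EvntSLog: [Error] 2011-12-01 08:17:11: '
    'NT AUTHORITY\\NETWORK SERVICE/DOMAIN-machine1.domain.local/Microsoft-Windows-Hyper-V-VMMS '
    '(16370) - "\'DC21\' cannot create the storage required for the snapshot '
    'D:\\Virtual\\DC0_D938D5C8-539E-447B-8F99-A89C8028EC5E.avhd: The system cannot find the '
    'file specified. (0x80070002). (Virtual machine ID 7DCCBC24-8586-40D7-AG9F-8A3211F7319925)"',
    'Dec 01 10:17:10 DOMAIN-machine1.domain.local EvntSLog: Microsoft-Windows-Hyper-V-VMMS [Error] '
    '1322727431 NT AUTHORITY\\NETWORK SERVICE/DOMAIN-machine1.domain.local/'
    'Microsoft-Windows-Hyper-V-VMMS (16370) - "constructed message"',
    'Dec 01 10:17:10 DOMAIN-machine1.domain.local EvntSLog: no structure here',
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLES)
    for ev in ok:
        print(ev["layout"], ev["level"], ev["gen"], ev["sourceproc"], ev["id"])
    print("undefined:", len(bad))
```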