CRYPTO-4-PKT_REPLAY_ERR syslog parsing
Every time IOS generates the "CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed" log msg I receive 3 syslog messages, as if IOS is not concatenating them into 1 msg string before sending. It's really annoying because I can't filter a null string that also has a null message type on my NMS. I tried changing the facility settings and get the same result. If I use TCL to filter the syslog msg by type "CRYPTO-4-PKT_REPLAY_ERR" it will only filter the 1st syslog message since the types on the other 2 msgs are null.
I can't find a bug or discussion about this so I am hoping somebody out there might have a solution ...
DEVICE INFO:
c3825-advipservicesk9-mz.124-25b.bin
logging buffered 15000 debugging
logging rate-limit all 3
no logging console
no logging monitor
crypto logging session
logging origin-id hostname
logging facility syslog
logging source-interface GigabitEthernet0/0
logging 11.22.33.44
FROM LOGGING BUFFER:
Dec 14 08:00:37 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:00:37 CST Wed Dec 14 2011
#1>> Dec 14 08:01:41 CST: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
#2>> connection id=70, sequence number=43990
#3>>
Dec 14 08:10:36 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:10:36 CST Wed Dec 14 2011
THREE SYSLOG MSG's RECEIVED:
#1
MSG TYPE: CRYPTO-4-PKT_REPLAY_ERR
MSG STRING: 7015321: routerA: decrypt: replay check failed
#2
MSG TYPE: null
MSG STRING: 7015322: routerA: connection id=70, sequence number=43990
#3
MSG TYPE: null
MSG STRING: 7015323: routerA:
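As an added illustration of the stitching the receiving side has to do for this message (example code written for this page; it is not part of the original post and not Cisco's software), the Python below takes the three datagrams as the NMS sees them and rejoins the two untyped continuation fragments to the typed message that precedes them, keyed on the consecutive IOS sequence numbers and the origin hostname. It also shows the case the post does not: a fragment whose predecessor is missing (for example dropped by `logging rate-limit`) is kept as its own untyped event instead of being glued to the wrong message. The raw lines are constructed to match the logging buffer above; the `<44>`/`<45>` priorities are an assumption (facility syslog, severity 4 and 5).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the datagrams for one CRYPTO-4-PKT_REPLAY_ERR as they
# arrive with "service sequence-numbers" and "logging origin-id hostname"
# (PRI values assumed: facility syslog, severity 4 or 5).
SAMPLE_DATAGRAMS = [
    "<45>7015320: routerA: Dec 14 08:00:37 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:00:37 CST Wed Dec 14 2011",
    "<44>7015321: routerA: Dec 14 08:01:41 CST: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed",
    "<44>7015322: routerA: connection id=70, sequence number=43990",
    "<44>7015323: routerA: ",
    "<45>7015324: routerA: Dec 14 08:10:36 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: johndoe] [Source: 1.2.3.4] [localport: 22] at 08:10:36 CST Wed Dec 14 2011",
]

# <PRI>seq: host: body  -- the layout the NMS above splits into MSG TYPE / MSG STRING
DATAGRAM_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<seq>\d+):\s+(?P<host>\S+):\s*(?P<body>.*)$")
# %FACILITY-SEVERITY-MNEMONIC: text  -- present only on the first fragment
MNEMONIC_RE = re.compile(r"%(?P<type>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<text>.*)$")
REPLAY_RE = re.compile(r"connection id=(?P<conn>\d+), sequence number=(?P<seq>\d+)")


@dataclass
class Event:
    host: str
    seq: int                  # sequence number of the last fragment merged in
    severity: int
    msg_type: Optional[str]   # None for an untyped fragment that could not be joined
    text: str
    fragments: int = 1


def reassemble(datagrams: List[str]) -> List[Event]:
    """Merge untyped datagrams into the preceding typed event from the same host
    when their IOS sequence numbers are consecutive."""
    events: List[Event] = []
    last_by_host = {}
    for raw in datagrams:
        m = DATAGRAM_RE.match(raw)
        if not m:
            continue  # not in the expected layout; leave it for another parser
        host, seq, body = m["host"], int(m["seq"]), m["body"].strip()
        severity = int(m["pri"]) & 7
        typed = MNEMONIC_RE.search(body)
        if typed:
            ev = Event(host, seq, severity, typed["type"], typed["text"].strip())
            events.append(ev)
            last_by_host[host] = ev
            continue
        prev = last_by_host.get(host)
        if prev is not None and seq == prev.seq + 1:
            # continuation: same device, next sequence number, no %TYPE
            prev.seq = seq
            prev.fragments += 1
            if body:
                prev.text = f"{prev.text} {body}"
            continue
        # untyped and not adjacent to anything known: keep it visible on its own
        ev = Event(host, seq, severity, None, body)
        events.append(ev)
        last_by_host[host] = ev
    return events


def replay_errors(events: List[Event]) -> List[Tuple[str, int, int]]:
    """(host, IPsec connection id, ESP sequence number) for every reassembled
    CRYPTO-4-PKT_REPLAY_ERR, i.e. the fields that were unreachable before joining."""
    out = []
    for ev in events:
        if ev.msg_type != "CRYPTO-4-PKT_REPLAY_ERR":
            continue
        m = REPLAY_RE.search(ev.text)
        if m:
            out.append((ev.host, int(m["conn"]), int(m["seq"])))
    return out


if __name__ == "__main__":
    evs = reassemble(SAMPLE_DATAGRAMS)
    for ev in evs:
        print(ev.seq, ev.msg_type, ev.fragments, ev.text)
    print(replay_errors(evs))
```

The join rule deliberately requires both the hostname and `seq == prev.seq + 1`, so it only works with `service sequence-numbers` enabled on the router; without that, the NMS has nothing but arrival order to go on. An untyped fragment left with `msg_type None` is the signal that something in between was lost, which is worth alerting on rather than silently discarding the way a type-based filter would.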
Similar Messages
-
%CRYPTO-4-PKT_REPLAY_ERR:
I have been seeing the following error message in the logs for a few days now.
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=4587, sequence number=17094
I managed to track down the connection id:4587 and I can see the peer IP with the actual recv errors. There are no issues with the VPN itself, traffic is working fine.
I have tried to increase the actual window size under the specific crypto map for that particular peer and it makes no difference. Even cleared the sa after applying the changes.
crypto map xxxxxxxxx 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
security-association replay window-size 1024
Have increased the replay window globally to 1024 however the errors keep appearing.
crypto ipsec security-association replay window-size 1024
Has anyone actually disabled the replay window checking? did it impact anything?
crypto ipsec security-association replay disable
no crypto ipsec security-association replay window-size 1024
does it actually stop the replay_errors?
or to stop these errors do you need to change the hash algorithm from sha instead of md5?
Adam,
I don't have a resolution yet, so I opened a TAC case last Saturday. I'll keep you posted on this forum. -
Frequent %CRYPTO-4-PKT_REPLAY_ERR: log messages
Hi All,
I get following log message on my spoke 881 router from time to time.
For instance today I got 80 messages like this.
Frequent %CRYPTO-4-PKT_REPLAY_ERR: log messages
This is dual hub DMVPN connectivity and both tunnels are stable during the day and EIGRP never dropped.
User behind this router also never complained. They run mainly voip traffic and I have QoS both on HUB and Spokes defined under tunnel as qos-preclassify and policy-map is applied on the physical interface.
I have also increased replay window size up to 1024, but it did not help.
Wondering what else can be done here.
IOS ver both on spokes and hub is 15.2.3(T3)
Don't know where they came from, but you could turn on debugging ipsec and isakmp to see if there is a relation with other events like rekeying.
Michael
Please rate all helpful posts -
CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
Center router is cisco 7300 :
Cisco IOS Software, 7301 Software (C7301-ADVIPSERVICESK9-M), Version 15.1(4)M2
branch router is cisco1900:
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
One branch router uses EZVPN to connect to the Center router.
Branch router log:
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
and 10% packet loss.
But another branch using EZVPN to connect to the Center router is OK:
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
What can be done for this issue?
Should I change the cisco1900 IOS to 12.4, the same as the cisco880?
Hi Anuj
Thanks for your reply.
Yes, the issue happens frequently, and packets are lost. The log happens every 3 minutes.
As I am not in charge of the router in the branch, I cannot change the hardware accelerator.
I have changed the window-size to 1024 in the branch router, but the issue is as before.
Here is the show crypto ipsec sa and the whole error message:
sh crypto ipsec sa
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 519, #pkts encrypt: 519, #pkts digest: 519
#pkts decaps: 665, #pkts decrypt: 665, #pkts verify: 665
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: , remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x550C1C42(1426857026)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x38F532D7(955593431)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2091, flow_id: Onboard VPN:91, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4561181/3566)
IV size: 16 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550C1C42(1426857026)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2092, flow_id: Onboard VPN:92, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4561911/3566)
IV size: 16 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Dec 20 01:34:32.656: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=91, sequence number=12353
Dec 20 01:39:06.552: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=91, sequence number=18191
Dec 20 01:40:38.532: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=91, sequence number=20363
Dec 20 01:43:05.856: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=91, sequence number=23609 -
I have a pair of 3945E routers I use as redundant VPN head-ends in our data center and numerous 2901 and one 2951 used as spoke routers. Each of the spokes is connected to the 3945's over VTI tunnels three and four. We regularly see replay errors occur, but this morning, we had it get disruptive enough on one of the tunnels on the 2951 where we were experienced 80 to 90 percent packet loss across that one tunnel. This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.
I'm needing to understand how to reduce or completely eliminate the replay errors. I've read something about increasing the replay window size, but don't have a clue where to start. What is the best way to fix this without disabling replay checking? Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?
Thanks in advance!
Paul Wishart -
"Crypto replay check failed" errors
Hey folks,
I have a site-to-site IPSEC VPN using 2 catalyst 6500's running IOS 12.2(18)SXD7b on each end.
After reviewing the syslog files this morning, I noticed that for the last 4 days at approximately the same time each night, my router reports this error:
Local7.Warning: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
The error reporting tool on cisco.com says this error is benign, but does not give much info or troubleshooting tips. I've double checked my configuration and everything looks fine. Have you guys seen this before? Any tips?
Thanks,
SM
Hi Steve, check this link, if it can help you:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K07229553
Regards,
Ricardo -
Can anyone tell me what this error means? We are running encrypted GRE tunnels router to router. AES 256
Apr 4 16:09:41.349 EDT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=7357, sequence number=1860336
HTH
I am not seeing a lot of these. I will keep an eye on it though.
Thank you
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Bradfield
Network Analyst Ld
TSYS Network Services / Network Engineering
706-644-3559
From: rburts
To: Douglas Bradfield ,
Date: 04/07/2012 04:15 PM
Subject: - Re: Crypto error
Re: Crypto error
created by Richard Burts in VPN
Douglas
As part of the IPSec implementation of the encrypted GRE tunnel it checks
on packets received to make sure that it has not seen that packet before.
In this case it believes that it has seen this packet before. It looks
like, for some reason, something along the path has re-transmitted this
packet. I see this kind of message with some frequency and as long as
there are not a lot of them I do not think that it is a big problem. Are
you seeing a few or a lot of these?
HTH
Rick
-
Problem : tcl script for filter IPSec cosmetic log
Hi all, I would like some advice from anyone who has ever seen this case. I applied a tcl script to filter an ipsec error log that is cosmetic, because my site does not want to see this log in the router log. I already created a tcl script to filter it out. The script works, but it does more: it filters other messages out, not just the ipsec log. I checked that the cisco device supports scripts. How can I fix this problem?
See my detail of script and ios version of router :
script :
# VPN_Error.tcl This script deletes all log messages about VPN error messages
# The script will filter by combination between facility-severity and mnemonic
# Created on 05-Oct-2012.
set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
foreach msg $msgs {
    if { $msg == $fac_sev_mnem } {
        return ""
    }
}
return $::orig_msg
ios router version :
: c2800nm-adventerprisek9-mz.124-25f.bin
: c2800nm-adventerprisek9-mz.124-7b.bin
log information and configuration
When I applied command:
logging filter flash:VPN_Filter2.tcl
logging buffered filtered 4096 debugging
show log file:
router#sh logg
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering enabled)
Console logging: level debugging, 18145 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 428 messages logged, xml disabled,
filtering disabled
Logging to: vty322(2)
Buffer logging: level debugging, 0 messages logged, xml disabled,
filtering enabled (0 messages logged)
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Filter modules:
flash:VPN_Filter2.tcl
Trap logging: level informational, 47011 message lines logged
Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
filtering disabled
Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
filtering disabled
Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
filtering disabled
--More--
Log Buffer (4096 bytes):
router#
If you have some more information. Please tell me.
Thank you for your advice
It looks like your script has an error. You have an extra '}'. It should be:
# VPN_Error.tcl This script deletes all log messages about VPN error messages
# The script will filter by combination between facility-serverity and mnemonic
# Created on 05-Oct-2012.
#
set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
foreach msg $msgs {
    if { $msg == $fac_sev_mnem } {
        return ""
    }
}
return $::orig_msg
-
Is QOS causing IPSEC replay errors?
Should there be a "service-policy" command on the outbound interface when using the "qos pre-classify" under the crypto map?
I have several point-to-point links that use both the qos pre-classify and the service-policy on the interface, and all those links generate %CRYPTO-4-PKT_REPLAY_ERR errors under load.
Other links that only encrypt are not getting the %CRYPTO-4-PKT_REPLAY_ERR errors under load.
The documentation for QOS and VPN: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ac4.html
Only states to use the "qos pre-classify" ???
I believe the packets are going through the QOS process twice. Once before encryption, and then again afterward resulting in the resequencing.
Hi,
IPSec replay errors can also be caused by a smaller replay window size. You might wanna try increasing the replay window size.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
HTH,
-Kanishka -
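To make concrete why a larger `replay window-size` helps when QoS reorders packets after encryption (the cause suspected in this thread and the fix tried in several of the threads above), here is an added Python model of the ESP anti-replay sliding window in the RFC 4303 style: the highest sequence number accepted so far plus a bitmap of the window below it. This is illustration code written for this page, not Cisco's implementation. The packet stream is constructed so that 64 packets from a low-priority queue leave after 66 later ones; with a window of 64 (the IOS default) every one of them is rejected, with 1024 none are.

```python
from typing import Dict, List


class AntiReplayWindow:
    """Receiver-side ESP anti-replay check: accept a sequence number if it is
    newer than anything seen, or inside the window and not seen yet."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (top - i) was seen

    def check(self, seq: int) -> str:
        """Return 'accepted', 'too_old' (below the window) or 'duplicate'."""
        if seq > self.top:
            shift = seq - self.top
            # slide the window up; bits that fall off the far end are forgotten
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accepted"
        diff = self.top - seq
        if diff >= self.size:
            return "too_old"        # reported by IOS as "replay check failed"
        if (self.bitmap >> diff) & 1:
            return "duplicate"      # a genuine replay, same log message
        self.bitmap |= 1 << diff
        return "accepted"


def reordered_stream() -> List[int]:
    """Constructed stream: packets 71..134 (bulk traffic in a low-priority
    queue) are transmitted after packets 135..200 (voice) overtook them."""
    return list(range(1, 71)) + list(range(135, 201)) + list(range(71, 135))


def run(window_size: int, stream: List[int]) -> Dict[str, int]:
    """Feed a sequence-number stream through a window of the given size and
    count the verdicts."""
    window = AntiReplayWindow(window_size)
    counts = {"accepted": 0, "too_old": 0, "duplicate": 0}
    for seq in stream:
        counts[window.check(seq)] += 1
    return counts


if __name__ == "__main__":
    for size in (64, 1024):
        print(size, run(size, reordered_stream()))
```

The receiver cannot tell the two failure verdicts apart from the log line alone: a packet delayed past the window and a replayed old packet both land in "replay check failed". Raising the window size buys tolerance for reordering in exchange for a longer span in which an old packet could still be accepted, while `replay disable` removes the check altogether; the counters from `run()` are the kind of evidence to collect before choosing either.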
3030 Concentrator Site to Site
Trying to setup L2L VPN. Once the L2L is enabled, does it attempt to connect immediately? Also, how can I view the logs to see what is successful/failing on this or any other VPN connection.
Thank you.
You need to generate traffic requiring crypto protection (defined by your crypto ACL) in order to initiate the negotiation of an ISAKMP SA, which will establish a secure channel through which IPSec SAs will be negotiated.
Don't have access to a 3030 Concentrator, but on an IOS system you'd check status with:
show crypto isakmp sa detail
show crypto ipsec sa detail
Perhaps, log crypto sessions in syslog with:
crypto logging session
... and perhaps:
deny ip any any log
... as the last ACE in interface ACLs to identify configuration errors, and the presence of traffic that violates security policy. -
Collector Rule stays with the same Description after "fast" generated Events - (Custom MP)
Hi , I have a problem to customize one management pack
I use this MP for a reference
http://windowsmasher.wordpress.com/2011/02/07/monitoring-esxi-syslogs-with-opsmgr-2007-r2/
The problem is when I generate event (they are syslog events) the description Data is all the same for some time :)
For example if I generate 10 events fast , the description is all the same , but the data inside is different. MP should take XML element with Powershell script and it's working fine for a "slow" published events.
I don't know why only the description data is the same . I tried to modify the script to NULL the $bag variable and $xmlMessage but without any luck.
Any help will be appreciated
I'm trying to build a SYSLOG parser to visualize my data and eventually to do some reports.
Still having a problem? Can you explain a little more what the issue is? Are you saying the event collection provider does not work correctly when there is a burst of events matching your criteria?
Jonathan Almquist | SCOMskills, LLC (http://scomskills.com) -
Syslog Collector w/ File Connector Parsing Issue
Dear all,
Recently, I had a requirement from a customer.
They have various Linux systems. They want to pass all syslog to
sentinel, but not by syslog connector for some reasons.
Therefore, they throw us those syslog in text file, and ftp it for
sentinel reading.
The problem is that this.RXBufferstring could not be 100% parsed in all
kinds of messages. Sometimes there would be error.
But when they use the Syslog connector, every event field seems to be parsed
correctly.
So are there any methods to use the syslog collector w/ file connector
correctly?
Or how do people handle this kind of problem?
Please assist. Thanks a lot.
andy_ho
andy_ho's Profile: https://forums.netiq.com/member.php?userid=4568
View this thread: https://forums.netiq.com/showthread.php?t=51453
On 08/01/2014 04:26 AM, andy ho wrote:
>
> Dear all,
>
> Recently, I had a requirement from a customer.
>
> They have various Linux systems. They want to pass all syslog to
> sentinel, but not by syslog connector for some reasons.
> Therefore, they throw us those syslog in text file, and ftp it for
> sentinel reading.
>
> The problem is that this.RXBufferstring could not be 100% parsed in all
> kinds of messages. Sometimes there would be error.
> But when they use the Syslog connector, every event field seems to be parsed
> correctly.
> So are there any methods to use the syslog collector w/ file connector
> correctly?
> Or how do people handle this kind of problem?
> Or how do people handle this kind of problem?
No supported way, no. The testing between collector and connector is done
so that certain methods are easy, reliable, and supported. Just because
data are grabbed from one media (network, syslog specifically) and written
to another (file) does not mean that nothing else is changed, and the
syslog collectors may be assuming other properties (such as the event
source IP address) are there when they are not.
You can probably make this work, but you'll likely need to customize the
collector in order to do it. The alternative is to use the debugging
feature of the collector to find out what is wrong with certain events and
possibly modify them on the event source side. Either way, you're going
to have a scenario that is not supported so it may be worth revisiting the
requirement to use a file vs. syslog just in case support matters more
than the "for some reasons" that they want to go with a file.
Good luck.
-
CiscoWorks LMS 4.1, syslog analyzer parsing non-Cisco device.
Hello.
Can Syslog Analyzer parse syslog messages coming from a Non-Cisco device?
I'm trying to parse message from a HP Virtual Connect module without success.
Thanks.
Andrea
Hi Andrea,
You could use syslog-ng to write a generic mnemonic into the message and forward it to LMS.
Something like:
syslog-ng->add fac-sev-mne: message->lms
However, I would also caution you that LMS is *not* meant to be a "syslog" manager - there are usually way too many syslog messages in most environments for it to handle that many - which is why most syslog managers are standalone servers.
In order to make sure that the NMS systems that syslog-ng forward messages to receive the correct source, syslog-ng needs to be compiled with the source spoof option. This will allow messages received on other NMS’s (such as LMS) to appear to come from the original devices rather than from the syslog-ng server.
Compiling from source:
Install the syslog-ng prerequisites from Balabit
You must configure syslog-ng with --enable-spoof-source in order to enable the spoof source feature (which is disabled by default).
./configure --enable-spoof-source
make && make install
If you run into any issues during the installation, you can refer to the syslog-ng forum or you can refer to the syslog-ng knowledge base
Lastly, here's a great paper on syslog management:
Building Scalable Syslog Management Solutions -
Hello, I have started using the new syslog feature on my PMS 11.31. Do you have any experience with parsing logs for SIEM? I am using IBM Qradar and it looks like I will have to parse the information collected from Fsecure logs manually. Do you have any xml file prepared which could help me with that?
Qradar DSM for F-secure would be ideal.
Hi there,
The Connector behavior is documented in detail in the Connector manual,
I believe. My understanding is that the Connector tries to identify
"new" event sources based on the *content* of inbound messages - so in
your example above, it would detect a new source labeled 192.168.30.40.
In this case it actually doesn't matter if the data was actually being
sent from some other IP address - the Connector cares about the IP
address in the syslog header. If, however, the message was sent from IP
A and no syslog header was present at all (e.g. the message started with
"A new user..."), then per the RFC the Syslog Connector would inject the
syslog header and identify a new source with IP A.
So one possibility is that the second time you tried this, you sent
data from a different IP address. Also, the Connector doesn't correlate
IPs/hostnames, so if you sent data with the hostname in the header
instead of the IP, that would also be seen as a new source.
I'd check these basics first, and if that still doesn't resolve the
issue we'll dig deeper.
DCorlette
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=446501 -
RSA ACE server SYSLOG collector, Parsing help!
Hi Board.
I am in a very big hurry for developing a RSA ACE collector script. The
already released RSA ACE Collector script is file based and the RSA ACE
server can dump a CSV log report with an interval of a hour as the
fastest possible interval. This is not at all satisfying for the
customer which - due to the latest issue with hacking attacks on EMC's
network both announced in the press and by letter from EMC and to their
customers - is not at all acceptable. They need to have logic for
pattern searches and correlation rules that can respond as close to real
time as possible.
We have with success and without any troubles or big efforts installed
the SNARE agent on the RSA ACE Appliance box. We are receiving the
events from the RSA server correctly (or we are receiving the events as
unsupported events because the events is not parsed correctly, but all
the needed information is there) and I have started development of a new
Collector script based on the Generic Event Collector (Just
doubleclicked on New Collector script in the Ant menu).
So far I have tried some different approaches. I know that I can totally
manipulate with the events received from the Source because I can
pre-set values via the protoEvt.map file. Even further have I been able
to set some other values in the Parse function by using the rec2Evt.map
and then hardcode a value to the desired field by using
rec.-input_record_field-.
Therefore I am pretty convinced that I am on the right track.
Now here is my question:
Based on this copy-pasted s_RXBufferString value (IP addresses and
host+domain values changed for protecting the customer):
Code:
Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
*NB!* Swap out [tab] with a tabulator delimiter!
I have tried this approach (this is the entire Parse Function):
Code:
var ValueArray = this.s_RXBufferString.split("\t");   // "\\t" split on a literal backslash-t, not on a tab
rec.msg = this.s_RXBufferString;
var SourceInfo = ValueArray[0];
rec.sun = ValueArray[1];
//e.InitServiceName = ValueArray[1];
//rec.Service = ValueArray[1];
//e.EventTime = ValueArray[5];
//rec.EvtTime = ValueArray[5];
//e.VendorEventCode = ValueArray[6];
rec.evtCode = ValueArray[6];
e.DeviceName = ValueArray[7];
rec.sun = ValueArray[8];
//e.EffectiveUserID = ValueArray[8];
//var OSInitUser = ValueArray[8];
//e.InitHostName = ValueArray[11];
rec.shd = ValueArray[11];
//ValueArray[12] = ValueArray[12].ltrim();
var AppSpecificMessage = '';
// join the remaining columns; count() does not exist in JavaScript and "t+1" never advanced t
for (var t = 12; t < ValueArray.length; t++) {
    AppSpecificMessage += ValueArray[t];
}
//e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
rec.sip = this.s_RXBufferString.match(/\d+\.\d+\.\d+\.\d+/);   // regex literal: inside "..." the \d escapes are lost
var A = AppSpecificMessage.search(/\(.+\)/);
//e.EventName = 'Debugging RSA';
//e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
rec.evt = AppSpecificMessage.substring(0, A - 1).ltrim();
AppSpecificMessage = AppSpecificMessage.match(/\(.+\)/);   // match() returns an array (or null), not a string
// var B = AppSpecificMessage.search(')');
// var BaseInfo = AppSpecificMessage.substring(A+1,B-1);
// var BaseTmpArray = BaseInfo.split(';');
// var BaseArray = new Array();
/*for (var i = 0; i < BaseTmpArray.length; i++) {
    var str = BaseTmpArray[i].ltrim();
    var TempAr = str.split(':');
    BaseArray.push(TempAr[1].substring(1,-1));
}*/
/*var AgentArr = BaseArray[6].split(".");
AgentArr.reverse();
AgentArr.pop();
AgentArr.reverse();
e.InitHostDomain = AgentArr.join(".");
//rec.InitDomain = AgentArr.join(".");*/
e.InitHostDomain = "corp.ad.local";
if (ValueArray[10] == "Information") {
    rec.sev = "0";
    //e.Severity = "0";
} else if (ValueArray[10] == "Warning") {
    rec.sev = "3";
    //e.Severity = "3";
} else if (ValueArray[10] == "Error") {
    rec.sev = "4";
    //e.Severity = "4";
} else {
    rec.sev = "1";
    //e.Severity = "1";
}
// BaseArray is only filled inside the commented-out loop above, so these lookups fail until it is re-enabled
//e.InitUserID = BaseArray[0];
rec.LoginName = BaseArray[0];
//e.InitUserName = BaseArray[1];
rec.UserName = BaseArray[1];
//e.customerVar35 = BaseArray[2];
//rec.Token = BaseArray[2];
//e.customerVar36 = BaseArray[5];
//rec.Agent = BaseArray[5];
instance.SEND_EVENT = true;
// parsing logic goes here
/*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
    instance.SEND_EVENT = true;
    // If you can't parse...
    //rec.sendUnsupported();
}*/
return true;
But it just laughs at me and won't work. It states that there is a
parsing error: match function something with input.
Can you please help me build a logic that will work as intended? It
should be clear what information or which piece of the text I try to
map to which Event fields (look at the commented-out bits right above or
below the ones that point to a rec.something, because there I have tried
to just map the information directly).
kkrasmussen
kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
View this thread: http://forums.novell.com/showthread.php?t=435715
> - I'm not sure I understand why you replace the tabs with '|' just to do
> the split; why can't you just split on tab? You can also investigate our
> 'safesplit()' method, which understands quoted delimited strings:
> Novell Login
> (not sure that's necessary in this case)
I replaced the tabs with '|' for easier regex searches for both
numbers, alphanumerics and spaces in the same match cases, but with the
opportunity to index better for those searches because I did not need to
worry about the tabs being recognised as whitespace anymore.
The safesplit works fine with '|' but not for this one:
Code:
var AppSpecificArray = AppSpecificMessage.safesplit(";");
It reports that: "Cannot find function safesplit".
If I change that to:
Code:
var AppSpecificArray = AppSpecificMessage.split(/\;/);
It reports that: "Cannot find function split".
> - The 'substring()' method is defined as taking two arguments:
> from Required. The index where to start the extraction. First character
> is at index 0
> to Optional. The index where to stop the extraction. If omitted, it
> extracts the rest of the string
> Neither of those two arguments will *ever* be negative - they always
> count from the beginning of the string. What you're really trying to do
> is to extract the substring from the beginning +1 character, to the end
> -2 characters, which is not how substring() works. But you *can* do
> something like:
> this.evt = Msg.substring(1,Msg.length - 2);
>
Aha, I see. Thanks for the info. However, I tried the suggested this.evt
= Msg.substring(1,Msg.length - 2); but it reports: Cannot call method
"substring" of null. Remember that I have already tested and verified
that I do have a value in the Msg variable.
Here is the newest code. Please notice that I have commented out the
desired "result" and am just trying to get something from at least the
part of the string that I want to parse.
Code:
this.msg = this.s_raw_message2;
var TempTxt = this.s_raw_message2.replace(/\t/g, "|");
var ValueArray = TempTxt.safesplit("|");
var SourceInfo = ValueArray[0];
this.evtCode = ValueArray[6];
this.sip = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
e.DeviceName = ValueArray[7];
//AppSpecificMessage = TempTxt.match(/(?:\().+(?:\))/);
// match() returns an array (or null), never a string: take element [0] before calling string methods.
// After safesplit there is no '|' left inside ValueArray[14], so the original /(?:\|)[^\|]+(?:\()/
// could never match and Msg was null ("Cannot call method substring of null").
var Msg = ValueArray[14].match(/^[^\(]+\(/);
this.evt = Msg ? Msg[0].substring(0, Msg[0].length - 1).replace(/\s+$/, "") : ValueArray[14];
//this.evt = Msg;
var Paren = ValueArray[14].match(/(?:\().+(?:\))/);
AppSpecificMessage = Paren ? Paren[0] : "";   // a string again, so safesplit() can be called on it
if (ValueArray[10] == "Information") {
    this.sev = "0";
} else if (ValueArray[10] == "Warning") {
    this.sev = "3";
} else if (ValueArray[10] == "Error") {
    this.sev = "4";
} else {
    this.sev = "1";
}
// match() gives null when there is no hit, and (null != false) is true in JavaScript; test truthiness instead
if (TempTxt.match(/(?:Login:\')\S+(?:')/)) {
    //var apptemp = AppSpecificMessage.substring(1,AppSpecificMessage.length - 1);
    //var AppSpecificArray = apptemp.safesplit(";");
    var AppSpecificArray = AppSpecificMessage.safesplit(";");
    for (var c = 0; c < AppSpecificArray.length; c++) {   // was "c + 1", which never advanced c
        var key = AppSpecificArray[c].split(/:/);
        if (key[0] == "(Login") {
            if (key[1] == "''") {
                this.iuid = ValueArray[8];
            } else {
                this.iuid = key[1];
                //this.iuid = key[1].substring(1,key[1].length - 1);
            }
        }
        if (key[0] == " User Name") {
            if (key[1] == "''") {
                this.sun = "System";
            } else {
                this.sun = key[1];
                //this.sun = key[1].substring(1,key[1].length - 1);
            }
        }
        if (key[0] == " Agent Host") {
            if (key[1] == "'')") {
                this.shd = "Unknown Host Domain";
            } else {
                //var TempArr = key[1].substring(1,key[1].length - 1).safesplit(".");
                var TempArr = key[1].split(/\./);   // was key[1].plit(...), a typo
                TempArr.reverse();
                TempArr.pop();      // drop the host label, keep the domain part
                TempArr.reverse();
                this.shd = TempArr.join(".");
            }
        }
        if (key[0] == " Token") {
            if (key[1] != "''") {
                e.CustomerVar35 = key[1];
                //e.CustomerVar35 = key[1].substring(1,key[1].length - 1);
            }
        }
    }
} else {
    this.shd = "Unknown Host Domain";
    this.iuid = ValueArray[8];
    this.sun = "System";
}
instance.SEND_EVENT = true;
return true;
kkrasmussen
kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
View this thread: http://forums.novell.com/showthread.php?t=435715
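As an added example (written for this page in Python, not in the Sentinel collector's JavaScript API, and not the poster's code), here is the parse logic the two scripts in this thread are reaching for: split the SNARE record on tabs, take the source IP from the syslog header column, the Windows event code and severity from fixed columns, and break the parenthesised `Key:'value'` list of the ACE message apart with a regex that keeps commas and semicolons inside quoted values intact (`Doe, John`). The column positions and the rule "the message is the second-to-last column, followed by the expand count" are assumptions taken from the single sample record above; the fallbacks (Windows user column when `Login` is empty, "System", "Unknown Host Domain") mirror the poster's own choices.

```python
import re
from typing import Any, Dict

# Constructed from the sample record in the post above, with real tab characters.
SAMPLE_RECORD = "\t".join([
    "Mar 26 05:48:12 192.168.1.100 hostname", "MSWinEventLog", "4", "Application",
    "14765", "Sat Mar 26 10:48:12 2011", "1011", "ACESERVER6.1", "Unknown User",
    "N/A", "Information", "hostname", "Devices", "", "",
    "Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; "
    "Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').",
    "14617",
])

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Key:'value' pairs; the value may contain ';' or ',' because it is single-quoted
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):'([^']*)'")
PAREN_RE = re.compile(r"\((.*)\)")       # greedy: from the first '(' to the last ')'

# Windows event type -> severity, the mapping the poster's script uses
SEVERITY = {"Information": 0, "Warning": 3, "Error": 4}


def parse_snare_record(record: str) -> Dict[str, Any]:
    """Parse one SNARE MSWinEventLog line carrying an RSA ACE event."""
    cols = record.split("\t")
    if len(cols) < 12:
        raise ValueError("not a SNARE MSWinEventLog record")
    header, message = cols[0], cols[-2]   # assumed layout: message, then expand count
    ip = IPV4_RE.search(header)
    event_name = message.split("(", 1)[0].strip()
    inner = PAREN_RE.search(message)      # None when the message has no (...) part
    fields = dict(KV_RE.findall(inner.group(1))) if inner else {}
    agent_host = fields.get("Agent Host", "")
    agent_domain = agent_host.split(".", 1)[1] if "." in agent_host else ""
    return {
        "source_ip": ip.group(1) if ip else None,
        "vendor_event_code": cols[6],
        "device_name": cols[7],
        "severity": SEVERITY.get(cols[10], 1),
        "event_name": event_name,
        "login": fields.get("Login") or cols[8],          # fall back to the Windows user column
        "user_name": fields.get("User Name") or "System",
        "agent_domain": agent_domain or "Unknown Host Domain",
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in parse_snare_record(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The pitfall both JavaScript versions hit is the same one `PAREN_RE.search` has here: a regex match returns a match object (an array in JavaScript) or nothing, never a plain string, so it has to be tested and unwrapped before any string method is called on it.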