CRYPTO-4-PKT_REPLAY_ERR syslog parsing

Similar Messages

• %CRYPTO-4-PKT_REPLAY_ERR:

  I have been seeing the following error message in the logs for a few days now.
  %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
          connection id=4587, sequence number=17094
  I managed to track down the connection id:4587 and I can see the peer IP with the actual recv errors. There is no issues with the VPN itself, traffic is working fine.
  I have tried to increase the actual window size under the specific crypto map for that particular peer and it makes no difference. Even cleared the sa after applying the changes.
  crypto map xxxxxxxxx 1 ipsec-isakmp
  set peer xxx.xxx.xxx.xxx
  security-association replay window-size 1024
  Have increased the replay window globally to 1024 however the errors keep appearing.
  crypto ipsec security-association replay window-size 1024
  Has anyone actually disabled the replay window checking? did it impact anything?
  crypto ipsec security-association replay disable
  no crypto ipsec security-association replay window-size 1024
  does it actually stop the replay_errors?
  or to stop these errors do you need to change the hash algorithm from sha instead of md5?

  Adam,
  I don't have a resolution yet, so I opened a TAC case last Saturday.  I'll keep you posted on this forum.

• Frequent %CRYPTO-4-PKT_REPLAY_ERR: log messages

  Hi All,
  I get following log message on my spoke 881 router from time to time.
  For instance today I got 80 messages like this.
  Frequent %CRYPTO-4-PKT_REPLAY_ERR: log messages
  This is dual hub DMVPN connectivity and both tunnels are stable during the day and EIGRP never dropped.
  User behind this router also never complained. They run mainly voip traffic and I have QoS both on HUB and Spokes defined under tunnel as qos-preclassify and policy-map is applied on the physical interface.
  I have also increased replay window size up to 1024, but it did not help.
  Wondering what else can be done here.
  IOS ver both on spokes and hub is 15.2.3(T3)

  Don't know where they came from, but you could turn on debugging ipsec and isakmp to see if there is a relation with other events like rekeying.
  Michael
  Please rate all helpful posts

• CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

  Center router is cisco 7300 :
  Cisco IOS Software, 7301 Software (C7301-ADVIPSERVICESK9-M), Version 15.1(4)M2
  branch router is cisco1900:
  Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
  one branch router use EZVPN to connect the Center router .
  branch router logg :
  %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
  and 10% lose packets .
  but other branch use EZVPN to connect the Center router , is OK :
  Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
  What can do for this issue ?
  Should I change the cisco1900 IOS to the 12.4 as the same as cisco880 ?

  Hi Anuj
  Thanks for your reply.
  Yes , the issue happens frequently , and lost packets  .  The log happand every 3 minutes.
  As I am not in charge the router in branch , I can not change the hardware accelerator.
  I have change the windows-size to 1024 in the branch router , but the issue is as befroe .
  Here is the show crypto ipse sa and the whole error message:
  sh crypto ipsec sa
  interface: Virtual-Access1
      Crypto map tag: Virtual-Access1-head-0, local addr 
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     current_peer                port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 519, #pkts encrypt: 519, #pkts digest: 519
      #pkts decaps: 665, #pkts decrypt: 665, #pkts verify: 665
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.:       , remote crypto endpt.:  
       path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
       current outbound spi: 0x550C1C42(1426857026)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x38F532D7(955593431)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2091, flow_id: Onboard VPN:91, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
          sa timing: remaining key lifetime (k/sec): (4561181/3566)
          IV size: 16 bytes
          replay detection support: Y  replay window size: 1024
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550C1C42(1426857026)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2092, flow_id: Onboard VPN:92, sibling_flags 80000046, crypto map: Virtual-Access1-head-0
          sa timing: remaining key lifetime (k/sec): (4561911/3566)
          IV size: 16 bytes
          replay detection support: Y  replay window size: 1024
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:
  Dec 20 01:34:32.656: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
          connection id=91, sequence number=12353
  Dec 20 01:39:06.552: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
          connection id=91, sequence number=18191
  Dec 20 01:40:38.532: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
          connection id=91, sequence number=20363
  Dec 20 01:43:05.856: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
          connection id=91, sequence number=23609

• %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1777, sequence number=161369

  I have a pair of 3945E routers I use as redundant VPN head-ends in our data center and numerous 2901 and one 2951 used as spoke routers.  Each of the spokes is connected to the 3945's over VTI tunnels three and four.  We regularly see replay errors occur, but this morning, we had it get disruptive enough on one of the tunnels on the 2951 where we were experienced 80 to 90 percent packet loss across that one tunnel.  This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.
  I'm needing to understand how to reduce or completely eliminate the replay errors.  I've read something about increasing the replay window size, but don't have a clue where to start.  What is the best way to fix this without disabling replay checking?  Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?
  Thanks in advance!
  Paul WIshart

  Adam,
  I don't have a resolution yet, so I opened a TAC case last Saturday.  I'll keep you posted on this forum.

• "Crypto replay check failed" errors

  Hey folks,
  I have a site-to-site IPSEC VPN using 2 catalyst 6500's running IOS 12.2(18)SXD7b on each end.
  After reviewing the syslog files this morning, I noticed that for the last 4 days at approximately the same time each nite, my router reports this error:
  Local7.Warning: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
  The error reporting tool on cisco.com says this error is benign, but does not give much info or troubleshooting tips. I've double checked my configuration and everything looks fine. Have you guys seen this before? Any tips?
  Thanks,
  SM

  Hi Steve, check this link if it can help you:
  http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K07229553
  Regards,
  Ricardo

• Crypto error

  Can anyone tell me was this error means? We are running encrypted GRE tunnels router to router. AES 256
  Apr  4 16:09:41.349 EDT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
          connection id=7357, sequence number=1860336

  HTH
  I am not seeing a lot of these. I will keep an eye on it though.
  Thank you
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Doug Bradfield
  Network Analyst Ld
  TSYS Network Services / Network Engineering
  706-644-3559
  From: rburts
  To: Douglas Bradfield ,
  Date: 04/07/2012 04:15 PM
  Subject: - Re: Crypto error
  Home
  Re: Crypto error
  created by Richard Burts in VPN - View the full discussion
  Douglas
  As part of the IPSec implementation of the encrypted GRE tunnel it checks
  on packets received to make sure that it has not seen that packet before.
  In this case it believes that it has seen this packet before. It looks
  like, for some reason, something along the path has re-transmitted this
  packet. I see this kind of message with some frequency and as long as
  there are not a lot of them I do not think that it is a big problem. Are
  you seeing a few or a lot of these?
  HTH
  Rick
  Reply to this message by going to Home
  Start a new discussion in VPN at Home

• Problem : tcl script for filter IPSec cosmetic log

  Hi all, I would like some advice from anyone who ever see this case. I applied tcl script for filter ipsec error log that log is cosmetic. But my site want to don't see this log from router log. I already create tcl script for filter it out. Ok script can work fine but it more work. It filter other message not just ipsec log out. I check cisco device that support script. How can I fix this problem.
  See my detail of script and ios version of router :
  script :
  # VPN_Error.tcl  This script deletes all log messages about VPN error messages
  # The script will filter by combination between facility-serverity and mnemonic      
  # Created on 05-Oct-2012.
  set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
  set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
  foreach msg $msgs {
      if { $msg == $fac_sev_mnem } {
      return ""
  return $::orig_msg
  ios router version :
  : c2800nm-adventerprisek9-mz.124-25f.bin
  : c2800nm-adventerprisek9-mz.124-7b.bin
  log information and configuration
  When I applied command:
  logging filter flash:VPN_Filter2.tcl
  logging buffered filtered 4096 debugging
  show log file:
  router#sh logg
  Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                  0 flushes, 0 overruns, xml disabled, filtering enabled)
      Console logging: level debugging, 18145 messages logged, xml disabled,
                       filtering disabled
      Monitor logging: level debugging, 428 messages logged, xml disabled,
                       filtering disabled
          Logging to: vty322(2)
      Buffer logging: level debugging, 0 messages logged, xml disabled,
                      filtering enabled (0 messages logged)
      Logging Exception size (4096 bytes)
      Count and timestamp logging messages: disabled
  Filter modules:
      flash:VPN_Filter2.tcl  
      Trap logging: level informational, 47011 message lines logged
          Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                 filtering disabled
          Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                 filtering disabled
          Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                 filtering disabled
  --More--                          
  Log Buffer (4096 bytes):
  router#
  If you have some more information. Please tell me.
  Thank you for your advice

  It looks like your script has an error.  You have an extra '}'.  It should be:
  # VPN_Error.tcl  This script deletes all log messages about VPN error messages# The script will filter by combination between facility-serverity and mnemonic       # Created on 05-Oct-2012.#set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"foreach msg $msgs {    if { $msg == $fac_sev_mnem } {        return ""    } } return $::orig_msg

• Is QOS causing IPSEC replay errors?

  Should there be a "service-policy" command on the outbound interface when using the "qos pre-classify" under the crypto map?
  I have several point-to-point links that use both the qos pre-classify and the service-policy on the interface, and all those links generate %CRYPTO-4-PKT_REPLAY_ERR errors under load.
  Other links that only encrypt are not getting the %CRYPTO-4-PKT_REPLAY_ERR errors under load.
  The documentation for QOS and VPN: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ac4.html
  Only states to use the "qos pre-classify" ???
  I believe the packets are going through the QOS process twice. Once before encryption, and then again afterward resulting in the resequencing.

  Hi,
  IPSec replay error can also be caused due to a smaller replay window size. You might wanna try in creasing the replay window size.
  http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
  HTH,
  -Kanishka

• 3030 Concentrator Site to Site

  Trying to setup L2L VPN. Once the L2L is enabled, does it attempt to connect immediately? Also, how can I view the logs to see what is successful/failing on this or any other VPN connection.
  Thank you.

  You need to generate traffic requiring crypto protection (defined by your crypto ACL) in order to initiate the negotiation of an ISAKMP SA, which will establish a secure channel through which IPSec SAs will be negotiated.
  Don't have access to a 3030 Concentrator, but on an IOS system you'd check status with:
  show crypto isakmp sa detail
  show crypto ipsec sa detail
  Perhaps, log crypto sessions in syslog with:
  crypto logging session
  ... and perhaps:
  deny ip any any log
  ... as the last ACE in interface ACLs to identify configuration errors, and the presence of traffic that violates security policy.

• Collector Rule stays with the same Description after "fast" generated Events - (Custom MP)

  Hi , I have a problem to customize one management pack
  I use this MP for a reference
  http://windowsmasher.wordpress.com/2011/02/07/monitoring-esxi-syslogs-with-opsmgr-2007-r2/
  The problem is when I generate event (they are syslog events) the description Data is all the same for some time :)
  For example if I generate 10 events fast , the description is all the same , but the data inside is different. MP should take XML element with Powershell script and it's working fine for a "slow" published events.
  I don't know why only the description data is the same . I tried to modify the script to NULL the $bag variable and $xmlMessage but without any luck.
  Any help will be appreciated
  I'm trying to build SYSLOG parser to visualize my data and eventually to do some reports.

  Still having a problem? Can you explain a little more what the issue is? Are you saying the event collection provider does not work correctly when there is a burst of events matching your criteria?
  Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

• Syslog Collector w/ File Connector Parsing Issue

  Dear all,
  Recently, I had a requirement from a customer.
  They have various Linux systems. They want to pass all syslog to
  sentinel, but not by syslog connector for some reasons.
  Therefore, they throw us those syslog in text file, and ftp it for
  sentinel reading.
  The problem is that this.RXBufferstring could not be 100% parsed in all
  kinds of messages. Sometimes there would be error.
  But when they use Syslog connector. Every event fields seem to be parsed
  correctly.
  So is there any methods to use syslog collector w/file connector
  correctly?
  Or how do people handle this kind of problem?
  Please assist. Thanks a lot.
  andy_ho
  andy_ho's Profile: https://forums.netiq.com/member.php?userid=4568
  View this thread: https://forums.netiq.com/showthread.php?t=51453

  On 08/01/2014 04:26 AM, andy ho wrote:
  >
  > Dear all,
  >
  > Recently, I had a requirement from a customer.
  >
  > They have various Linux systems. They want to pass all syslog to
  > sentinel, but not by syslog connector for some reasons.
  > Therefore, they throw us those syslog in text file, and ftp it for
  > sentinel reading.
  >
  > The problem is that this.RXBufferstring could not be 100% parsed in all
  > kinds of messages. Sometimes there would be error.
  > But when they use Syslog connector. Every event fields seem to be parsed
  > correctly.
  >
  > So is there any methods to use syslog collector w/file connector
  > correctly?
  > Or how do people handle this kind of problem?
  No supported way, no. The testing between collector and connector is done
  so that certain methods are easy, reliable, and supported. Just because
  data are grabbed from one media (network, syslog specifically) and written
  to another (file) does not mean that nothing else is changed, and the
  syslog collectors may be assuming other properties (such as the event
  source IP address) are there when they are not.
  You can probably make this work, but you'll likely need to customize the
  collector in order to do it. The alternative is to use the debugging
  feature of the collector to find out what is wrong with certain events and
  possibly modify them on the event source side. Either way, you're going
  to have a scenario that is not supported so it may be worth revisiting the
  requirement to use a file vs. syslog just in case support matters more
  than the "for some reasons" that they want to go with a file.
  Good luck.
  If you find this post helpful and are logged into the web interface,
  show your appreciation and click on the star below...

• CiscoWorks LMS 4.1, syslog analyzer parsing non-Cisco device.

  Hello.
  Can Syslog Analyzer parse syslog messages coming from a Non-Cisco device?
  I'm trying to parse message from a HP Virtual Connect module without success.
  Thanks.
  Andrea

  Hi Andrea,
  You could use syslog-ng to write a generic mnemonic into the message and forward it to LMS.
  Something like:
  syslog-ng->add fac-sev-mne: message->lms
  However, I would also caution you that LMS is *not* meant to be a "syslog" manager - there are usually way to many syslog messages in most environments for it to handle that many - which is why most syslog managers are standalone servers.
  In order to make sure that the NMS systems that syslog-ng forward messages to receive the correct source, syslog-ng needs to be compiled with the source spoof option. This will allow messages received on other NMS’s (such as LMS) to appear to come from the original devices rather than from the syslog-ng server.
  Compiling from source:
  Install the syslog-ng prerequisites from Balabit
  You must configure syslog-ng with --enable-spoof-source in order to enable the spoof source feature (which is disabled by default).
  ./configure --enable-spoof-source
  make && make install
  If you run into any issues during the installation, you can refer to the syslog-ng forum  or you can refer to the syslog-ng knowledge base
  Lastly, here's a great paper on syslog management:
  Building Scalable Syslog Management Solutions

• Syslog - log parsing

  Hello,I have started using new syslog feature on my PMS 11.31. Do You have any expirience with parsig logs for SIEM? I am using IBM Qradar and it looks like I will have to parse information collected from Fsecure logs manualy. Do You have any xml file prepared which could help me with that?
  Qradar DSM for F-secure would be ideal.

  Hi there,
  The Connector behavior is documented in detail in the Connector manual,
  I believe. My understanding is that the Connector tries to identify
  "new" event sources based on the *content* of inbound messages - so in
  your example above, it would detect a new source labeled 192.168.30.40.
  In this case it actually doesn't matter if the data was actually being
  sent from some other IP address - the Connector cares about the IP
  address in the syslog header. If, however, the message was sent from IP
  A and no syslog header was present at all (e.g. the message started with
  "A new user..."), then per the RFC the Syslog Connector would inject the
  syslog header and identify a new source with IP A.
  So one possibility is that the second time you tried this, you sent
  data from a different IP address. Also, the Connector doesn't correlate
  IPs/hostnames, so if you sent data with the hostname in the header
  instead of the IP, that would also be seen as a new source.
  I'd check these basics first, and if that still doesn't resolve the
  issue we'll dig deeper.
  DCorlette
  DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
  View this thread: http://forums.novell.com/showthread.php?t=446501

• RSA ACE server SYSLOG collector, Parsing help!

  Hi Board.
  I am in a very big hurry for developing a RSA ACE collector script. The
  already released RSA ACE Collector script is file based and the RSA ACE
  server can dump a CSV log report with an interval of a hour as the
  fastest possible interval. This is not at all satisfying for the
  customer which - due to the latest issue with hacking attacks on EMC's
  network both announced in the press and by letter from EMC and to their
  customers - is not at all acceptable. They need to have logic for
  pattern searches and correlation rules that can respond as close to real
  time as possible.
  We have with success and without any troubles or big efforts installed
  the SNARE agent on the RSA ACE Appliance box. We are receiving the
  events from the RSA server correctly (or we are receiving the events as
  unsupported events because the events is not parsed correctly, but all
  the needed information is there) and I have started development of a new
  Collector script based on the Generic Event Collector (Just
  doubleclicked on New Collector script in the Ant menu).
  So far I have tryed some different approaches. I know that I can totaly
  manipulate with the events received from the Source because I can
  pre-set values via the protoEvt.map file. Even further have I been able
  to set some other values in the Parse function by using the rec2Evt.map
  and then hardcode a value to the desired field by using
  rec.-input_record_field-.
  Therefor I am pretty convinced that I am on the right track.
  Now here is my question:
  Based on this copy-pasted s_RXBufferString value (IP addresses and
  host+domain values changed for protecting the customer):
  Code:
  Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
  *NB!* Swap out [tab] with tablulator delimiter!
  I have tryed this approach (this is the entire Parse Functiomn):
  Code:
  var ValueArray = this.s_RXBufferString.split("\\t");
  rec.msg = this.s_RXBufferString;
  var SourceInfo = ValueArray[0];
  rec.sun = ValueArray[1];
  //e.InitServiceName = ValueArray[1];
  //rec.Service = ValueArray[1];
  //e.EventTime = ValueArray[5];
  //rec.EvtTime = ValueArray[5];
  //e.VendorEventCode = ValueArray[6];
  rec.evtCode = ValueArray[6];
  e.DeviceName = ValueArray[7];
  rec.sun = ValueArray[8];
  //e.EffectiveUserID = ValueArray[8];
  //var OSInitUser = ValueArray[8];
  //e.InitHostName = ValueArray[11];
  rec.shd = ValueArray[11];
  //ValueArray[12] = ValueArray[12].ltrim();
  var AppSpecificMessage = '';
  for(var t = 12; t<count(ValueArray); t+1)
  AppSpecificMessage += ValueArray[t];
  //e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
  rec.sip = this.s_RXBufferString.match("\d+\.\d+\.\d+\.\d+");
  var A = AppSpecificMessage.search('\(.+\)');
  //e.EventName = 'Debugging RSA';
  //e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
  rec.evt = AppSpecificMessage.substring(0,A-1).ltrim();
  AppSpecificMessage = AppSpecificMessage.match('\(.+\)');
  // var B = AppSpecificMessage.search(')');
  //var B = AppSpecificMessage.search(')');
  // var BaseInfo = AppSpecificMessage.substring(A+1,B-1);
  // var BaseTmpArray = BaseInfo.split(';');
  // var BaseArray = new Array();
  /*for(var i = 0; i<count(BaseTmpArray); i+1)
  var str = BaseTmpArray[i].ltrim();
  var TempAr = str.split(':');
  BaseArray.push(TempAr[1].substring(1,-1));
  /*var AgentArr = BaseArray[6].split(".");
  AgentArr.reverse();
  AgentArr.pop();
  AgentArr.reverse();
  e.InitHostDomain = AgentArr.join(".");
  //rec.InitDomain = AgentArr.join(".");
  e.InitHostDomain = "corp.ad.local";
  if (ValueArray[10] == "Information")
  rec.sev = "0";
  //e.Severity = "0";
  else if (ValueArray[10] == "Warning")
  rec.sev = "3";
  //e.Severity = "3";
  else if (ValueArray[10] == "Error")
  rec.sev = "4"
  //e.Severity = "4";
  else
  rec.sev = "1";
  //e.Severity = "1";
  //e.InitUserID = BaseArray[0];
  rec.LoginName = BaseArray[0];
  //e.InitUserName = BaseArray[1];
  rec.UserName = BaseArray[1];
  //e.customerVar35 = BaseArray[2];
  //rec.Token = BaseArray[2];
  //e.customerVar36 = BaseArray[5];
  //rec.Agent = BaseArray[5];
  instance.SEND_EVENT = true;
  // parsing logic goes here
  /*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
  instance.SEND_EVENT = true;
  // If you can't parse...
  //rec.sendUnsupported();
  return true;
  But it just laughs at me and wont work. It states that there is a
  parsing error: match function something with input.
  Can you please help me build a logic that will work as intended? It
  should be clear what information or which piece of the text that I try
  map to which Event fields (look at the outcommented bits right above or
  below the ones that point to a rec.something because there I have tryed
  just map the information directly).
  kkrasmussen
  kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
  View this thread: http://forums.novell.com/showthread.php?t=435715

  > - I'm not sure I understand why you replace the tabs with '|' just to do
  > the split; why can't you just split on tab? You can also investigate our
  > 'safesplit()' method, which understands quoted delimited strings:
  > Novell Login
  > (not sure that's necessary in this case)
  I replaced the tabs with '|' foir easier regex searchess for both
  numbers, alphanummeric and spaces in same match cases - but with the
  opportunity to index better for those searches because I did not need to
  worry about the tabs being recognised as whitespaces anymore.
  The safesplit works fine with '|' but not for this one:
  Code:
  var AppSpecificArray = AppSpecificMessage.safesplit(";");
  It reports that: "Cannot find function safesplit".
  If I change that to:
  Code:
  var AppSpecificArray = AppSpecificMessage.split(/\;/);
  It reports that: "Cannot find function split".
  > - The 'substring()' method is defined as taking two arguments:
  > from Required. The index where to start the extraction. First character
  > is at index 0
  > to Optional. The index where to stop the extraction. If omitted, it
  > extracts the rest of the string
  > Neither of those two arguments will *ever* be negative - they always
  > count from the beginning of the string. What you're really trying to do
  > is to extract the substring from the beginning +1 character, to the end
  > -2 characters, which is not how substring() works. But you *can* do
  > something like:
  > this.evt = Msg.substring(1,Msg.length - 2);
  >
  Aha I see. Thanks for the info. However, I tried the suggested this.evt
  = Msg.substring(1,Msg.length - 2); but it reports: Cannot call method
  "substring" of null. Remember that I have already testet and verified
  that I do have a value in the Msg variable.
  Here is the newest code. Please notice that I have outcommented the
  desired "result" and is just trying to get something from at least the
  part of the string that I want to parse.
  Code:
  this.msg = this.s_raw_message2;
  var TempTxt = this.s_raw_message2.replace(/\t/g,"|");
  var ValueArray = TempTxt.safesplit("|");
  var SourceInfo = ValueArray[0];
  this.evtCode = ValueArray[6];
  this.sip = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
  e.DeviceName = ValueArray[7];
  //AppSpecificMessage = TempTxt.match(/(?:\().+(?:\))/);
  var Msg = ValueArray[14].match(/(?:\|)[^\|]+(?:\()/);
  this.evt = Msg.substring(1,Msg.length - 2);
  //this.evt = Msg;
  AppSpecificMessage = ValueArray[14].match(/(?:\().+(?:\))/);
  if (ValueArray[10] == "Information")
  this.sev = "0";
  else if (ValueArray[10] == "Warning")
  this.sev = "3";
  else if (ValueArray[10] == "Error")
  this.sev = "4"
  else
  this.sev = "1";
  if(TempTxt.match(/(?:Login:\')\S+(?:')/) != false)
  //var apptemp = AppSpecificMessage.substring(1,AppSpecificMessage. length - 1);
  //var AppSpecificArray = apptemp.safesplit(";");
  var AppSpecificArray = AppSpecificMessage.safesplit(";");
  for(var c = 0; c<count(AppSpecificArray); c + 1)
  var key = AppSpecificArray[c].split(/:/);
  if (key[0] == "(Login")
  if (key[1] == "''")
  this.iuid = ValueArray[8];
  else
  this.iuid = key[1];
  //this.iuid = key[1].substring(1,key[1].length - 1);
  if (key[0] == " User Name")
  if (key[1] == "''")
  this.sun = "System";
  else
  this.sun = key[1];
  //this.sun = key[1].substring(1,key[1].length - 1);
  if (key[0] == " Agent Host")
  if (key[1] == "'')")
  this.shd = "Unknown Host Domain";
  else
  //var TempArr = key[1].substring(1,key[1].length - 1).safesplit(".");
  var TempArr = key[1].plit(/\./);
  TempArr.reverse();
  TempArr.pop();
  TempArr.reverse();
  this.shd = TempArr.join(".");
  if (key[0] == " Token")
  if (key[1] != "''")
  e.CustomerVar35 = key[1];
  //e.CustomerVar35 = key[1].substring(1,key[1].length - 1);
  else
  this.shd = "Unknown Host Domain";
  this.iuid = ValueArray[8];
  this.sun = "System";
  instance.SEND_EVENT = true;
  return true;
  kkrasmussen
  kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
  View this thread: http://forums.novell.com/showthread.php?t=435715