Novell vs. Tally Collector

While browsing through the various posts in the forum I came across this comment from one of the users that caught my attention:
"You can launch the collection editor from the client workstation to perform the inventory using the command line below, even when all your collection option sets are set to not run the collection editor. The collection editor must be installed on the workstation for this process to work properly.
"C:\Program Files\Novell\ZENworks\Asset Management\Bin\cclient.exe" scannow:edit
(or if you have upgraded from TSCensus use
"C:\Program Files\Tally Systems Corp\TSCensus\Bin\cclient.exe" scannow:edit )"
My question is this, we are on ZAM 7.5 IR17, we started way back under Tally TSCensus 2.0. When I look under Program Files I see an entry for both Novell and Tally. Will having both of them in place cause any problems? I do get system information on a regular basis, I just want to make sure it is not something that I should be worried about.

DaryRo,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Forums Team
http://forums.novell.com

Similar Messages

  • Difference between Collector Builder & SDK for Parsing

    Novice, with still much to read, but; I was on a path of setting up SDK
    (for Sentinel Classic, btw most help and posts are about RD or SLM) and
    then discovered the Collector Builder in regard to modifying the Novell
    Identity Manager collector parsing script.
    So there seems to be at least 2 ways to modify a parsing script, and
    that's where the Collector Builder seems simpler. But, difficulty here,
    instructions state start out with templates, but the interface only lets
    me create new? I have done a Debug, LiveMode, download of the stopped
    versions Novell_Identity-Manager_6.1r5 & ...r6 (a beta version we have).
    Within the collector_workspace directory I can see the content, but the
    UI for Collector Builder is not picking up any templates or importing
    any of the collector files, for the purpose of script examples in this
    interface.
    So maybe bottom line is: I would like to view the differences in the
    versions, which seem to be around the file "event.js" and others. This
    version difference parses the message field and extracts from a User
    Application Workflow event the Process ID and places that value into
    EventGroupID. Which is the unique key value of each UA Workflow start
    to finish. With this parse in place, then development of a Crystal
    Report is possible around the UA workflows, how many did each
    department do? etc. and other metrics around the UA workflows. However,
    I now need to parse additional data from this "big gob" of the Message
    field. Don't know JavaScript yet, so need these samples, and how to see
    them in Collector Builder.
    jabrownzz
    jabrownzz's Profile: http://forums.novell.com/member.php?userid=79568
    View this thread: http://forums.novell.com/showthread.php?t=430364

    The Collector Builder is not something you should be using. It only works
    with the legacy collector (none of the current collectors are using that
    language anymore) and generally speaking it isn't a great tool
    (windows-only, legacy-only, crash-happy, bleh). The Sentinel SDK is for
    everything Sentinel, though most customers seem to be using Sentinel RD
    and Log Manager because they are so much easier while providing the same
    (or similar in the case of Log Manager) functionality.
    Good luck.
    On 01/19/2011 12:36 PM, jabrownzz wrote:
    >
    > Novice, with still much to read, but; I was on a path of setting up SDK
    > (for Sentinel Classic, btw most help and posts are about RD or SLM) and
    > then discovered the Collector Builder in regard to modifying the Novell
    > Identity Manager collector parsing script.
    >
    > So there seems to be at least 2 ways to modify a parsing script, and
    > that's where the Collector Builder seems simpler. But, difficulty here,
    > instructions state start out with templates, but the interface only lets
    > me create new? I have done a Debug, LiveMode, download of the stopped
    > versions Novell_Identity-Manager_6.1r5 & ...r6 (a beta version we have).
    > Within the collector_workspace directory I can see the content, but the
    > UI for Collector Builder is not picking up any templates or importing
    > any of the collector files, for the purpose of script examples in this
    > interface.
    >
    > So maybe bottom line is: I would like to view the differences in the
    > versions, which seem to be around the file "event.js" and others. This
    > version difference parses the message field and extracts from a User
    > Application Workflow event the Process ID and places that value into
    > EventGroupID. Which is the unique key value of each UA Workflow start
    > to finish. With this parse in place, then development of a Crystal
    > Report is possible around the UA workflows, how many did each
    > department do? etc. and other metrics around the UA workflows. However,
    > I now need to parse additional data from this "big gob" of the Message
    > field. Don't know JavaScript yet, so need these samples, and how to see
    > them in Collector Builder.
    >
    >

  • Zen Asset Manager consulting

    Hi everyone,
    Is there a company anyone can recommend (other than Novell) for ZAM consulting? We were dealing with ITAM Services, who were two guys who were formerly with Tally, but they seem to have gone under.
    I'm looking to get some help with a 7.5 to 10 migration and some custom reporting.
    Thanks
    Murray

    Yes. Our ZAM 7.5 seems to have gone seriously wrong somewhere... I have almost 1/3 of my computers not reporting in... Looked at putting in V10 but as far as I can tell none of my data was migrated using the tool... all my purchase records are gone... The guys I used to use were formerly with Novell and Tally Systems but they seem to be gone
    Originally Posted by Jared Jennings
    hmchapman,
    >Is there a company anyone can recommend (other than Novell) for ZAM
    >consulting? We were dealing with ITAM Services, who were two guys who
    >were formerly with Tally, but they seem to have gone under.
    >
    >I'm looking to get some help with a 7.5 to 10 migration and some
    >custom reporting.
    Are you still needing help?
    Jared Jennings
    Novell Support Forums Sysop
    Senior Systems Architect, Data Technique, Inc.
    Twitter@ http://twitter.com/jaredljennings

  • Custom.js Problems

    I am trying to parse some additional data from the IDM Collector from
    either the TargetTrustDomain and TargetUserDomain or the Message itself.
    When I try to put e.TargetTrustDomain or e.TargetUserDomain or
    e.Message into a variable I do not get any data. I am able to put
    e.ExtendedInformation into a variable but it does not contain the data I
    require. What variable do I need to query to parse the information
    contained in those fields?
    marcrusa
    marcrusa's Profile: http://forums.novell.com/member.php?userid=12128
    View this thread: http://forums.novell.com/showthread.php?t=451280

    Hi marcrusa,
    There are a couple things that I'll try to clarify to help you out
    here.
    1) The Collector operates by walking through an execution loop, as
    described via the graphic here:
    'Collectors' (http://www.novell.com/developer/collectors.html)
    As you can see, there's a call out to customParse() (the yellow state
    labeled "parse") after the regular Collector has completed its parsing.
    It's important to note, however, that this ONLY happens if you set the
    Execution Mode parameter of the Collector to 'Custom' (I think you
    already did this).
    2) Your custom code is loaded dynamically from the custom.js file; as a
    result, it's actually not possible to debug it directly (this is a
    limitation of the JS debugger, something that we'd like to fix as Aaron
    mentioned). On the other hand, what you're really concerned about is the
    state of the Collector immediately BEFORE you drop into your
    customParse() method. To that end, the easiest thing to do is to start
    your debugger, scroll all the way to the bottom, and put a break point
    on the line in main.js that calls customParse(). Then when you run the
    code, it should stop just before it calls your custom method. When this
    happens, you can look at the state of the 'rec' global variable in the
    variable browser to see what fields are available to you. When you drop
    into customParse(), 'rec' will become 'this', but otherwise nothing will
    change.
    3) Your customParse() method should then perform whatever additional
    data processing you need to perform on that data. You should store your
    results back into some attribute on 'rec' - it doesn't really matter
    what you call it, as long as you don't overwrite an existing attribute -
    otherwise your results will disappear when customParse() exits.
    4) The way you actually get data from the 'rec' object into the output
    event 'e' is via the Rec2Evt.map file. But rather than modifying that
    file directly and attaching it to the Collector, I would recommend
    creating your own map in the same format (perhaps customR2E.map), adding
    it to the Collector, and then loading it in customInit() using a method
    like
    this.MAPS.Rec2Evt.extend(this.CONFIG.collDir + "/Rec2Evt.map");
    This code will extend the existing map with your custom mappings, but
    what you gain by doing it this way is that Collector upgrades won't
    break your changes.
    One example might be to add something like this to customR2E.map:
    CustomerVar123,targuser.domain
    This would copy rec.targuser.domain into CustomerVar123.
    DCorlette
    DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
    View this thread: http://forums.novell.com/showthread.php?t=451280
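The data flow described in steps 3 and 4 of the answer above, as an added example that is not part of the original post and is not SDK code. It is a simplified stand-in for the collector's rec-to-event mapping, assuming one "EventField,rec.path" pair per map line as in the customR2E.map line quoted above; the shipped map line, the record contents and the attribute names custDomainUpper and custScratch are constructed for illustration.

```javascript
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Parse map text: one "EventField,rec.path" pair per line (format assumed from the post).
function parseMap(text) {
  var map = {};
  text.split(/\r?\n/).forEach(function (line) {
    line = line.trim();
    if (line === "") return;
    var comma = line.indexOf(",");
    if (comma < 1 || comma === line.length - 1) throw new Error("bad map line: " + line);
    map[line.slice(0, comma).trim()] = line.slice(comma + 1).trim();
  });
  return map;
}

// Model of extending a map: custom entries are added to, or replace, shipped ones.
function extendMap(base, extra) {
  var merged = {}, k;
  for (k in base) if (hasOwn(base, k)) merged[k] = base[k];
  for (k in extra) if (hasOwn(extra, k)) merged[k] = extra[k];
  return merged;
}

// Resolve a dotted path such as "targuser.domain" against the record.
function resolve(rec, path) {
  return path.split(".").reduce(function (node, key) {
    return node !== null && typeof node === "object" && hasOwn(node, key)
      ? node[key] : undefined;
  }, rec);
}

// Step 3: derive a value and store it on rec under a NEW attribute name.
function customParse(rec) {
  if (hasOwn(rec, "custDomainUpper")) return false; // never overwrite an existing attribute
  var domain = resolve(rec, "targuser.domain");
  if (typeof domain !== "string") return false;
  rec.custDomainUpper = domain.toUpperCase();
  rec.custScratch = "not mapped";                   // stored on rec but absent from any map
  return true;
}

// Step 4: only attributes named in the map reach the output event.
function buildEvent(rec, map) {
  var e = {}, field, value;
  for (field in map) {
    if (!hasOwn(map, field)) continue;
    value = resolve(rec, map[field]);
    if (value !== undefined) e[field] = value;
  }
  return e;
}

var SHIPPED_MAP = "TargetUserName,targuser.name";   // constructed stand-in for Rec2Evt.map
var CUSTOM_MAP = "CustomerVar123,targuser.domain\nCustomerVar124,custDomainUpper";

function demo() {
  var rec = { targuser: { name: "jdoe", domain: "corp.example" } }; // constructed record
  customParse(rec);
  return buildEvent(rec, extendMap(parseMap(SHIPPED_MAP), parseMap(CUSTOM_MAP)));
}
```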

  • Welcome to the Novell Plug-in SDK Forum!

    Hello all,
    This forum is dedicated to the Novell Plug-in SDK, which currently
    provides a framework for the development of Sentinel and Identity
    Manager plug-in components, namely Reports, Collectors, Actions, and
    Solution Packs, although we do hope to expand that list in the future.
    If you have questions about the SDK, the build scripts, the API, or
    just want advice on the best way to build something, post here and the
    community may provide just the answer you are looking for.
    The Sentinel Plug-In SDK includes libraries and code developed by
    Novell Engineering, as well as template and sample code which you can
    use to begin developing your own projects. Please ensure, however, that
    you understand the official support policy:
    * Novell officially supports the API (classes, attributes, and
    methods) documented as part of this SDK. Novell does not support any
    classes or methods developed by customers to extend their solutions.
    * Novell officially supports the SDK install, build scripts,
    template code and layouts for Collectors, Actions and Reports, except
    for any template code that is in the dev directory for the plug-in
    itself and is modifiable.
    * Novell does not officially support the sample code that is copied
    into the release.js files and which is editable by the developer.
    * Novell will not support any customer- or partner-developed code
    directly, though Novell Support will provide guidance on troubleshooting
    in order to determine whether the bug is in the supported components.
    If you want support above and beyond what you can get from this forum,
    and your issue is with something listed as supported above, then contact
    Novell Support for more assistance.
    DCorlette
    DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
    View this thread: http://forums.novell.com/showthread.php?t=416417


  • Implement custom.js in Generic Event Collector

    Sentinel Log Manager 1.2
    Collector: Generic Event Collector
    Hello,
    Sorry for this low-end question, but I'm going crazy. I am trying to
    implement a custom.js to get some data into CustomerVar fields.
    My problem: I started with simple code and implemented the file as
    described here http://tinyurl.com/cgvtaab. When I checked my Sentinel Log
    Manager, no additional data was written to the event record. I stripped my
    code down to a really simple example, to exclude errors here:
    Collector.prototype.customInit = function() {
      this.protoEvt.CustomerVar21 = "test log";
      return true;
    };
    Record.prototype.customPreparse = function(e) {
      return true;
    };
    Record.prototype.customParse = function(e) {
      return true;
    };
    The collector runs in "custom" execution mode.
    Thanks for help
    Michael
    michaelkuerschner
    michaelkuerschner's Profile: https://forums.netiq.com/member.php?userid=6939
    View this thread: https://forums.netiq.com/showthread.php?t=50155

    Hi folks,
    Couple quick things:
    1) You were absolutely correct to put your code in customInit() as you
    originally did - commenters are correct that the init code is only run
    on startup, but in this case what you're doing is modifying the static
    global protoEvt, which is the template on which all subsequent Events
    are based. If you do run through this in the debugger, then what you
    should see is that immediately after the 'curEvt = new
    Event(instance.protoEvt)' line in main.js (which should be at the bottom
    of your assembled Collector), your 'curEvt' global variable should have
    that CustomerVar21 set in it. Further, when you get to the Event.send()
    bit, the Event you are constructing should have that pre-set. You can of
    course look at the protoEvt object in the debugger as well to make sure
    that it actually was modified by your customInit().
    2) I saw that you actually did call out that you set Custom execution
    mode, but you did not mention AFAIK that you did the 'Add Auxiliary
    File' step to upload your edited custom.js into the Collector. Can we
    assume you did that?
    BTW, just a tip on the debugger: read through:
    http://www.novell.com/developer/plug...tor_debug.html
    Note the bit about scrolling to the bottom of your file to find the main
    loop - this is where all the action happens, so put your breakpoints
    there (typically).
    DCorlette
    DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
    View this thread: https://forums.netiq.com/showthread.php?t=50155

  • Trying to add workforceID to eDirectory Collector

    I'm trying to add WorkforceID to the eDirectory collector.
    I have Eclipse installed and working with the Sentinel SDK plug-in.
    I have the edirectory collector imported and have been looking through
    the various files to get some sort of understanding.
    Could you give me some guidance as to where to start? I need to add
    workforceID to the audit message that is sent to Sentinel and need to
    know which files within the collector I need to make modifications to.
    Also, which file do I need to modify to change the severity levels? I
    need to make some changes to a few different collectors.
    Thanks in advance.
    brembold
    brembold's Profile: http://forums.novell.com/member.php?userid=4186
    View this thread: http://forums.novell.com/showthread.php?t=417817

    Thanks for the feedback... I'll point the customer in the direction of
    the CMP as that is a can of worms I'm not interested in opening.
    Also good feedback on the severity level, they just wanted to see
    different levels of severity for different events for their own internal
    purposes...
    DCorlette;2008652 Wrote:
    > Hi brembold,
    >
    > OK, well this is a lot more complicated than I think you realize.
    >
    > First off, let's be clear: modification of the existing eDirectory
    > Collector is NOT SUPPORTED and will likely break things. There is an
    > approved, controlled process used to modify existing shipping Collectors
    > which is documented on the SDK website:
    > 'Custom Execution Mode - Developer Community'
    > (http://developer.novell.com/wiki/ind...Execution_Mode)
    >
    > In essence, the idea is that you add (not replace) files to the
    > Collector, and extend existing maps and methods as needed to change the
    > Collector's behavior. On the other hand, you will probably need to walk
    > through the existing Collector code to understand how it works, as you
    > may need to manipulate internal variables and so forth that you won't
    > know about unless you browse through the existing Collector code (and
    > maybe debug it, too).
    >
    > OK, that said, let's look at your two issues:
    >
    > 1) Add workforce ID to eDir events. At first blush, this isn't
    > actually possible because eDir doesn't report workforce ID with every
    > event. I am assuming here that you mean that each employee in the
    > enterprise is assigned a workforce ID, and you want to be able to always
    > have that as part of any events that are initiated by that employee.
    > Correct?
    > This won't happen simply by editing the Collector; there's a whole
    > contextual state that the Collector does not have access to. On the
    > other hand, the entire purpose in life of the Compliance Management
    > Platform that we sell is to allow you to inject exactly that contextual
    > state into eDirectory event data, and in the CMP workforceID is most
    > decidedly supported. But, since we spent 9 months with 10 people or so
    > developing that solution, you're not likely to be able to replicate its
    > functionality on your own.
    > If you want to try, however, what I'd suggest is perhaps using a
    > correlation rule to automatically create a map when a workforce ID is
    > assigned to a user DN, and then using the Mapping Service to apply that
    > map when it sees that DN of future input. You can pre-create the map for
    > any pre-existing accounts, since otherwise Sentinel will never know
    > their workforce IDs. Note that none of this requires touching the
    > Collector.
    >
    > 2) Modifying the Severity: Before we get into the HOW, let's discuss
    > the WHY: in Sentinel, the Severity field is defined as a mapping from
    > the original event source's assigned severity, log level, or whatever to
    > Sentinel's 0-5 Severity levels. For many devices, this is fixed and
    > shouldn't be changed, so for example the standard syslog severity levels
    > (7-0, with 0 as most critical) are mapped to Sentinel's 0-5, with 5 as
    > the most critical. Changing this for a Collector or even specific events
    > could potentially break downstream content, and should not be undertaken
    > by the faint of heart. Of course, there are also cases where the event
    > source does NOT assign a severity, and we are forced to invent them
    > based on say the type of event and other "key values" in the event.
    >
    > Now, there are certainly cases where people want to change the
    > "Severity", but in my experience these boil down into three categories:
    >
    > 1) They disagree with the severity assigned by the original event
    > source vendor. So for example they think that a "user add" event that
    > fails in LDAP should have an elevated severity, and the vendor, for
    > whatever reason, didn't do so. The only recourse in this case is really
    > to go complain to the vendor, as we have no control over what they
    > produce. We could certainly override their settings, but then if they
    > went and corrected their side...
    >
    > 2) They disagree with the mappings that we provide by default in our
    > Collector, either the standard level-to-level mappings or, if not
    > available, the mapping we've assigned to some specific event. In this
    > case, feel free to suggest an enhancement or even a bugfix to the
    > specific Collector via Novell's bugzilla, as this is important feedback
    > we want to hear.
    >
    > 3) They really aren't looking for Severity, they're trying to calculate
    > a "risk rating" and, for their specific enterprise, there are certain
    > events that they can define as higher or lower risk than the normal
    > severity assignments. In some cases the customer just isn't interested
    > in, say, modification of certain attributes, or something like that. In
    > other cases the customer wants to lower the risk rating based on what
    > type of asset (server vs. desktop) that the event is coming from. In any
    > case, the point is that the narrowly defined "Severity" field is not
    > really the place to do this; what you really want to do is create a map
    > that combines Severity with some other set of fields (maybe ObserverIP,
    > and create a list of critical assets) and then populates some custom
    > field with your internal risk rating.
    >
    > Now, if you want to just ignore what I said above and really do want to
    > change the standard assigned severities, you can in some cases look for
    > a file like 'severity.map' in the Collector, and if found, duplicate the
    > format and assign your own severities, import that file into the
    > Collector, then import a custom.js file that, in the initialize()
    > method, uses the KeyMap.extend() method to read in your new file and
    > extend/replace the existing mappings.
    >
    > Hope this helps, and if you'd like more assistance please follow up.
    brembold
    brembold's Profile: http://forums.novell.com/member.php?userid=4186
    View this thread: http://forums.novell.com/showthread.php?t=417817

  • RSA ACE server SYSLOG collector, Parsing help!

    Hi Board.
    I am in a very big hurry to develop an RSA ACE collector script. The
    already released RSA ACE Collector script is file based and the RSA ACE
    server can dump a CSV log report with an interval of an hour as the
    fastest possible interval. This is not at all satisfying for the
    customer which - due to the latest issue with hacking attacks on EMC's
    network both announced in the press and by letter from EMC and to their
    customers - is not at all acceptable. They need to have logic for
    pattern searches and correlation rules that can respond as close to real
    time as possible.
    We have with success and without any troubles or big efforts installed
    the SNARE agent on the RSA ACE Appliance box. We are receiving the
    events from the RSA server correctly (or we are receiving the events as
    unsupported events because the events are not parsed correctly, but all
    the needed information is there) and I have started development of a new
    Collector script based on the Generic Event Collector (just
    double-clicked on New Collector script in the Ant menu).
    So far I have tried some different approaches. I know that I can totally
    manipulate the events received from the Source because I can
    pre-set values via the protoEvt.map file. Furthermore, I have been able
    to set some other values in the Parse function by using the rec2Evt.map
    and then hardcode a value to the desired field by using
    rec.-input_record_field-.
    Therefore I am pretty convinced that I am on the right track.
    Now here is my question:
    Based on this copy-pasted s_RXBufferString value (IP addresses and
    host+domain values changed for protecting the customer):
    Code:
    Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
    *NB!* Swap out [tab] with the tab delimiter!
    I have tried this approach (this is the entire Parse function):
    Code:
    var ValueArray = this.s_RXBufferString.split("\\t");
    rec.msg = this.s_RXBufferString;
    var SourceInfo = ValueArray[0];
    rec.sun = ValueArray[1];
    //e.InitServiceName = ValueArray[1];
    //rec.Service = ValueArray[1];
    //e.EventTime = ValueArray[5];
    //rec.EvtTime = ValueArray[5];
    //e.VendorEventCode = ValueArray[6];
    rec.evtCode = ValueArray[6];
    e.DeviceName = ValueArray[7];
    rec.sun = ValueArray[8];
    //e.EffectiveUserID = ValueArray[8];
    //var OSInitUser = ValueArray[8];
    //e.InitHostName = ValueArray[11];
    rec.shd = ValueArray[11];
    //ValueArray[12] = ValueArray[12].ltrim();
    var AppSpecificMessage = '';
    for(var t = 12; t<count(ValueArray); t+1)
    AppSpecificMessage += ValueArray[t];
    //e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
    rec.sip = this.s_RXBufferString.match("\d+\.\d+\.\d+\.\d+");
    var A = AppSpecificMessage.search('\(.+\)');
    //e.EventName = 'Debugging RSA';
    //e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
    rec.evt = AppSpecificMessage.substring(0,A-1).ltrim();
    AppSpecificMessage = AppSpecificMessage.match('\(.+\)');
    // var B = AppSpecificMessage.search(')');
    //var B = AppSpecificMessage.search(')');
    // var BaseInfo = AppSpecificMessage.substring(A+1,B-1);
    // var BaseTmpArray = BaseInfo.split(';');
    // var BaseArray = new Array();
    /*for(var i = 0; i<count(BaseTmpArray); i+1)
    var str = BaseTmpArray[i].ltrim();
    var TempAr = str.split(':');
    BaseArray.push(TempAr[1].substring(1,-1));
    /*var AgentArr = BaseArray[6].split(".");
    AgentArr.reverse();
    AgentArr.pop();
    AgentArr.reverse();
    e.InitHostDomain = AgentArr.join(".");
    //rec.InitDomain = AgentArr.join(".");
    e.InitHostDomain = "corp.ad.local";
    if (ValueArray[10] == "Information")
    rec.sev = "0";
    //e.Severity = "0";
    else if (ValueArray[10] == "Warning")
    rec.sev = "3";
    //e.Severity = "3";
    else if (ValueArray[10] == "Error")
    rec.sev = "4"
    //e.Severity = "4";
    else
    rec.sev = "1";
    //e.Severity = "1";
    //e.InitUserID = BaseArray[0];
    rec.LoginName = BaseArray[0];
    //e.InitUserName = BaseArray[1];
    rec.UserName = BaseArray[1];
    //e.customerVar35 = BaseArray[2];
    //rec.Token = BaseArray[2];
    //e.customerVar36 = BaseArray[5];
    //rec.Agent = BaseArray[5];
    instance.SEND_EVENT = true;
    // parsing logic goes here
    /*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
    instance.SEND_EVENT = true;
    // If you can't parse...
    //rec.sendUnsupported();
    return true;
    But it just laughs at me and won't work. It states that there is a
    parsing error: match function something with input.
    Can you please help me build a logic that will work as intended? It
    should be clear what information or which piece of the text that I try
    to map to which Event fields (look at the commented-out bits right above or
    below the ones that point to a rec.something because there I have tried
    to just map the information directly).
    kkrasmussen
    kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
    View this thread: http://forums.novell.com/showthread.php?t=435715
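A stand-alone parser for the SNARE-forwarded RSA ACE record quoted in the post above, as an added example that is not the poster's code and not part of the Sentinel SDK. The sample line is the post's record with [tab] replaced by real tabs, the severity values follow the post's if/else chain, and the output property names are hypothetical; inside a Collector the result would be copied onto rec attributes rather than returned.

```javascript
// Constructed sample: the record from the post, joined with real tab characters.
var SAMPLE = [
  "Mar 26 05:48:12 192.168.1.100 hostname", "MSWinEventLog", "4", "Application",
  "14765", "Sat Mar 26 10:48:12 2011", "1011", "ACESERVER6.1", "Unknown User",
  "N/A", "Information", "hostname", "Devices", "", "",
  "Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; " +
  "Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').",
  "14617"
].join("\t");

// Event type to severity, as in the post's if/else chain (anything else is "1").
var SEVERITY = { Information: "0", Warning: "3", Error: "4" };

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Parse "Key:'value'; Key:'value'" pairs. Login and User Name are user-supplied,
// so the parse is strict: a repeated key, or any text left over once the quoted
// pairs are removed (e.g. a stray quote inside a value), rejects the record.
function parseDetail(detail) {
  var re = /([A-Za-z][A-Za-z ]*):'([^']*)'/g, out = {}, m, key;
  while ((m = re.exec(detail)) !== null) {
    key = m[1].trim();
    if (hasOwn(out, key)) return null;
    out[key] = m[2];
  }
  if (detail.replace(re, "").replace(/[;\s]/g, "") !== "") return null;
  return out;
}

// Returns the extracted fields, or null when the record should be sent as unsupported.
function parseAceRecord(line) {
  var f = line.split("\t");
  if (f.length < 13 || f[1] !== "MSWinEventLog") return null;

  // The ACE message follows "Devices" after a variable number of empty fields,
  // so it is located by shape ("text (pairs).") instead of by a fixed index.
  var name = null, pairs = null, i, m;
  for (i = 12; i < f.length; i++) {
    m = f[i].match(/^([^(]+)\((.*)\)\.?\s*$/);
    if (m) { name = m[1].trim(); pairs = parseDetail(m[2]); break; }
  }
  if (name === null || pairs === null) return null;

  var ip = f[0].match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/);
  var agent = hasOwn(pairs, "Agent Host") ? pairs["Agent Host"] : "";
  var dot = agent.indexOf(".");
  return {
    sourceIp: ip ? ip[0] : null,
    eventCode: f[6],
    deviceName: f[7],
    osUser: f[8],
    severity: hasOwn(SEVERITY, f[10]) ? SEVERITY[f[10]] : "1",
    reporterHost: f[11],
    eventName: name,
    loginName: hasOwn(pairs, "Login") ? pairs["Login"] : null,
    userName: hasOwn(pairs, "User Name") ? pairs["User Name"] : null,
    token: hasOwn(pairs, "Token") ? pairs["Token"] : null,
    agentHost: agent,
    agentDomain: dot >= 0 ? agent.slice(dot + 1) : ""   // host name minus first label
  };
}
```

Rejected records return null so the caller can forward them as unsupported events for review instead of attributing them to the wrong login or token.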

    > - I'm not sure I understand why you replace the tabs with '|' just to do
    > the split; why can't you just split on tab? You can also investigate our
    > 'safesplit()' method, which understands quoted delimited strings:
    > Novell Login
    > (not sure that's necessary in this case)
    I replaced the tabs with '|' for easier regex searches for both
    numbers, alphanumeric and spaces in same match cases - but with the
    opportunity to index better for those searches because I did not need to
    worry about the tabs being recognised as whitespaces anymore.
    The safesplit works fine with '|' but not for this one:
    Code:
    var AppSpecificArray = AppSpecificMessage.safesplit(";");
    It reports that: "Cannot find function safesplit".
    If I change that to:
    Code:
    var AppSpecificArray = AppSpecificMessage.split(/\;/);
    It reports that: "Cannot find function split".
    > - The 'substring()' method is defined as taking two arguments:
    > from Required. The index where to start the extraction. First character
    > is at index 0
    > to Optional. The index where to stop the extraction. If omitted, it
    > extracts the rest of the string
    > Neither of those two arguments will *ever* be negative - they always
    > count from the beginning of the string. What you're really trying to do
    > is to extract the substring from the beginning +1 character, to the end
    > -2 characters, which is not how substring() works. But you *can* do
    > something like:
    > this.evt = Msg.substring(1,Msg.length - 2);
    >
    Aha I see. Thanks for the info. However, I tried the suggested this.evt
    = Msg.substring(1,Msg.length - 2); but it reports: Cannot call method
    "substring" of null. Remember that I have already tested and verified
    that I do have a value in the Msg variable.
    Here is the newest code. Please notice that I have commented out the
    desired "result" and am just trying to get something from at least the
    part of the string that I want to parse.
    Code:
    this.msg = this.s_raw_message2;
    var TempTxt = this.s_raw_message2.replace(/\t/g,"|");
    var ValueArray = TempTxt.safesplit("|");
    var SourceInfo = ValueArray[0];
    this.evtCode = ValueArray[6];
    this.sip = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
    e.DeviceName = ValueArray[7];
    //AppSpecificMessage = TempTxt.match(/(?:\().+(?:\))/);
    var Msg = ValueArray[14].match(/(?:\|)[^\|]+(?:\()/);
    this.evt = Msg.substring(1,Msg.length - 2);
    //this.evt = Msg;
    AppSpecificMessage = ValueArray[14].match(/(?:\().+(?:\))/);
    if (ValueArray[10] == "Information")
    this.sev = "0";
    else if (ValueArray[10] == "Warning")
    this.sev = "3";
    else if (ValueArray[10] == "Error")
    this.sev = "4"
    else
    this.sev = "1";
    if(TempTxt.match(/(?:Login:\')\S+(?:')/) != false)
    //var apptemp = AppSpecificMessage.substring(1,AppSpecificMessage. length - 1);
    //var AppSpecificArray = apptemp.safesplit(";");
    var AppSpecificArray = AppSpecificMessage.safesplit(";");
    for(var c = 0; c<count(AppSpecificArray); c + 1)
    var key = AppSpecificArray[c].split(/:/);
    if (key[0] == "(Login")
    if (key[1] == "''")
    this.iuid = ValueArray[8];
    else
    this.iuid = key[1];
    //this.iuid = key[1].substring(1,key[1].length - 1);
    if (key[0] == " User Name")
    if (key[1] == "''")
    this.sun = "System";
    else
    this.sun = key[1];
    //this.sun = key[1].substring(1,key[1].length - 1);
    if (key[0] == " Agent Host")
    if (key[1] == "'')")
    this.shd = "Unknown Host Domain";
    else
    //var TempArr = key[1].substring(1,key[1].length - 1).safesplit(".");
    var TempArr = key[1].plit(/\./);
    TempArr.reverse();
    TempArr.pop();
    TempArr.reverse();
    this.shd = TempArr.join(".");
    if (key[0] == " Token")
    if (key[1] != "''")
    e.CustomerVar35 = key[1];
    //e.CustomerVar35 = key[1].substring(1,key[1].length - 1);
    else
    this.shd = "Unknown Host Domain";
    this.iuid = ValueArray[8];
    this.sun = "System";
    instance.SEND_EVENT = true;
    return true;
    kkrasmussen
    kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
    View this thread: http://forums.novell.com/showthread.php?t=435715
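
An added example, not part of the thread and not Sentinel SDK code: in JavaScript, `match()` and `exec()` return an array of matches or `null`, never a string, so string methods such as `substring()` or `split()` cannot be called on the result directly. The sketch below parses a constructed tab-delimited line with null checks at each step; the sample record, the function names and the returned attribute names are assumptions, and only field positions 6, 7, 8, 10 and 14 come from the post.

```javascript
// Added example: plain JavaScript, no Sentinel SDK calls.
// Field positions 6, 7, 8, 10 and 14 follow the post above; the sample line is constructed.
var SAMPLE_LINE = [
  "src01", "f1", "f2", "f3", "f4", "f5", "1011", "auth-gw-01", "svc_account",
  "f9", "Warning", "f11", "f12", "10.20.30.40",
  "Authentication attempted (Login:'jdoe'; User Name:'John Doe'; " +
    "Agent Host:'ws12.corp.example.com'; Token:'')"
].join("\t");

var SEVERITY = { Information: "0", Warning: "3", Error: "4" };

function trim(s) {
  return s.replace(/^\s+|\s+$/g, "");
}

// Strip one pair of surrounding single quotes, if present.
function unquote(s) {
  var m = /^'(.*)'$/.exec(s);
  return m ? m[1] : s;
}

// Turn "(Login:'x'; User Name:'y'; ...)" at the end of a message into an object.
// Returns null when the message carries no parenthesised detail block.
function parseDetails(text) {
  var m = /\(([^()]*)\)\s*$/.exec(text);   // array or null, never a string
  if (m === null) return null;
  var out = {};
  var pairs = m[1].split(";");             // m[1] is the captured string
  for (var i = 0; i < pairs.length; i++) {
    var idx = pairs[i].indexOf(":");
    if (idx < 0) continue;                 // skip fragments without a key
    var key = trim(pairs[i].substring(0, idx));
    out[key] = unquote(trim(pairs[i].substring(idx + 1)));
  }
  return out;
}

function parseLoginRecord(raw) {
  // An empty or missing record must be rejected before any string method is called.
  if (typeof raw !== "string" || raw.length === 0) return null;
  var fields = raw.split("\t");
  if (fields.length < 15) return null;

  var known = Object.prototype.hasOwnProperty.call(SEVERITY, fields[10]);
  var rec = {
    evtCode: fields[6],
    deviceName: fields[7],
    sev: known ? SEVERITY[fields[10]] : "1",
    iuid: fields[8],                 // defaults, overridden below when details exist
    sun: "System",
    shd: "Unknown Host Domain",
    token: null
  };

  var ip = /\b\d{1,3}(?:\.\d{1,3}){3}\b/.exec(raw);
  rec.sip = ip ? ip[0] : null;       // take element 0, not the array itself

  var msg = fields[14];
  var paren = msg.indexOf("(");
  rec.evt = trim(paren >= 0 ? msg.substring(0, paren) : msg);

  var d = parseDetails(msg);
  if (d !== null) {
    if (d["Login"]) rec.iuid = d["Login"];
    if (d["User Name"]) rec.sun = d["User Name"];
    if (d["Agent Host"]) {
      var labels = d["Agent Host"].split(".");
      labels.shift();                // drop the host label, keep the domain
      if (labels.length > 0) rec.shd = labels.join(".");
    }
    if (d["Token"]) rec.token = d["Token"];
  }
  return rec;
}
```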

  • Data Maps & Custom Collectors

    Hi Guys,
    I am fairly new to the development side of the collectors for Sentinel,
    and have what may be a total beginner's question, but I've tried the docs
    and feel I am getting nowhere with an answer, so hopefully you can help
    out.
    So I am constructing an event from within the collector. I have read
    that it's best practice to try to use maps where possible, so I am trying
    to do this. If I hard code for example e.TargetUserID = <the parsed
    string that I have>, then that works, but I want to try to make use of
    the Rec2Evt.map as most of the data that I am populating at this point
    is listed in here.
    What I have done is to add into the the following:
    Code:
    Collector.prototype.initialize = function() {
    this.MAPS.Rec2Evt = new DataMap(this.CONFIG.collDir + "/Rec2Evt.map");
    Then within parse have the following:
    Code:
    rec.testIP = "123.4.5.6";
    rec.convert(this, instance.MAPS.Rec2Evt);
    instance.SEND_EVENT = true;
    return true;
    Within the Rec2Evt.map file it has the default list of Sentinel Event
    Fields and I have appended a record for TargetIP: TargetIP,testIP
    Have I missed any obvious steps out? What I was expecting to happen was
    when the event is received and parsed in Sentinel the TargetIP field
    should have the value 123.4.5.6. When I look in either the ESM or the
    Sentinel 7 webUI I don't see this field getting set; other fields which I
    manually set are being set correctly.
    This is the first time that I have tried to use the data maps so I
    assume I am doing something wrong and any pointers you guys have would
    be great,
    Thanks
    alanforrest
    alanforrest's Profile: http://forums.novell.com/member.php?userid=90508
    View this thread: http://forums.novell.com/showthread.php?t=453791

    Hi Alan,
    I'm not quite sure what you mean by "3 or 4 attributes", but here are
    some guidelines:
    Part of the Collector development process is to make a best-effort
    attempt to parse out semantically distinct fields from the input and map
    them to the Sentinel schema in a normalized way. Sometimes this is easy
    - there's an IP address that's the target of a connection, extract it
    and map it to TargetIP (TargetIP should already exist in Rec2Evt.map and
    you just need to list the 'rec' attribute into which you parsed that
    target IP). Sometimes this requires a little more work, for example
    timestamps and whatnot that need normalization. Sometimes this is really
    tricky, and you can't find a nice match to a Sentinel schema field.
    Let's break this down into the following categories:
    1) Simple 1:1 matches, like the IP address example above
    2) 1:N matches, where you need to subparse a bit. An example might be a
    path like C:\WINDOWS\system32\etc\hosts; this would map to
    TargetDataName = 'hosts', TargetDataContainer = '/windows/system32',
    TargetDataNamespace = 'c' (note that since Windows is case-insensitive,
    everything has been lowercased and the path separators normalized - we
    provide some utility flags and methods for this in the latest SDK which
    will be out soon).
    3) Mapped matches: in this scenario, you have a field maybe that
    indicates severity using some arbitrary proprietary scale, and you need
    to map this to Sentinel's 0-5 Severity. In this case it's good to use a
    KeyMap, put all your possible input values in the LHC, and then map them
    to Sentinel Severities in the RHC. Then you can use lookup() to look up
    your input and map it to the correct output, put that output in a 'rec'
    attribute, and then list that attribute in Rec2Evt.map (in this example
    on the RHS after 'Severity,').
    4) No schema match, doesn't need to be correlated: An example here
    might be "session type", which is something that Windows provides but
    that we don't (yet) have a dedicated schema field for (although we are
    considering it). Let's say you want to record that information in the
    event, but you don't need to correlate on that value. In that case you
    can use the 'add2EI()' method to add a JSON NVP to the
    ExtendedInformation field, something like 'LoginType: interactive'.
    5) No schema match, need to correlate: This is the trickiest case,
    where you can't find a place to put your data but you need it in a
    separate field so you can correlate on it. For this scenario you can use
    one of the many unallocated ReservedVarXX fields. What you need to do is
    pick an unused field, add it to Rec2Evt.map, and map your data to it.
    The trick is that you can't guarantee that some other Collector is not
    using that field for a different purpose, so you have to be a bit more
    careful when writing correlation rules etc to filter for your data
    only.
    In other words, the only attributes you should ever be adding to
    Rec2Evt.map are ReservedVar fields. BTW, the event schema is fully
    documented here: 'Sentinel Event Schema'
    (http://www.novell.com/developer/plug...nt_schema.html)
    but note that not all fields are present in all platforms.
    DCorlette
    DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
    View this thread: http://forums.novell.com/showthread.php?t=453791
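
Categories 2 and 3 from the reply above, sketched in plain JavaScript as an added example (not SDK code; the SDK's own utility methods and KeyMap class are not used). The function names, the vendor severity labels, the `ext` object standing in for ExtendedInformation, and the sample values are all assumptions.

```javascript
// Added example: plain JavaScript, not SDK code. Names and sample values are assumptions.

// Category 2 (1:N): split a drive-letter path into namespace, container and name,
// lowercased and with separators normalized to "/".
function splitWindowsPath(path) {
  if (typeof path !== "string") return null;
  var m = /^([A-Za-z]):[\\\/]+(.+)$/.exec(path);
  if (m === null) return null;              // UNC, relative or bare drive root: leave unparsed
  var parts = m[2].toLowerCase().split(/[\\\/]+/);
  if (parts[parts.length - 1] === "") parts.pop();   // trailing separator
  if (parts.length === 0) return null;
  var name = parts.pop();
  return {
    TargetDataNamespace: m[1].toLowerCase(),
    TargetDataContainer: "/" + parts.join("/"),
    TargetDataName: name
  };
}

// Category 3 (mapped): a two-column lookup, vendor label on the left, Sentinel 0-5 on the right.
// The vendor labels here are invented for illustration.
var VENDOR_SEVERITY = {
  "debug": "0", "notice": "1", "minor": "2",
  "major": "3", "critical": "4", "fatal": "5"
};

function mapSeverity(vendorValue, fallback) {
  var key = String(vendorValue).replace(/^\s+|\s+$/g, "").toLowerCase();
  // hasOwnProperty keeps log-supplied keys such as "constructor" from
  // resolving to inherited object members instead of a severity.
  return Object.prototype.hasOwnProperty.call(VENDOR_SEVERITY, key)
    ? VENDOR_SEVERITY[key]
    : fallback;
}

// Combine both: values that cannot be normalized are kept in `ext`
// (a stand-in for extended information) rather than being dropped.
function toEventFields(input) {
  var evt = { Severity: mapSeverity(input.severity, null), ext: {} };
  if (evt.Severity === null) {
    evt.Severity = "1";
    evt.ext.VendorSeverity = String(input.severity);
  }
  var p = splitWindowsPath(input.path);
  if (p !== null) {
    evt.TargetDataNamespace = p.TargetDataNamespace;
    evt.TargetDataContainer = p.TargetDataContainer;
    evt.TargetDataName = p.TargetDataName;
  } else if (input.path !== undefined && input.path !== null) {
    evt.ext.RawPath = String(input.path);
  }
  return evt;
}
```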

  • ZAM collector failed to get WIF path message

    This irritating message constantly appears in C:\Program Files\Novell\ZENworks\Asset Management\bin\colw32.log on many PCs. On some PCs it appears every time the collector service tries to start but on some it only appears infrequently. I need to know how to troubleshoot this message as many of our workstations are not producing an inventory and it's down to this message.
    I have done some tests today on several PCs all logged on as me. Some work, some don't, so it can't be anything to do with policies and rights to the registry. Using ZAM 7.5 IR16 with latest product updates.
    Thanks
    Lenny

    Originally Posted by lennyd
    I should have added, a previous post suggested adding the line
    Diagnostic=1
    into cps.ini which I have done.
    Diag.Exe and DoRes.DLL already exist in the client directory. This has created and populated a file called CClientEvent20081201.log in the client logs directory. However it contains no useful information at all as to why this "Failed to get WIF path" message appears.
    On the particular PC I am using here, there are 2 .WIF files dated 27th November in the InboxCC directory then nothing since so it did work until last week so why it has stopped working now I have no idea.
    Lenny
    I had the same problem. It turns out the Windows firewall was blocking port 7461. Once port 7461 was opened everything started to work.
    Jim

  • RXMap field from collectors

    Hi,
    I am trying to understand better how the RXMap field works in terms of
    structure. It seems to be a field or structured variable which keeps other
    fields which are usually parsed from event source data. Well, that is
    my understanding.
    I have tried to search for it in many .js files of native collectors but
    I did not get its structure.
    Does anybody have more detail about it or have played with RXMap
    before?
    I need to understand that because for some reason, some string data is
    truncated to 255 characters when it is stored on RXMap (I guess). I
    created a simple and custom collector and added more than 255 characters
    to the e.fn field and it worked fine. When I use some collectors which use
    the RXMap field, e.fn (FileName) is truncated.
    Regards
    HH
    hugohigashi
    hugohigashi's Profile: http://forums.novell.com/member.php?userid=89996
    View this thread: http://forums.novell.com/showthread.php?t=447960

    Hi Hugo,
    RXMap is a bit of an artificial construct. Basically we get an object
    back from the Connector called ConnectorData, but it's a Java object, so
    we have to unpack it in some way. The first thing we do is attach it to
    the 'rec' object, which is a Javascript object. Next, we iterate through
    the various fields that come back from the Connector (we basically get a
    map of data back). There are really two types of fields that come back:
    1) Event data
    2) Metadata
    and two different ways that the Connector will treat the event data:
    1) As a single string
    2) As a set of fields
    Some examples: the Database Connector creates an output metadata field
    called "s_Database" that indicates the name of the database that the
    data was retrieved from. It also gets event data back from the various
    columns, and can either place each field into a separate variable (a
    map) or can concatenate them into a long string. The File Connector only
    retrieves line-by-line string data and sets a single event data field
    with that line of data.
    The problem is that the Connector just sets all this stuff at the root
    level of the connectorData object, which introduces some problems. First
    of all, there's the potential for name conflicts - if a database
    happened to have a column called s_Database, it would conflict with the
    metadata field of the same name. For that reason the Database Connector
    allows you to specify a prefix to put in front of each column name
    retrieved from the database.
    So what we decided to do when we unpack the Java object and put the
    individual fields into the 'rec' object was to enforce a better
    separation of data and metadata. For Connectors operating on lines of
    data, what you'll see is all the metadata in the root of 'rec', and a
    single special variable rec.s_RXBufferString which contains the line of
    data. For Connectors operating on maps of data, you'll see the same
    metadata in the root of 'rec' but all the actual event data stored under
    a rec.RXMap hash.
    Note that RXMap doesn't have any particular structure or class, it's
    literally just a hash of data in whatever form it arrived in from the
    Connector. So really what you find in there is entirely dependent on the
    event source and the Connector.
    DCorlette
    DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
    View this thread: http://forums.novell.com/showthread.php?t=447960

  • Customize SLES collector

    Hello,
    I'm trying to add support for Freeradius to the SLES collector by adding
    a parse-radiusd function to a custom.js file.
    A couple of questions:
    1) What is the proper way to extend the taxonomy.map file? Right now I'm
    adding all XDAS data in custom.js instead of using e.setTaxKey:
    e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
    e.XDASOutcomeName = "XDAS_OUT_SUCCESS";
    e.XDASOutcome = "0";
    e.XDASDetail = "0";
    e.XDASIdentifier = "4";
    e.XDASClass = "2";
    e.XDASProvider = "0";
    e.XDASRegistry = "0";
    I don't want to edit the taxonomy.map directly since I don't want to
    lose changes when the collector is upgraded.
    2) How do I enable my event for Identity Tracking?
    I have previously made a custom.js for the NetIQ Universal Event
    collector for parsing OpenVPN events and I was able to get IdT working
    by just adding e.InitiatorUserName and e.InitiatorUserDomain to the event.
    The issue I'm having with the custom.js for the SLES collector is that
    setting those fields has no effect at all, they don't show up when I
    look at the processed event in the Sentinel Web UI.
    Instead I have to set this.sun, this.iud.
    That makes those fields show up in the Web UI but the events are not
    enriched by Identity Tracking so I have to be missing something else.
    Here is the entire function as it looks right now:
    Record.prototype["parse-radiusd"] = function(message, e) {
      // XDAS fields common to both outcomes
      e.XDASClass = "2";
      e.XDASProvider = "0";
      e.XDASRegistry = "0";
      if (/Login OK/.test(message)) {
        e.InitiatorUserName = message.replace(/.+\[(.+)\/.+/,'$1');
        this.sun = message.replace(/.+\[(.+)\/.+/,'$1');
        this.iud = "\\meta\\users"; // 2014-12-25, test of Identity Tracking
        this.i_syslog_severity = 3;
        this.evt = "RADIUS Login";
        e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
        e.XDASOutcomeName = "XDAS_OUT_SUCCESS";
        e.XDASOutcome = "0";
        e.XDASDetail = "0";
        e.XDASIdentifier = "4";
      } else if (/Login incorrect/.test(message)) {
        this.sun = message.replace(/.+\[(.+)\/.+/,'$1');
        this.evt = "RADIUS Login";
        e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
        e.XDASOutcomeName = "XDAS_OUT_DENIAL";
        e.XDASOutcome = "2";
        e.XDASDetail = "0";
        e.XDASIdentifier = "4";
        this.iud = "\\meta\\users";
        this.i_syslog_severity = 0;
      }
      return true;
    };

    On 12/26/2014 04:09 AM, alekz wrote:
    >
    > I'm trying to add support for Freeradius to the SLES collector by adding
    > a parse-radiusd function to a custom.js file.
    >
    > A couple of questions:
    >
    > 1) What is the proper way to extend the taxonomy.map file? Right now I'm
    > adding all XDAS data in custom.js instead of using e.setTaxKey:
    >
    > e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
    > e.XDASOutcomeName = "XDAS_OUT_SUCCESS";
    > e.XDASOutcome = "0";
    > e.XDASDetail = "0";
    > e.XDASIdentifier = "4";
    > e.XDASClass = "2";
    > e.XDASProvider = "0";
    > e.XDASRegistry = "0";
    >
    > I don't want to edit the taxonomy.map directly since I don't want to
    > lose changes when the collector is upgraded.
    I think what you're after is covered in some way on this page:
    https://www.novell.com/developer/plu...omization.html
    With that said, I have not gone through these particular changes with the
    SLES collector, so some modifications may be necessary. Generally though:
    1. Add a custom map file, named something unique, via the 'Add Auxiliary
    File' option within Event Source Management (ESM).
    2. Add custom.js (you are already doing this) which includes the three
    required methods within (customInit, customPreparse, customParse).
    3. Add a line like (stolen from the URL above) this to customInit:
    this.MAPS.Rec2Evt.extend(this.CONFIG.collDir + "/customR2E.map");
    The end result should be that your custom map is available and ready for
    use within something like customParse to set values on whatever. More
    discussion of maps is found here:
    https://www.novell.com/developer/plu...ctor_maps.html
    Also regarding taxonomy, it looks like the SLES collector has an instance
    flag that can be set during some form of parsing to prevent later taxonomy
    operations from happening automatically (overwriting your changes):
    instance.taxFlaG = 1;
    > 2) How do I enable my event for Identity Tracking?
    >
    > I have previously made a custom.js for the NetIQ Universal Event
    > collector for parsing OpenVPN events and I was able to get IdT working
    > by just adding e.InitiatorUserName and e.InitiatorUserDomain to the event.
    >
    > The issue I'm having with the custom.js for the SLES collector is that
    > setting those fields has no effect at all, they don't show up when I
    > look at the processed event in the Sentinel Web UI.
    >
    > Instead I have to set this.sun, this.iud.
    this.sun and this.iud are the variables mapped to the e.* fields in the
    Rec2Evt.map file. For some reason I thought those were not supposed to do
    anything if the source value (this.sun/this.iud) was blank, but maybe I'm
    mistaken, or maybe the collector has a bug. It may be worth stepping
    through the debugger to see if something unexpected is setting the sun/iud
    fields, which would then give the Rec2Evt.map a reason to map things,
    overwriting your explicit writes to the same fields on the event (e) object.
    > That makes those fields show up in the Web UI but the events are not
    > enriched by Identity Tracking so I have to be missing something else.
    Are you sure that the values put into the sun and iud fields are present
    in Identity Tracking data within the system? How do these values compare
    for the same user from a collector that is properly implementing Identity
    Tracking?
    Good luck.

  • Collector questions

    Hello Everybody!
    I would like to ask some questions about creating a collector. I
    modified the Apache Agent (utility) to tail -F logfile_path | awk
    '{print($0); fflush()}' | $SOCAT_BIN -d -u - $SOCAT_OPTIONS & to send
    the logfile to the Sentinel. I will check, but the point is that it
    transfers the lines.
    The Collector looks for a Matching rule and I saw it in the debugger and
    also in the Sentinel web interface that I got the event/logfile. I also
    see in the debugger that the s_RXBufferString exists. So I have to
    use the safesplit or split methods on this.s_RXBufferString, right? Or
    should I use //.exec()? Or is it totally up to me to use whatever I
    want?
    If I saw it right, the /()()/.exec() evaluates the regex and we get
    RegExp.$1-$9. If I use the /()()/.test() it will just tell me whether the
    result of the regex is true or false. Right?
    When is it allowed to use field assignment (e.InitiatorUserName =
    this.username)?
    What is the effect when I put the instance.SEND_EVENT into another
    function, for example normalize()? Or is it still OK to put the
    send_event elsewhere as long as it is in one of the preparse(), parse(),
    normalize() functions?
    Do I have to create a variable like var empty_str or is it enough to use
    this.empty_str? The preparse(), parse(), normalize() are prototype
    JavaScript functions, so if I read it well, it is OK to use
    this.empty_str. Or will this.empty_str disappear after it jumps to
    the next function (because of the scope)?
    How can I decide when to use RXMap and when s_RXBufferString? What if I
    don't see the s_Body, but have s_RXBufferString? I know that
    s_RXBufferString is line-oriented, but is it possible that my syslog/file
    data will be in the RXMap?
    What if I set this.dun="testuser"; and in the Rec2Evt.map I add the
    UserTargetName,dun pair? The TargetUserName should then always be present
    when I look at it in the Sentinel web interface, right?
    Are there any other sources to learn how to create a collector?
    Thank you for your answers!
    woodspeed
    woodspeed's Profile: https://forums.netiq.com/member.php?userid=7232
    View this thread: https://forums.netiq.com/showthread.php?t=51349

    Argh formatting! Let me take this from the top, and hopefully I
    won't miss anything:
    1) favor exec() over test(). Test is slower, can only handle a very
    small number of captures (9), where exec is generally same or better
    speed, I haven't hit a limit to the matches, and returns a consistent
    indexed array.
    2) I personally favor using e.FieldName over using the rec2evt.map,
    because especially as a programmer I find it gives better flow control.
    That goes against documented guidance a bit, but as long as you're okay
    with the possibility of needing to
    do a larger find and replace in the event of a schema name change, it's
    really not that big of a deal (and if you use notepad++, it's really a
    non-issue)
    3) instance.SEND_EVENT is a global variable, so you're fine to set
    it...anywhere. You can also just call e.send() and return false()
    from any of the primary functions (parse(), preparse(), normalize() and
    the custom versions of the same), although once again, you risk a
    breaking change later, but once again, if you have a good editor, it's
    not a big deal.
    4) Javascript in general favors use of var over setting properties on
    objects, and in my own code I tend to follow that rule. However, if
    you need a value to transit between the Record methods, putting it on
    the this object isn't a bad idea at all.
    5) RXMap is only populated if a value coming in from the connector does
    not follow the s_<propname>, i_<propname> nomenclature, or if it's one
    of a few special fields that we happen to want at the top of the
    metadata. For syslog stuff, you can generally safely not mess with
    it.
    6) So there are three fields that hold the "message string" for most
    connectors:
    s_raw_message_2 - the original and completely unfiltered string
    s_RXBufferString - for most collectors, same as above, for syslog we
    clean it up to be syslog RFC-friendly.
    s_body - we strip off the syslog header.
    Which field you parse depends on what you need. For an RFC-compliant
    syslog stream, s_Body is the most convenient because it has all the
    'standard' stuff parsed out and available through other connector
    metafields; s_RXBufferString is generally good, but for some exceptional
    event sources, our "clean up" actually is a bad thing, which leaves
    s_raw_message_2. As a general rule for your use case, I would
    recommend s_RXBufferString unless you find that s_Body gives you a clean
    value.
    7) for your Rec2Evt.map question, well yes - assuming that this.dun was
    present and p
    8) https://www.novell.com/developer/dev..._sentinel.html is the best
    place to start and it's our main resource. If you need more of an A-Z
    training, our training services group does offer a training class that
    you may want to look into.
    brandon.langley
    brandon.langley's Profile: https://forums.netiq.com/member.php?userid=350
    View this thread: https://forums.netiq.com/showthread.php?t=51349

  • Error appears when debugging a generic collector for ADONIS

    We have Sentinel 6.1.
    We are working with a new collector for the DNS appliance ADONIS, and
    when we are debugging an error appears in the function SUBSTR.
    When this error doesn't appear during debugging, it also looks like the
    collector enters a loop; the function where the debugging stands is
    "this.read = function"
    The generic collector hasn't been modified in the functions preParse,
    Parse and Normalized.
    The generic collector is in JavaScript and it was made with the ANT
    templates in ECLIPSE.
    marrovdr
    marrovdr's Profile: http://forums.novell.com/member.php?userid=41874
    View this thread: http://forums.novell.com/showthread.php?t=423439

    Hmm....
    Well I'm not sure we have quite enough information yet to really help
    you. That said, there are some basic things we can check:
    1) Are you saying that you are seeing this error with a completely
    unmodified Collector, e.g. you ran the "Create New Collector Plug-in"
    Ant task, then immediately built and deployed the result?
    2) Are you using the 'stable' SDK or the SVN-based 'current' branch?
    Also, I'm not clear what you're saying about the this.read bit, but the
    line that states:
    record.connectorData = getData(5);
    (which is in the Connector.read() method) is where the Collector
    fetches the next record from the Connector. You should note that if no
    data is retrieved, you'll basically get an empty record. If you try to
    do any parsing on that data, you can run into problems because the
    variables you are trying to operate on don't exist.
    By this I mean that if rec.s_RXBufferString doesn't exist (e.g. you got
    a null record from the Connector), but you try to do:
    this.s_RXBufferString.substr(5,8);
    you'll get an error like "method substr() is undefined" or something.
    Also I should note that if your Collector is pausing at the getData()
    line, that probably means that your device isn't actually sending any
    records - check using a Raw Data Tap on the Event Source.
    DCorlette
    DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
    View this thread: http://forums.novell.com/showthread.php?t=423439

  • Sentinel collector debug: SyntaxError: Invalid quantifier ?

    Dear all,
    When I was debugging any collector, for instance "NetIQ_Universal-Event
    Collector", Sentinel always prompts error messages: "SyntaxError: Invalid
    quantifier ?". I found the error key words in the control.center.0.0.log
    file under C:\Users\steve_zeng\.novell\sentinel\log. It said "SEVERE:
    org.mozilla.javascript.EcmaError: SyntaxError: Invalid quantifier ?". My
    Sentinel version is 7.1.0, client Java version is 7.0_21.
    I also cleared all cache files in
    C:\Users\steve_zeng\.novell\sentinel\data, but the problem would still
    appear. Why?
    Thanks in advance for any assistance / guidance!
    For detailed logs please look at the attachment; control.center.0.0.log
    contents are following:
    ===============================================================================================================
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\master.jar, ignoring error.
    Jul 03, 2013 12:46:22 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335, ignoring error.
    Jul 03, 2013 12:46:22 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438, ignoring error.
    Jul 03, 2013 12:46:22 AM esecurity.ccs.comp.repository.PluginCacheManager isUpToDate
    INFO: Checking if directory C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_plugins\NetIQ_Universal_Event_06723D3102CBA3C001C251476ED_4454844095995131246 has hash matching bzdNc0KW/wb+yG4VNogU3Q==.
    Jul 03, 2013 12:46:22 AM esecurity.ccs.comp.repository.PluginCacheManager isUpToDate
    INFO: Local directory C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_plugins\NetIQ_Universal_Event_06723D3102CBA3C001C251476ED_4454844095995131246 has hash value bzdNc0KW/wb+yG4VNogU3Q==.
    Jul 03, 2013 12:46:23 AM com.eSecurity.Application.Appliance.debugger.IntegratedScriptDebugger <init>
    INFO: Starting IntegratedScriptDebugger in remote debugging mode.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\bsf-240.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\collectorutil.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\commons-codec-1.3.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\commons-io-2.4.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\commons-logging-1.1.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\commons-logging-adapters-1.1.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\commons-logging-api-1.1.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\joda-time-2.1.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\js.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335\master.jar, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
    INFO: Could not delete: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438, ignoring error.
    Jul 03, 2013 12:46:24 AM esecurity.ccs.comp.repository.PluginCacheManager isUpToDate
    INFO: Checking if directory C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_plugins\NetIQ_Universal_Event_06723D3102CBA3C001C251476ED_4454844095995131246 has hash matching bzdNc0KW/wb+yG4VNogU3Q==.
    Jul 03, 2013 12:46:24 AM esecurity.ccs.comp.repository.PluginCacheManager isUpToDate
    INFO: Local directory C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_plugins\NetIQ_Universal_Event_06723D3102CBA3C001C251476ED_4454844095995131246 has hash value bzdNc0KW/wb+yG4VNogU3Q==.
    Jul 03, 2013 12:46:25 AM esecurity.ccs.comp.evtsrcmgt.collector.util.debugger.ESECSwingGuiHelper handleException
    SEVERE: Error updating collector script in directory: C:\Users\steve_zeng\.novell\sentinel\data\control_center.cache\collector_instances_pluggable\NetIQ_Universal_Event_8F80C54B1030ACCF000C298EB438\run3035081115685187335; Exception SyntaxError: Invalid quantifier ?; org.mozilla.javascript.EcmaError;
    Jul 03, 2013 12:46:25 AM esecurity.ccs.comp.evtsrcmgt.collector.util.debugger.ESECSwingGuiHelper handleException
    SEVERE: org.mozilla.javascript.EcmaError: SyntaxError: Invalid quantifier ?
        at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3785)
        at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3763)
        at org.mozilla.javascript.regexp.NativeRegExp.reportError(NativeRegExp.java:2406)
        at org.mozilla.javascript.regexp.NativeRegExp.parseTerm(NativeRegExp.java:1039)
        at org.mozilla.javascript.regexp.NativeRegExp.parseAlternative(NativeRegExp.java:490)
        at org.mozilla.javascript.regexp.NativeRegExp.parseDisjunction(NativeRegExp.java:451)
        at org.mozilla.javascript.regexp.NativeRegExp.compileRE(NativeRegExp.java:323)
        at org.mozilla.javascript.regexp.RegExpImpl.compileRegExp(RegExpImpl.java:53)
        at org.mozilla.javascript.CodeGenerator.generateRegExpLiterals(CodeGenerator.java:252)
        at org.mozilla.javascript.CodeGenerator.generateICodeFromTree(CodeGenerator.java:157)
        at org.mozilla.javascript.CodeGenerator.generateFunctionICode(CodeGenerator.java:150)
        at org.mozilla.javascript.CodeGenerator.generateNestedFunctions(CodeGenerator.java:235)
        at org.mozilla.javascript.CodeGenerator.generateICodeFromTree(CodeGenerator.java:155)
        at org.mozilla.javascript.CodeGenerator.compile(CodeGenerator.java:124)
        at org.mozilla.javascript.Interpreter.compile(Interpreter.java:233)
        at org.mozilla.javascript.Context.compileImpl(Context.java:2430)
        at org.mozilla.javascript.Context.compileString(Context.java:1367)
        at org.mozilla.javascript.Context.compileString(Context.java:1356)
        at org.mozilla.javascript.Context.evaluateString(Context.java:1108)
        at com.novell.javascript.tools.debugger.Dim$DimIProxy.run(Dim.java:989)
        at org.mozilla.javascript.Context.call(Context.java:521)
        at org.mozilla.javascript.ContextFactory.call(ContextFactory.java:535)
        at com.novell.javascript.tools.debugger.Dim$DimIProxy.withContext(Dim.java:1028)
        at com.novell.javascript.tools.debugger.Dim$DimIProxy.access$700(Dim.java:907)
        at com.novell.javascript.tools.debugger.Dim.evalScript(Dim.java:614)
        at com.novell.javascript.tools.debugger.RunProxy.run(SwingGui.java:2623)
        at java.lang.Thread.run(Unknown Source)
    ===================================================================================================================
    +----------------------------------------------------------------------+
    |Filename: control_center0.0.rar |
    |Download: https://forums.netiq.com/attachment.php?attachmentid=73 |
    +----------------------------------------------------------------------+
    steve_zeng
    steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
    View this thread: https://forums.netiq.com/showthread.php?t=48108

    Dupe
    https://forums.netiq.com/showthread.php?t=48077
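
A way to triage the log quoted in the post above, added here as an example and not part of the original thread or of Sentinel: it rejoins the wrapped two-line log records, counts the "Could not delete" noise, and reports for each SEVERE record the throwing frame and the first caller outside the `org.mozilla.javascript.regexp` package. The names `parseRecords` and `triage` are hypothetical, and the sample is a constructed excerpt of the posted log.

```javascript
// Constructed sample: records copied from the posted log, with its wrapping and stray spaces.
const SAMPLE = String.raw`INFO: Could not delete:
C:\Users\steve_zeng\.novell\sentinel\data\control_ center.cache\collector_instances_pluggable\NetIQ_U niversal_Event_8F80C54B1030ACCF000C298EB438\run303 5081115685187335\master.jar,
ignoring error.
Jul 03, 2013 12:46:24 AM esecurity.base.util.FileUtil recursiveDelete
INFO: Could not delete:
C:\Users\steve_zeng\.novell\sentinel\data\control_ center.cache\collector_instances_pluggable\NetIQ_U niversal_Event_8F80C54B1030ACCF000C298EB438\run303 5081115685187335\js.jar,
ignoring error.
Jul 03, 2013 12:46:25 AM
esecurity.ccs.comp.evtsrcmgt.collector.util.debugg er.ESECSwingGuiHelper
handleException
SEVERE: org.mozilla.javascript.EcmaError: SyntaxError: Invalid
quantifier ?
at
org.mozilla.javascript.regexp.NativeRegExp.parseTe rm(NativeRegExp.java:1039)
at
org.mozilla.javascript.CodeGenerator.generateRegEx pLiterals(CodeGenerator.java:252)
at org.mozilla.javascript.Context.compileString(Conte xt.java:1367)`;
const STAMP = /^[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M\b/;
const LEVEL = /\b(SEVERE|WARNING|INFO): /;
// A timestamp line opens a record (so does a log cut mid-record); wrapped lines are re-joined.
function parseRecords(text) {
  const records = [];
  for (const line of text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean)) {
    if (STAMP.test(line) || records.length === 0) records.push([]);
    records[records.length - 1].push(line);
  }
  return records.map((lines) => {
    const [head, ...frames] = lines.join(' ').split(/ at (?=[\w.$ ]+\()/);
    const m = LEVEL.exec(head);
    return {
      level: m ? m[1] : 'UNKNOWN',
      message: m ? head.slice(m.index + m[0].length) : head,
      frames: frames.map((f) => f.replace(/\s+(?!Source\))/g, '')), // undo injected spaces
    };
  });
}
// Count cache-cleanup noise; for SEVERE records find who asked for the pattern to be compiled.
function triage(text) {
  const recs = parseRecords(text);
  const severe = recs.filter((r) => r.level === 'SEVERE').map((r) => ({
    message: r.message,
    failedIn: r.frames[0] || null,
    requestedBy: r.frames.find((f) => !f.startsWith('org.mozilla.javascript.regexp.')) || null,
  }));
  const noise = recs.filter((r) => r.message.startsWith('Could not delete:')).length;
  return { total: recs.length, noise, severe };
}
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

For the posted trace `requestedBy` is `CodeGenerator.generateRegExpLiterals`, reached from `Context.compileString`: the pattern is rejected while a regular-expression literal in the collector script is being compiled.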
