Submitted URL: https://community.microfocus.com/cyberres/arcsight/f/arcsight-discussions/79969/no-empty-message-id-submessage-defined-and-no-sub...
Effective URL: https://community.microfocus.com/cyberres/arcsight/f/discussions/79969/no-empty-message-id-submessage-defined-and-no-submessage-d...
Submission: On January 18 via manual from RU — Scanned from DE

OpenText Community for Micro Focus products
NO EMPTY MESSAGE ID SUBMESSAGE DEFINED AND NO SUBMESSAGE DESCRIPTION FOUND FOR
MESSAGEID


guido.moscarell over 7 years ago

Hi experts,

Problem with the parser... could anyone help?



xxx_syslog.subagent.sdkrfilereader.properties file:



replace.defaults=true
trim.tokens=true
comments.start.with=#



#FireEyeMSM[4786]: tid 2416: [java.NOTICE]: JavaProcess: Invalid login attempted by user: xxx@xxx.xxx

regex=FireEyeMSM\\[\\d+]: tid (\\d+): (.*)

token.count=2

token[0].name=FireEye_ID
token[0].type=Integer
token[1].name=message
token[1].type=String



additionaldata.enabled=false



event.deviceVendor=__stringConstant(FireEye)
event.deviceProduct=__stringConstant(MTP)
event.deviceCustomNumber1=FireEye_ID
event.message=message



submessage.messageid.token=FireEye_ID
submessage.token=message
submessage.count=3



#[java.NOTICE]: JavaProcess: Invalid login attempted by user: xxx@xxx.xxx
submessage[0].messageid=Invalid_login
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=\\[java.(\\w+)\\]\\S+\\s+JavaProcess:\\s+Invalid\\s+login\\s+attempted\\s+by\\s+user:\\s+(\\w+)@(\\S+)
submessage[0].pattern[0].fields=event.name,event.sourceUserName,event.sourceNtDomain
submessage[0].pattern[0].mappings=undefined|undefined|undefined



#[java.WARNING]: JavaProcess: Login fail:(AuthenticationException)org.apache.shiro.authc.UsernamePasswordToken - xxx@xxx.xxx, rememberMe=false
submessage[1].messageid=Login_fail
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=\\[java.(\\w+)\\]\\:\\s+JavaProcess\\:\\s+Login\\s+fail:\\(AuthenticationException\\)org\\.apache\\.shiro\\.authc\\.UsernamePasswordToken\\s+-\\s+(\\w+)\\@(\\w+\\.\\w+).*
submessage[1].pattern[0].fields=event.name,event.sourceUserName,event.sourceNtDomain
submessage[1].pattern[0].mappings=undefined|undefined|undefined



#[java.NOTICE]: JavaProcess: MSM-AUDIT: xxx@xxx.xxx|Login|User|xxx@xxx.pri|Fail|
submessage[2].messageid=Fail
submessage[2].pattern.count=1
submessage[2].pattern[0].regex=\\[java.(\\w+)\\]:\\s+JavaProcess:\\s+MSM-AUDIT:\\s+(\\w+)@(\\w+.\\w+).*
submessage[2].pattern[0].fields=event.name,event.sourceUserName,event.sourceNtDomain
submessage[2].pattern[0].mappings=undefined|undefined|undefined





Logs:





[2017-03-10 12:11:28,195][WARN ][default.com.arcsight.agent.sdk.d.n][parseTokensNow] No empty message id submessage defined and no submessage description found for messageid [2428] message [[java.NOTICE]: JavaProcess: Invalid login attempted by user: xxx@xxx.xxx]

[2017-03-10 12:11:28,196][WARN ][default.com.arcsight.agent.sdk.d.n][parseTokensNow] No empty message id submessage defined and no submessage description found for messageid [54] message [[java.NOTICE]: JavaProcess: MSM-AUDIT: co77777@eni.pri|Login|User|xxx@xxx.xxx|Fail|]

[2017-03-10 12:11:28,197][WARN ][default.com.arcsight.agent.sdk.d.n][parseTokensNow] No empty message id submessage defined and no submessage description found for messageid [2428] message [[java.WARNING]: JavaProcess: Login fail:(AuthenticationException)org.apache.shiro.authc.UsernamePasswordToken - xxx@xxx.xxx, rememberMe=false]





The regexes are not beautiful, but they seem to work (they have been successfully tested
with quickFlex)...



Thanks to all





 * VERIFIED ANSWER
   
   0 Shaun over 7 years ago
   
   You are instructing it to use "FireEye_ID" as the messageid token.  That
   messageid token contains the integer after "tid".
   
   
   
   Your submessages are then looking for an alphanumeric "action" as the
   messageid rather than the tid.
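
A simplified model of the lookup described in the answer, added here as an illustration (it is not ArcSight code and not part of the thread): the value captured into FireEye_ID is the key into the submessage table, so entries filed under Invalid_login, Login_fail and Fail are never reached. The names `parse`, `run`, `AS_POSTED` and `CATCH_ALL` and the sample lines are constructed from the posted config; the catch-all table assumes that a submessage with an empty messageid is the fallback the warning refers to.

```python
import re

# Main regex from the post (Python syntax): group 1 = FireEye_ID (the tid), group 2 = message.
MAIN = re.compile(r"FireEyeMSM\[\d+]: tid (\d+): (.*)")
FIELDS = ("name", "sourceUserName", "sourceNtDomain")

# The three submessage regexes from the post, keyed by the messageid they were filed under.
PATTERNS = {
    "Invalid_login": r"\[java.(\w+)\]\S+\s+JavaProcess:\s+Invalid\s+login\s+attempted"
                     r"\s+by\s+user:\s+(\w+)@(\S+)",
    "Login_fail": r"\[java.(\w+)\]:\s+JavaProcess:\s+Login\s+fail:\(AuthenticationException\)"
                  r"org\.apache\.shiro\.authc\.UsernamePasswordToken\s+-\s+(\w+)@(\w+\.\w+).*",
    "Fail": r"\[java.(\w+)\]:\s+JavaProcess:\s+MSM-AUDIT:\s+(\w+)@(\w+.\w+).*",
}

AS_POSTED = {mid: [rx] for mid, rx in PATTERNS.items()}  # keys are action names
CATCH_ALL = {"": list(PATTERNS.values())}                # assumed empty-messageid fallback

# Constructed sample lines, built from the comments and log excerpts in the post.
SAMPLES = [
    "FireEyeMSM[4786]: tid 2416: [java.NOTICE]: JavaProcess: "
    "Invalid login attempted by user: xxx@xxx.xxx",
    "FireEyeMSM[4786]: tid 2428: [java.WARNING]: JavaProcess: Login fail:"
    "(AuthenticationException)org.apache.shiro.authc.UsernamePasswordToken"
    " - xxx@xxx.xxx, rememberMe=false",
    "FireEyeMSM[4786]: tid 54: [java.NOTICE]: JavaProcess: MSM-AUDIT: "
    "xxx@xxx.xxx|Login|User|xxx@xxx.pri|Fail|",
]


def parse(line, submessages):
    """Return (fields, warning); submessages maps messageid -> list of regexes."""
    m = MAIN.match(line)
    if not m:
        return None, "main regex did not match"
    message_id, message = m.groups()
    # Exact messageid first, then the empty-messageid entry if one is defined.
    candidates = submessages.get(message_id, submessages.get(""))
    if candidates is None:
        return None, f"no submessage for messageid [{message_id}]"
    for rx in candidates:
        sm = re.match(rx, message)
        if sm:
            return dict(zip(FIELDS, sm.groups())), None
    return None, f"no pattern matched for messageid [{message_id}]"


def run(submessages):
    """Parse every constructed sample against one submessage table."""
    return [parse(line, submessages) for line in SAMPLES]


if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("catch-all", CATCH_ALL)):
        for fields, warning in run(table):
            print(label, "->", fields or warning)
```
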
   
   
   
   
   
   
   
   
   
