Appsense logs

Hi experts,

We are getting logs from an application called Appsense. We are using a custom parser for collecting the logs. We are seeing an unusual thing in the logs. For example, in the details section, the field says

First time: 05/23/17 15.30  Last Time : 05/23/17 2.30 .

What can be the reason? Is there any issue with the parser? What does the last time signify here?

Please help me here

Thanks

Biswa
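The detail line quoted above can be parsed and sanity-checked outside the SIEM. This is an added example, not the poster's parser or any McAfee or Appsense code; the sample line is constructed to match the post, and the field labels, date format and the "inverted window" check are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the post's details text (not a real Appsense log).
SAMPLE_DETAILS = "First time: 05/23/17 15.30  Last Time : 05/23/17 2.30 ."

# Tolerant pattern: label case and spacing around the colon vary in the quoted line.
# Assumed format: MM/DD/YY followed by HH.MM with a dot as the hour/minute separator.
FIELD_RE = re.compile(
    r"(?P<label>first|last)\s*time\s*:\s*"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{1,2}\.\d{2})",
    re.IGNORECASE,
)


def parse_details(text):
    """Return {'first': datetime, 'last': datetime} extracted from a details string."""
    found = {}
    for m in FIELD_RE.finditer(text):
        stamp = f"{m.group('date')} {m.group('time')}"
        found[m.group("label").lower()] = datetime.strptime(stamp, "%m/%d/%y %H.%M")
    return found


def check_window(fields):
    """Classify the first/last pair: 'ok', 'missing', or 'inverted' (last before first)."""
    first, last = fields.get("first"), fields.get("last")
    if first is None or last is None:
        return "missing"
    if last < first:
        # Typical causes: a 12-hour clock written without AM/PM, a timezone offset
        # applied to one field only, or the parser mapping the two fields the wrong way.
        return "inverted"
    return "ok"


if __name__ == "__main__":
    parsed = parse_details(SAMPLE_DETAILS)
    print(parsed, check_window(parsed))
```

Run the same check over a sanitized batch of raw lines: if every record is "inverted" the time format or parser mapping is wrong; if only some are, look at the data source time settings.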

34 Replies
xded
Level 12
Message 2 of 35

Re: Appsense logs

Copy your custom parser and show us. Some of us can review your parser. And please, a sanitized raw log.

It seems this is a problem from the parser.

Re: Appsense logs

Hi,

Thanks a lot for responding.

I have pasted the parser and a dump of the log file. Can you please suggest the changes?

Thanks

Biswa

xded
Level 12
Message 4 of 35

Re: Appsense logs

Hi Biswa,

I can only estimate. Take a look at the data source and check the time settings.

Reliable Contributor sssyyy
Reliable Contributor
Message 5 of 35

Re: Appsense logs

You got those Appsense logs to the SIEM via WMI pull? They are part of the application logs?

I thought you can't create custom parsers for WMI, only for syslog type stuff.

Re: Appsense logs

Hi all, no, we are importing it via a file reader receiver. The receiver is collecting the logs from a mount location by CIFS pull.

Re: Appsense logs

The logs are being pulled by a file reader receiver. The logs are being dumped by the application in a shared folder and the receiver collects them by CIFS pull. Right now, we are not receiving logs at all from this application, though we can see logs being written to the shared folder.

We have checked the receiver config also, which seems to be fine. Can anyone please advise what the issue could be?

Reliable Contributor sssyyy
Reliable Contributor
Message 8 of 35

Re: Appsense logs

Is the CIFS credential still valid? Maybe the bookmark file is corrupted; you can try to disable and re-enable the data source again, or create a new one to reset the bookmark file.

Re: Appsense logs

That seems to be a good idea. Since this is a CIFS share, where can I check the bookmark file? I just checked the expiry date for the service account that we are using for fetching the logs and it is set to never expire. Some changes were made to the account, but the issue had started much before that.

When you say disable and re-enable the data source, do you mean reconfiguring the data source all over again?

Thank you so much for your help.

Reliable Contributor sssyyy
Reliable Contributor
Message 10 of 35

Re: Appsense logs

WMI data sources have bookmarks; syslog doesn't, I think. I believe the CIFS type also has one, so it knows where it left off last time. Yeah, uncheck parsing and logging, write out, and re-enable parsing again.
