34 Replies. Latest reply on Sep 21, 2017 2:34 AM by biswabhusan

    Appsense logs

    biswabhusan

      Hi experts,

We are getting logs from an application called Appsense. We are using a custom parser for collecting the logs. We are seeing an unusual thing in the logs. For example, in the details section, the field says

First time: 05/23/17 15.30  Last Time : 05/23/17 2.30 .

What can be the reason? Is there any issue with the parser? What does the last time signify here?

      Please help me here

      Thanks

      Biswa
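The thread never shows the custom parser or the raw Appsense dump, so the following is an added illustration, not the original poster's parser: it extracts the "First time" / "Last Time" pair from a details field in the shape quoted above and flags records where the last time falls before the first. The sample lines are constructed, and the clock format (MM/DD/YY HH.MM, 24-hour) is an assumption; the post does not state which clock the application writes.

```python
import re
from datetime import datetime

# Constructed sample "details" fields in the shape the post describes.
# The first one reproduces the odd pair from the thread; the other two are invented.
SAMPLE_DETAILS = [
    "First time: 05/23/17 15.30  Last Time : 05/23/17 2.30 .",
    "First time: 05/23/17 09.05  Last Time : 05/23/17 11.45 .",
    "First time: 05/23/17 23.10  Last Time : 05/24/17 00.02 .",
]

# Tolerates the spacing and capitalisation seen in the post ("Last Time :").
FIELD_RE = re.compile(
    r"First\s*time\s*:\s*(?P<first>\d{2}/\d{2}/\d{2}\s+\d{1,2}\.\d{2})\s*"
    r"Last\s*Time\s*:\s*(?P<last>\d{2}/\d{2}/\d{2}\s+\d{1,2}\.\d{2})",
    re.IGNORECASE,
)


def parse_stamp(text):
    # Assumed format: MM/DD/YY HH.MM on a 24-hour clock (assumption, see lead-in).
    return datetime.strptime(text.strip(), "%m/%d/%y %H.%M")


def parse_details(line):
    """Return the parsed pair plus consistency info, or None if the line does not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    first = parse_stamp(m.group("first"))
    last = parse_stamp(m.group("last"))
    return {
        "first": first,
        "last": last,
        "ordered": last >= first,
        "span_minutes": int((last - first).total_seconds() // 60),
    }


def find_inconsistent(lines):
    """List (line number, reason) for lines that fail to parse or run backwards in time."""
    bad = []
    for n, line in enumerate(lines, 1):
        rec = parse_details(line)
        if rec is None:
            bad.append((n, "unparsed"))
        elif not rec["ordered"]:
            bad.append((n, "last before first"))
    return bad


if __name__ == "__main__":
    for n, reason in find_inconsistent(SAMPLE_DETAILS):
        print(f"line {n}: {reason}: {SAMPLE_DETAILS[n - 1]}")
```

Running this over the constructed sample reports only the first line, which is exactly the pair the post quotes: under a 24-hour reading the "last" time is thirteen hours earlier than the "first". A check like this makes it possible to tell a parser regex problem (lines that do not match at all) apart from a time-format or time-zone problem (lines that match but run backwards), which is the distinction the replies below ask about.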

        • 1. Re: Appsense logs
          xded

Copy your custom parser and show us. Some of us can review your parser. And please a sanitized raw log.


          It seems this is a problem from the parser.

          • 2. Re: Appsense logs
            biswabhusan

            Hi,

            Thanks a lot for responding.


I have pasted the parser and a dump of the log file. Can you please suggest the changes?


            Thanks

            Biswa

            • 3. Re: Appsense logs
              xded

              Hi Biswa,


I can only estimate. Take a look at the Data Source and check the time settings.

              • 4. Re: Appsense logs
                sssyyy

You got those Appsense logs to SIEM via WMI pull? They are part of the application logs?

                I thought you can't create custom parsers for WMI, only for syslog type stuff.

                • 5. Re: Appsense logs
                  biswabhusan

Hi all, no, we are importing it as a file reader receiver. The receiver is collecting the logs from a mount location by CIFS pull.

                  • 6. Re: Appsense logs
                    biswabhusan

The logs are being pulled by a file reader receiver. The logs are being dumped by the application in a shared folder and the receiver collects them by CIFS pull. Right now, we are not receiving logs at all from this application, though we can see logs being written to the shared folder.

We have checked the receiver config also, which seems to be fine. Can anyone please advise what the issue can be?

                    • 7. Re: Appsense logs
                      sssyyy

Is the CIFS credential still valid? Maybe the bookmark file is corrupted; you can try to disable and re-enable the data source again, or create a new one, to reset the bookmark file?

                      • 8. Re: Appsense logs
                        biswabhusan

That seems to be a good idea. Since this is a CIFS share, where can I check the bookmark file? I just checked the expiry date for the service account that we are using for fetching the logs and it is set to never expire. Some changes were made to the account, but the issue had started much before that.

When you say disable and re-enable the data source, do you mean reconfiguring the data source all over again?

Thank you so much for your help.

                        • 9. Re: Appsense logs
                          sssyyy

WMI data sources have bookmarks; syslog doesn't, I think. I believe the CIFS type also has one, so it knows where it left off last time. Yeah, uncheck parsing and logging, write out, and re-enable parsing again.
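To make the bookmark idea in this reply concrete, here is an added example of how a file reader can keep a bookmark and what "resetting" it means. This is illustrative code, not the SIEM product's own bookmark implementation (its file format and location are not given in the thread); the JSON layout, file names and the reset rule are assumptions. The reader records the byte offset it has consumed, resumes from it on the next pull, and falls back to offset 0 when the bookmark is missing, unreadable or points past the end of the file.

```python
import json
import os


def load_bookmark(path, data_size):
    """Return the saved offset, or 0 when the bookmark is missing, corrupt or past EOF.

    Bookmark layout is an assumption for this example: {"offset": <int>}.
    """
    try:
        with open(path) as f:
            offset = int(json.load(f)["offset"])
    except (OSError, ValueError, KeyError, TypeError):
        return 0            # missing or unparseable bookmark: start over
    if offset < 0 or offset > data_size:
        return 0            # stale bookmark (file rotated or truncated): start over
    return offset


def read_new_lines(log_path, bookmark_path):
    """Return lines appended since the last pull and advance the bookmark."""
    size = os.path.getsize(log_path)
    start = load_bookmark(bookmark_path, size)
    with open(log_path, "rb") as f:
        f.seek(start)
        data = f.read()
    lines = data.decode("utf-8", "replace").splitlines()
    # Write the bookmark only after a successful read so a crash mid-pull
    # re-reads rather than silently skips data.
    with open(bookmark_path, "w") as f:
        json.dump({"offset": size}, f)
    return lines


def demo():
    """Exercise the reader on constructed files and report line counts per pull."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "appsense.log")        # constructed sample log
        bm = os.path.join(d, "appsense.bookmark")    # constructed bookmark file
        with open(log, "w") as f:
            f.write("line one\nline two\n")
        first = read_new_lines(log, bm)              # fresh start: both lines
        with open(log, "a") as f:
            f.write("line three\n")
        second = read_new_lines(log, bm)             # resumes: only the new line
        with open(bm, "w") as f:
            f.write("garbage")                       # simulate a corrupt bookmark
        third = read_new_lines(log, bm)              # reset to 0: whole file again
    return {"first": len(first), "second": len(second), "after_reset": len(third)}


if __name__ == "__main__":
    print(demo())
```

The third pull in `demo()` shows the side effect of the reset this reply recommends: with the bookmark discarded, the receiver re-reads the whole file, so expect duplicated events for the period already ingested. It also shows why a valid credential alone does not prove the pull is healthy; a bookmark that points past the end of a rotated or truncated file would stop new lines from ever being read until it is reset.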
