1 Reply Latest reply on Apr 5, 2016 7:18 PM by rgarrett

    Problem with Weblogic logs

    adamp

      Hello,

       

      Has anyone parsed WebLogic application logs? I have a problem with sending logs correctly to McAfee SIEM. I used the McAfee SIEM collector. Below I have pasted my configuration. Logs are sent to the SIEM, but the original logs have some lines from other logs in the parsed log, which should have two lines. Parsing is correct.

      Below is an example of a badly sent log, which I pasted from the SIEM column Packet:

       

      "WPPM_PROVIDER:WP5_PROD WPPM_BL_PROVIDER_INSTANCE:ST_PROD INFO  [15-03-2016 10:58:04.651] (WebMethodsProviderPayload.java:341) invocationXML [id_pinstance=15019912,id_user=626420,id_process=7791102,pr_name=xxxxxxx,provid er=xxxxxx,timeMarker=2016-03-15 10:58:04]"

       

      I marked in red the part of the log which can't be in this log. What method do you recommend to retrieve multiline logs with a variable structure?

       

      Example log:

      INFO  [15-03-2016 04:13:38.950] (WppmEngineDAO.java:776)

          logBLRequest idPinstance:15017219

      991100102 TIME_STOPPER: 2016-03-15 04:13:33.999; 2016-03-15 04:13:38.950; LAP_TIME: 1458011613999; 1458011618950; 4951ms

      INFO  [15-03-2016 04:13:38.978] (WppmEngineDAO.java:799)

          991100102_TIME_STOPPER: 2016-03-15 04:13:38.950; 2016-03-15 04:13:38.978; LAP_TIME: 1458011618950; 1458011618978; 28ms

      INFO  [15-03-2016 04:13:38.982] (BLProviderFactory.java:26)

          BLProviderFactory.getBLProvider:PROVIDER_TYPE_WEBMETHODS

      INFO  [15-03-2016 04:13:38.982] (WebMethodsProviderPayload.java:66)

          WPPM_PROVIDER:WP5_PROD

      WPPM_BL_PROVIDER_INSTANCE:ST_PROD

      INFO  [15-03-2016 04:13:38.982] (WebMethodsProviderPayload.java:341)

         

      invocationXML [id_pinstance=15017219,id_user=176118,id_process=7790201,pr_name=xxxxxx,provide r=xxxxx,timeMarker=2016-03-15 04:13:38]

      >>>>

      <?xml version="1.0" encoding="UTF-8"?>

      <fb564in:fb564InParameters xmlns:fb564in="http://www.xxxxxxxx.pl/i/fb564in">

        <fb564in:policy>

          <gb:policyID xmlns:gb="http://www.xxxxxxxxx.pl/is">875765</gb:policyID>

        </fb564in:policy>

      </fb564in:fb564InParameters>

       

       

      <<<<

       

      INFO  [15-03-2016 04:13:39.762] (WebMethodsProviderPayload.java:352)

         

      responseXML [id_pinstance=15017219,id_user=176118,id_process=7790201,pr_name=xxxxxx,provide r=xxxxxx,timeMarker=2016-03-15 04:13:38]

      >>>>

      <?xml version="1.0" encoding="UTF-8"?>

      <fb564out:fb564OutParameters xmlns:fb564out="http://www.xxxxx.pl/fb564out">

        <fb564out:response>

          <gb:responseStatus xmlns:gb="http://www.xxxxxx.pl/i">0</gb:responseStatus>

        </fb564out:response>

        <fb564out:riskList>

          <fb564out:risk>

            <gb:conditionStatus xmlns:gb="http://www.xxxxx.pl/i">C</gb:conditionStatus>

            <gb:isOptional xmlns:gb="http://www.xxx.pl/i">0</gb:isOptional>

            <gb:riskCode xmlns:gb="http://www.xxx.pl/isr">xxx</gb:riskCode>

            <gb:riskName xmlns:gb="http://www.xxxx.pl/i">xxxxgo</gb:riskName>

            <gb:riskDesc xmlns:gb="http://www.xxxx.pl/i">xxxt: