7 replies to this topic

[luca.casarini]

We receive a 400 Bad Request error as shown as well as an XML parsing error related to the DateTime, the rsyslog.conf on the relevant machine is configured correctly as in documentation. We have tried diagnosing possible causes to no avail. There is no data loaded within Netwrix itself. SQL services seem to be configured correctly.

 

Attached relevant files including log.

2/27/2019 1:42:30 PM [SENDER][ERROR] (LOCALHOST) The remote server returned an error: (400) Bad Request.
<?xml version="1.0" standalone="yes"?>
<ErrorList xmlns="http://schemas.netwrix.com/api/v1/">
	<Error>
		<Category>XMLError</Category>
		<Description>Error parsing '2019-0227T12:42:24Z' as dateTime datatype.
The element '{http://schemas.netwrix.com/api/v1/activity_records/}When' with value '2019-0227T12:42:24Z' failed to parse.
</Description>
	</Error>
	<Error>
		<Category>XMLError</Category>
		<Description>Validate failed.
</Description>
	</Error>
</ErrorList>

Attached Files

•  SyslogService.log.txt   5.65KB   0 downloads
•  SyslogService.exe.config.txt   234bytes   0 downloads
•  settings.xml   3.36KB   0 downloads
•  genericlinux.xml   6.73KB   0 downloads

[Kirill K]

Hi there,

 

What is the linux editon and version on the server with syslog daemon?

[luca.casarini]

Hi there,

 

What is the linux editon and version on the server with syslog daemon?

 

CentOS 7

[Kirill K]

The syslog messages of CentOS 7 cannot be parsed because there are no predefined regexp rules in genericlinux.xml, you may also check the documentation and make sure CentOS 7 is not listed as predefined.

 

You should edit genericlinux.xml yourself and add corresponding regexp rules similar way as they are already added for supported unix OS.

[luca.casarini]

As noted previously, the parsing from the rsyslog host machine is not the issue, rather the parsing of the received DateTime value from the parser to the local SQL server (2019-0227T12:42:24Z). 

 

The syslog messages of CentOS 7 cannot be parsed because there are no predefined regexp rules in genericlinux.xml, you may also check the documentation and make sure CentOS 7 is not listed as predefined.

 

You should edit genericlinux.xml yourself and add corresponding regexp rules similar way as they are already added for supported unix OS.

 

[Kirill K]

You should uncomment the following line in genericlinux.xml:

<TimestampFormat>yyyy-MM-ddTHH:mm:ss.ffffffzzz</TimestampFormat>

 

Then change the value of timestamp so that parser might be able to recognize the date/time value.

 

In order to apply new changes you should restart the 'Netwrix Auditor Syslog Message Processing Service'

[luca.casarini]

 

You should uncomment the following line in genericlinux.xml:

<TimestampFormat>yyyy-MM-ddTHH:mm:ss.ffffffzzz</TimestampFormat>

 

Then change the value of timestamp so that parser might be able to recognize the date/time value.

 

In order to apply new changes you should restart the 'Netwrix Auditor Syslog Message Processing Service'

 

I have already done so as can be noted in the attached genericlinux.xml file, which is why I don't understand it not working. The parser regex is correctly receiving timestamps.

[luca.casarini]

I have resolved this issue by changing the "Z" in settings.xml to "zzz".