
Generic Linux Add-ons (Syslog) error, 400 bad request and XML parsing error.


7 replies to this topic

#1 luca.casarini


Posted 27 February 2019 - 03:22 PM

We receive a 400 Bad Request error as shown, as well as an XML parsing error related to the DateTime; the rsyslog.conf on the relevant machine is configured correctly as in the documentation. We have tried diagnosing possible causes to no avail. There is no data loaded within Netwrix itself. SQL services seem to be configured correctly.

 

Attached relevant files including log.

2/27/2019 1:42:30 PM [SENDER][ERROR] (LOCALHOST) The remote server returned an error: (400) Bad Request.
<?xml version="1.0" standalone="yes"?>
<ErrorList xmlns="http://schemas.netwrix.com/api/v1/">
	<Error>
		<Category>XMLError</Category>
		<Description>Error parsing '2019-0227T12:42:24Z' as dateTime datatype.
The element '{http://schemas.netwrix.com/api/v1/activity_records/}When' with value '2019-0227T12:42:24Z' failed to parse.
</Description>
	</Error>
	<Error>
		<Category>XMLError</Category>
		<Description>Validate failed.
</Description>
	</Error>
</ErrorList>




#2 Kirill K


Posted 27 February 2019 - 03:30 PM

Hi there,

 

What is the Linux edition and version on the server with the syslog daemon?


Best regards,
Forum Engineer
 


#3 luca.casarini


Posted 27 February 2019 - 04:02 PM

Hi there,

 

What is the Linux edition and version on the server with the syslog daemon?

 

CentOS 7



#4 Kirill K


Posted 28 February 2019 - 07:36 AM

The syslog messages of CentOS 7 cannot be parsed because there are no predefined regexp rules in genericlinux.xml; you may also check the documentation and make sure CentOS 7 is not listed as predefined.
 
You should edit genericlinux.xml yourself and add the corresponding regexp rules in a similar way to how they are already added for the supported Unix OSes.

Best regards,
Forum Engineer
 


#5 luca.casarini


Posted 04 March 2019 - 10:19 AM

As noted previously, the parsing on the rsyslog host machine is not the issue; rather, it is the parsing of the received DateTime value passed from the parser to the local SQL server (2019-0227T12:42:24Z).

 

The syslog messages of CentOS 7 cannot be parsed because there are no predefined regexp rules in genericlinux.xml; you may also check the documentation and make sure CentOS 7 is not listed as predefined.
 
You should edit genericlinux.xml yourself and add the corresponding regexp rules in a similar way to how they are already added for the supported Unix OSes.

 



#6 Kirill K


Posted 07 March 2019 - 10:11 AM

You should uncomment the following line in genericlinux.xml:

<TimestampFormat>yyyy-MM-ddTHH:mm:ss.ffffffzzz</TimestampFormat>
 
Then change the value of the timestamp so that the parser is able to recognize the date/time value.
 
In order to apply the new changes you should restart the 'Netwrix Auditor Syslog Message Processing Service'.

Best regards,
Forum Engineer
 


#7 luca.casarini


Posted 11 March 2019 - 07:14 AM

 

You should uncomment the following line in genericlinux.xml:

<TimestampFormat>yyyy-MM-ddTHH:mm:ss.ffffffzzz</TimestampFormat>
 
Then change the value of the timestamp so that the parser is able to recognize the date/time value.
 
In order to apply the new changes you should restart the 'Netwrix Auditor Syslog Message Processing Service'.

 

I have already done so as can be noted in the attached genericlinux.xml file, which is why I don't understand it not working. The parser regex is correctly receiving timestamps.



#8 luca.casarini


Posted 11 March 2019 - 08:33 AM

I have resolved this issue by changing the "Z" in settings.xml to "zzz".
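The 400 Bad Request in the first post was the API rejecting a `When` value ('2019-0227T12:42:24Z', no hyphen between month and day) that does not match the xs:dateTime lexical form. The following is an added example, not Netwrix code, of a pre-send check that validates a `When` value against that form (date, time, optional fraction, optional `Z` or `+hh:mm` offset, as accepted by the `zzz` fix above) and normalizes the offset variants to UTC; the value list is constructed for the demonstration.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Lexical form of XML Schema xs:dateTime, the datatype the API reported:
# YYYY-MM-DDThh:mm:ss[.fraction] followed by an optional Z or +hh:mm/-hh:mm offset.
# Years outside 0001-9999 are treated as invalid here (Python datetime range).
_XSD_DATETIME = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})?$",
    re.ASCII,
)


def parse_xsd_datetime(value: str):
    """Return an aware UTC datetime (naive if no offset was given),
    or None when the value is not a valid xs:dateTime."""
    m = _XSD_DATETIME.match(value)
    if m is None:
        return None  # e.g. '2019-0227T12:42:24Z' fails the pattern here
    year, month, day, hour, minute, second, frac, tz = m.groups()
    year, month, day = int(year), int(month), int(day)
    hour, minute, second = int(hour), int(minute), int(second)
    if year < 1 or not 1 <= month <= 12:
        return None
    if not 1 <= day <= calendar.monthrange(year, month)[1]:
        return None  # rejects e.g. 30 February
    if hour > 23 or minute > 59 or second > 59:
        return None
    # Keep at most six fraction digits (microsecond precision), zero-padded.
    micro = int((frac or ".0")[1:7].ljust(6, "0"))
    dt = datetime(year, month, day, hour, minute, second, micro)
    if tz is None:
        return dt
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        oh, om = int(tz[1:3]), int(tz[4:6])
        if oh > 14 or om > 59:
            return None
        offset = sign * timedelta(hours=oh, minutes=om)
    return dt.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def check_when_values(values):
    """Map each constructed <When> value to 'ok' or 'invalid'."""
    return {v: ("ok" if parse_xsd_datetime(v) else "invalid") for v in values}
```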
