Articles  
 

MonitorWare Console - Concept of Parsing

Article created 2005-01-11 by Hamid Ali Raja.

MonitorWare Console is used to analyze the data extracted from either Windows or PIX log files. Parsing is required to extract valuable data from different formats e.g. XML and other user defined formats and return the data which is easier to read and handle. Later the data is displayed to the user using MonitorWare Console.

Currently, MonitorWare Console includes the following parsers:

  • Adiscon Parser for PIX
  • Adiscon Parser for XML
  • Adiscon Parser for Linux / UNIX

    Adiscon Parser for PIX is for PIX reported data that has been gathered by Adiscon Syslog daemon, Adiscon parser for XML is for Windows reported data gathered by Adiscon Syslog daemon and Adiscon Parser for Linux / UNIX is for PIX reported data gathered by Stock Unix / Linux Syslog daemon. Please note that each of these parsers accepts data in a specified format.

    For example, if you try to generate reports on a PIX data reported by a UNIX Syslog daemon using Adiscon Parser for PIX, you will end up in a failure as Adiscon parser for PIX does not support the format in which the data is reported by UNIX daemon.

    It supports the format in which the data is reported by Adiscon products. You can use other products but only if they can report data in the required format.

    Prescribed formats supported for these parsers and their brief description is as under:

    Adiscon Parser for PIX

    Supported Format Sample

    2003-07-09, 00:00:03, 2003-07-09, 00:00:03, 172.19.0.1, 20, 6, Jul 08 2003 21:46:19: %PIX-6-302005: Built UDP connection for faddr 65.200.203.248/7259 gaddr 217.6.190.187/1085 laddr 172.19.0.3/1085

    Explanation

    In the above sample message each information item of an event message is separated from other with a comma. Let us explain each of these in the following lines:

  • 2003-07-09: Date at which it was received.
  • 00:00:04: Time at which it was received.
  • 2003-07-09: Date at which the event was generated.
  • 00:00:03: Time at which the event was generated.
  • 172.19.0.1: IP address of the source that generated the event.
  • 20: Syslog Facility.
  • 6: Syslog Priority.
  • %PIX-6-302005: Built UDP connection for faddr 65.200.203.248/7259 gaddr 217.6.190.187/1085 laddr 172.19.0.3/1085: Message (It is only picked up from "%PIX" till end as it may or may not have the timestamp).

    Adiscon Parser for XML

    Supported Format Sample



    Explanation

  • Event: Contains complete information about the event.
  • IUT: Info unit ID.
  • Timegenerated: Time stamp when the event is received at the Syslog daemon.
  • Timereported: Time stamp when the event was generated at the source.
  • Importance: Importance of the event.
  • Syslogpriority: Priority of a Syslog message.
  • Syslogfacility: Facility of a Syslog message.
  • Syslogtag: Syslog tag value.
  • Source: Name of the source that generated the event message.
  • CustomerID: User assigned numerical value added for quick filtering.
  • SystemID: User assigned numerical value added for quick filtering.
  • Param0: tag contains the value of the parameter.
  • ID: Auto increment value.
  • SeverityID: Severity ID of the Syslog message.
  • Severity: Severity of the Syslog message.
  • Category: Category value from the Windows event log.
  • User: Event user.
  • Sourceproc: Name of the source process that generated the message.
  • Bdata: Binary data associated with an event.
  • Msg: Event message.
  • NTeventlogtype: Name of the Windows event log the event belongs ("System" or "Security").

    Adiscon Parser for Linux / UNIX

    Supported Format Sample

    Dec 3 14:51:52 grffw.adiscon.ne Dec 03 2004 13:19:40: %PIX-6-302005: Built UDP connection for faddr 195.93.61.26/32995 gaddr 217.6.190.187/53 laddr 192.168.0.2/53

    Explanation

    This message has 3 parts:

    1. Dec 3 14:51:52: received at field, this date time format does not contain the year. This is the date time stamp that the parser will pick for time filtering after adding the "Current Year". The parser assumes that the date time will always be in this format.

    2. grffw.adiscon.ne: FromHost field, it tells about the source of the generated event.

    3. Dec 03 2004 13:19:40: %PIX-6-302005: Built UDP connection for faddr 195.93.61.26/32995 gaddr 217.6.190.187/53 laddr 192.168.0.2/53: Message field, this message field may and may not have the timestamp. As such we will only pick up the part of message starting from "%PIX" till end.

    		•
    MonitorWareConsole
     Home
     The Products
    General Information
    MonitorWare Products
    Which one to Purchase?
    Order and Pricing
    Upgrade Insurance Info
    News Releases
    Version History
    Product Tour
     - Screenshots
     Event Repository
     Download
     Reference library
    Common Uses
    Centralized monitoring
    Security Reference
     Help
    Step by Step Guides
    Support
    Manual
    FAQ
     - All
     - General questions
     - Configurations related
     - Monitorware Agent
     - Monitorware Console
    Articles
    Seminars Online
     - All
     - General
     - MonitorWare Console
     - MonitorWare Agent
     - WinSyslog related
     - EventReporter
     Order & pricing
    Order now
    Pricing Information
    Upgrade Insurance Info
    Local Reseller
     Contact Us
     Search
     
     



    Printer Version Send this page to a friend

    Copyright © 1988-2005 Adiscon GmbH All rights reserved.
    Contact us via Secure Web Response | Privacy Policy
    Topic Links: syslog | Free Weblinks Directory