NetWitness Log Collection - Oracle WebLogic Server multiline logging that causes problems with filereader
Issue
1. Oracle WebLogic Server sometimes splits a single audit record across two lines, each terminated by an LF.
#### Audit Record Begin <05.07.2012 9:31:38> <Severity =INFORMATION> <<<Event Type = RoleManager Audit Event ><Subject: 0 LF
><<jndi>><type=<jndi>, application=, path={weblogic}, action=lookup><>>> Audit Record End #### LF
2. In /etc/netwitness/ng/logcollection/content/collection/file/oracleweblogic.xml the record delimiter configured is ####
3. In /etc/netwitness/ng/envision/etc/devices/oracleweblogic/v20_oracleweblogicmsg.xml one of the expected headers is as below, which differs from the log message.
content="%OracleWebLogicAR-4: #### Audit Record Begin <<<hfld1> <hfld2>, <hfld3> <hfld4> <hfld5>> <<Severity =<hfld6>> <<<<<<Event Type = <messageid> <hfld7>> <!payload:hfld1>" />
Cause
Oracle WebLogic Server logs are sometimes written in formats other than the standard one.
Resolution
- A workaround is to save the logs to a temporary directory; this can be done from the Agent SFTP shell script.
- Run a cron job that applies the following GNU sed one-liner to the files created in the temporary directory, then move the resulting files back to the filereader upload directory.
- This sed one-liner turns each multiline log record into a single line so that it is parsed normally.
- The sed one-liner to remove the LF at the EOL is as below:
sed -n -e 'H;${g;s/\n//g;p}' /tmp/file1 | sed 's/End ####/End ####\n/g' | sed 's/\tPrincipal/ Principal/g'
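The following POSIX shell script is an added example and is not part of the NetWitness article. It wraps the article's GNU sed pipeline in a function, runs it over every file in a staging directory, and moves the joined output into the filereader upload directory. TMP_DIR, UPLOAD_DIR, the .log suffix and the sample records are assumptions (the Principal line is constructed to exercise the TAB replacement). Two details go beyond the one-liner: the blank trailing line the pipeline leaves is dropped, and the output is written through a dot-prefixed temp file and renamed, so the filereader never picks up a half-written file.

```shell
#!/bin/sh
# Added example: join split Oracle WebLogic audit records (one record per line)
# and stage them for the NetWitness filereader. Requires GNU sed.
# Both directories are assumptions; adjust for your deployment.
TMP_DIR="${TMP_DIR:-/tmp/weblogic_staging}"
UPLOAD_DIR="${UPLOAD_DIR:-/var/netwitness/filereader/oracleweblogic}"   # hypothetical path

# join_weblogic_records IN OUT
# IN may contain records split across lines; OUT gets one complete record per line.
join_weblogic_records() {
    in="$1"
    out="$2"
    # 1. collect the whole file in the hold space and strip every LF
    # 2. put an LF back after each "End ####" record terminator
    # 3. replace the TAB before "Principal" with a space so the header matches
    # 4. drop the empty line the re-inserted LF leaves at the end of the file
    sed -n -e 'H;${g;s/\n//g;p}' "$in" \
      | sed 's/End ####/End ####\n/g' \
      | sed 's/\tPrincipal/ Principal/g' \
      | sed '/^$/d' > "$out"
}

# count_records FILE: number of complete records, i.e. lines that both start
# and end like a WebLogic audit record.
count_records() {
    grep -c '^#### Audit Record Begin .* Audit Record End ####$' "$1"
}

# stage_weblogic_logs: process every *.log file in TMP_DIR, write the joined
# result atomically into UPLOAD_DIR, and remove the staged original on success.
stage_weblogic_logs() {
    mkdir -p "$UPLOAD_DIR"
    for f in "$TMP_DIR"/*.log; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        tmp="$UPLOAD_DIR/.$name.tmp"
        if join_weblogic_records "$f" "$tmp"; then
            mv "$tmp" "$UPLOAD_DIR/$name" && rm -f "$f"
        else
            rm -f "$tmp"
        fi
    done
}

# Run the staging pass only when invoked as: sh stage_weblogic.sh run
if [ "${1:-}" = "run" ]; then
    stage_weblogic_logs
fi
```

Schedule `sh stage_weblogic.sh run` from cron at the interval the Agent SFTP script drops files; because the output file is renamed into place, a filereader poll that lands mid-write sees either nothing or the complete file.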
Notes
- Oracle WebLogic Server logging can be changed, usually by using Log4j, as here
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Collector
NetWitness Version/Condition: 11.X,12.X
Platform: CentOS 7 / Alma