ICDx

  • 1.  Question about using the event api

    Posted Aug 07, 2019 02:37 PM

    Hi all,


    I'm trying to set up an integration with ICDx and as part of that I make a post to the event api from the docs. When I post to /api/dx/logger/events with my authentication info and my json blob, I get back a 202 response as expected. However, when I go to the search tab on the ICDx server, I'm unable to find my event.

    I don't expect it to have much info, as I'm posting just the minimal required values, but how can I see the event in the ICDx system for verification?

    Regards,

    Spencer Rathbun



  • 2.  RE: Question about using the event api

    Posted Aug 07, 2019 04:29 PM

    Hi Spencer,

    The events should be in the Common Archive. Note that usually it takes a few seconds (~10-25sec) to see the events due to caching.

    Can you share your json blob?

    Roumen



  • 3.  RE: Question about using the event api

    Posted Aug 08, 2019 08:48 AM

    Hi Roumen,


    I waited over an hour and checked the Common Archive multiple times, never saw it. This is one of the json blobs I got a 202 returned for.

    {"device_time": 123, "feature_name": "Symantec Integration", "type_id": 1, "product_name": "Bluvector", "message": "FAIL", "category_id": 1, "severity_id": 1, "id": 4, "device_name": "abc"}

    I also uploaded a second blob with a properly generated device_time in case that was causing an issue.

    Thanks!

    Spencer



  • 4.  RE: Question about using the event api
    Best Answer

    Posted Aug 12, 2019 11:37 AM

    Hi Spencer,

    Sorry for the delayed answer. The only thing I can think of is to make sure you have Content-Type: application/json set. For example:

    POST https://<host-ip>/api/dx/logger/events
    Content-Type: application/json
    Cache-Control: no-cache

    {"device_time": 123, "feature_name": "Symantec Integration", "type_id": 1, "product_name": "Bluvector", "message": "FAIL", "category_id": 1, "severity_id": 1, "id": 4, "device_name": "abc"}

    The time attribute will not cause the problem.

    Roumen
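    The fix from this answer as a small client, added here as an example and not code from the thread or from Symantec. It assumes the <host-ip> placeholder from the answer above and that you supply your own authentication header(s), since the thread does not show its auth scheme; the "wrong" builder reproduces the form-encoded request that still got a 202 but never reached the archive.

```python
import json
import urllib.parse
import urllib.request

# Placeholder host exactly as written in the answer above; replace with your ICDx server.
ICDX_EVENTS_URL = "https://<host-ip>/api/dx/logger/events"

# Constructed sample: the same minimal fields posted in this thread.
SAMPLE_EVENT = {
    "device_time": 123, "feature_name": "Symantec Integration", "type_id": 1,
    "product_name": "Bluvector", "message": "FAIL", "category_id": 1,
    "severity_id": 1, "id": 4, "device_name": "abc",
}


def build_event_request(event, auth_headers, url=ICDX_EVENTS_URL):
    """Serialize the event as JSON and set the headers the logger API expects."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-cache"}
    headers.update(auth_headers)  # assumed: the caller supplies its own auth header(s)
    return {"url": url, "headers": headers, "body": json.dumps(event).encode("utf-8")}


def build_form_request(event, auth_headers, url=ICDX_EVENTS_URL):
    """The mistake from post 5: a form-encoded body (e.g. what requests.post(data=dict)
    sends). The API still answers 202, but the event never shows in the Common Archive."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    headers.update(auth_headers)
    return {"url": url, "headers": headers, "body": urllib.parse.urlencode(event).encode("utf-8")}


def validate_event_request(req):
    """Pre-flight check before sending: a list of problems, empty when the request looks
    right. A 202 from the server is not proof the event was stored, so catch this locally."""
    problems = []
    ctype = {k.lower(): v for k, v in req["headers"].items()}.get("content-type", "")
    if ctype.split(";")[0].strip() != "application/json":
        problems.append("Content-Type is %r, expected application/json" % ctype)
    try:
        parsed = json.loads(req["body"])
    except ValueError:
        problems.append("body is not valid JSON")
        return problems
    if not isinstance(parsed, dict):
        problems.append("body must be a JSON object, not %s" % type(parsed).__name__)
    return problems


def send_event(req, timeout=10):
    """POST and return the HTTP status (202 expected); then verify in the Common Archive,
    which lags roughly 10-25 s behind the POST because of caching."""
    http_req = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.status
```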




  • 5.  RE: Question about using the event api

    Posted Aug 13, 2019 10:09 AM

    Hi Roumen,


    I double-checked to make sure I'm using application/json when I send the request. It turned out I was using application/x-www-form-urlencoded, so I switched it to application/json and got another 202.

    Now when I go to the search page and check the Common Archive, it gives me an exclamation point and "Error loading event counts" instead of a timeline.

    Checking the server logs, each time I refresh the search, I get this error:

    2019-08-13 10:05:31,667 [Archive Reader-pool-thread-3] WARN  com.symantec.archiver.ArchiveFinderModule - Archive file read error: /data/symantec/icdx/archives/default/2019/08/13/1565697837144 has invalid version: 587397233
    java.io.IOException: /data/symantec/icdx/archives/default/2019/08/13/1565697837144 has invalid version: 587397233
            at com.symantec.archive.idx.NameReader.<init>(NameReader.java:61)
            at com.symantec.archive.idx.NameReader.<init>(NameReader.java:45)
            at com.symantec.archive.idx.NameReader.getFieldTable(NameReader.java:74)
            at com.symantec.archive.RevEventInputStream.open(RevEventInputStream.java:94)
            at com.symantec.archive.RevEventInputStream.<init>(RevEventInputStream.java:56)
            at com.symantec.archive.ArchiveFinder.createEventInput(ArchiveFinder.java:315)
            at com.symantec.archive.MultiArchiveFinder.createEventInput(MultiArchiveFinder.java:53)
            at com.symantec.archiver.ArchiveFinderModule.timeSpan(ArchiveFinderModule.java:952)
            at com.symantec.archiver.ArchiveFinderModule.histogram(ArchiveFinderModule.java:782)
            at com.symantec.archiver.ArchiveFinderModule.execute(ArchiveFinderModule.java:234)
            at com.symantec.archiver.ArchiveFinderModule.lambda$consume$0(ArchiveFinderModule.java:114)
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
            at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at java.lang.Thread.run(Thread.java:748)


    Looks like it is trying to read some data now and failing for some reason. So we've got progress! Just need to figure out what this error means.


    Thanks,

    Spencer




  • 6.  RE: Question about using the event api

    Posted Aug 18, 2019 04:57 PM

    Sorry, it is a bit crazy around here.

    This error means that the archive has some bad data. So, let's clean up the archives: ssh to the ICDx machine, stop the launcher_dx service, delete the default archive, and then start the launcher_dx service. As root run:

    systemctl stop launcher_dx
    rm -fr /data/symantec/icdx/archives/default/2019
    systemctl start launcher_dx

    Send some data and check again. Let me know how it goes.

    Roumen



  • 7.  RE: Question about using the event api

    Posted Aug 19, 2019 02:03 PM

    That resolved the problem Roumen, my data now shows up.

    Thanks for all the help!

    Spencer



  • 8.  RE: Question about using the event api

    Posted Aug 19, 2019 06:41 PM

    You are welcome. BTW, do you have access to the API docs?

    Roumen