Hi,
I am trying to create an agent policy to receive events from a REST webservice with JSON input.
The JSON file containing sample data looks like this:
{
"event" : {
"msg_txt": "sample message text",
"severity": "sample severity"
}
}
This file can be loaded in the UI; the "/event" root element is found and I can use event/msg_txt in the message attributes.
I am unsure how to submit an event via the webservice.
The curl comes back with status HTTP 200, so the submission seems successful, but I am not seeing the event in OBM (I am admin, so I guess I can see all events).
$ curl -v -X POST http://<sever FQDN>:30005/bsmc/rest/events/obm_event -H 'Content-Type: application/json' -d '{"event": { "msg_txt": "test message"} }'
* About to connect() to <server FQDN> port 30005 (#0)
* Trying .....
* Connected to <server FQDN> (x.x.x.x) port 30005 (#0)
> POST /bsmc/rest/events/obm_event HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <server FQDN>:30005
> Accept: */*
> Content-Type: application/json
> Content-Length: 40
>
* upload completely sent off: 40 out of 40 bytes
< HTTP/1.1 200 OK
< cache-control: no-cache
< content-length: 0
< content-type: application/octetstream
< date: Fri, 11 Oct 2024 12:06:49 GMT
< senderid: 487269f8-3177-75e3-121f-f1e3b0d36b9a
<
* Connection #0 to host <server FQDN> left intact
I am not sure how to submit the event, i.e. the part after -d ' ' (I tried various things, but no alert).
The policy looks like:
SYNTAX_VERSION 13
GENERIC_SOURCE "JSON_TEST"
DESCRIPTION ""
POLTYPE "xml-ws"
GROUP "ROOT"
GROUP "content"
GROUP "sources"
PARAM "logpath" "obm_event/"
PARAM "content-type" "json"
GROUP "roots"
GROUP "rootPair"
PARAM "root" "/event"
GROUP_END
GROUP_END
PARAM "chSet" "69"
GROUP_END
GROUP "options"
PARAM "isLogMatchedCond" "0"
PARAM "fieldSep" " 	"
PARAM "caseSensitive" "1"
PARAM "isLogMatchedSuppressCond" "0"
PARAM "isLogOnlyUnMatchedMsgToSrv" "0"
PARAM "isForwardUnMatchedMsgToSrv" "1"
PARAM "isLogUnMatchedCond" "0"
GROUP_END
GROUP_END
GROUP_END
DEFAULTMSG
TEXT "TEST JSON + <$DATA:/event/msg_txt>"
Any help much appreciated
(I also activated the "Forward unmatched events to the OBM" option, assuming that anything posted to /obm_events that does not match the policy would raise an alert, but nothing is raised.)
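As an added example (not from the original post, and not OBM's own tooling), the Python script below builds the body described by the sample file above, checks it locally against the root path and field the posted policy references (PARAM "root" "/event" and <$DATA:/event/msg_txt>), and only then POSTs it to the webservice. The endpoint placeholder is copied from the curl command; the "warning" severity value and the local check itself are my assumptions, not an OBM API. The point of the local check is that the webservice in the transcript answers 200 with an empty body, so the HTTP status alone does not tell you whether the policy saw an event.

```python
import json
import urllib.request

# Endpoint as in the curl command of the post; replace the placeholder host.
OBM_WS_URL = "http://<server FQDN>:30005/bsmc/rest/events/obm_event"

# Taken from the posted policy: the root element it looks for and the field its
# DEFAULTMSG text references. "severity" appears in the sample file but is not
# referenced by the policy, so it is sent but not required (my assumption).
POLICY_ROOT = "/event"
POLICY_FIELDS = ("msg_txt",)


def build_event(msg_txt: str, severity: str) -> dict:
    """Build the structure the sample file in the post describes."""
    return {"event": {"msg_txt": msg_txt, "severity": severity}}


def serialize(event: dict) -> str:
    """json.dumps produces the quoting and colons a hand-typed -d body can get wrong."""
    return json.dumps(event)


def resolve_path(doc, path: str):
    """Walk a '/a/b' style path through nested dicts; None if any step is missing."""
    node = doc
    for part in path.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_against_policy(body: str, root: str = POLICY_ROOT,
                         fields=POLICY_FIELDS) -> list:
    """Return the problems that would make the policy ignore this payload.

    An empty list means: the body parses as JSON, the root element the policy
    is configured for exists, and every referenced field under it is a string.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # e.g. a comma where the colon belongs; the server in the post still
        # answers 200 to such a body, so this is the only place it is caught.
        return [f"body is not valid JSON: {exc}"]
    node = resolve_path(doc, root)
    if not isinstance(node, dict):
        return [f"root element {root} not found"]
    return [f"{root}/{f} missing or not a string"
            for f in fields if not isinstance(node.get(f), str)]


def submit(body: str, url: str = OBM_WS_URL, timeout: float = 10.0) -> int:
    """POST the body; refuse to send anything the local check rejects."""
    problems = check_against_policy(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        url, data=body.encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        # 200 with an empty body is what the post's transcript shows; it does
        # not prove the policy matched, so confirm in the OBM event browser.
        return resp.status


if __name__ == "__main__":
    payload = serialize(build_event("test message", "warning"))
    print(payload)
    print(check_against_policy(payload))           # [] means safe to submit
    # Constructed bad bodies, to show what the local check rejects:
    print(check_against_policy('{"event": { "msg_txt", "test message"} }'))
    print(check_against_policy('{"msg_txt": "no root element"}'))
    # submit(payload)  # uncomment once OBM_WS_URL points at your server
```

Run it with the host replaced; the two printed lists for the constructed bad bodies show the difference between a body the webservice accepts on the wire and a body the policy can actually match.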