Send JSON event through Agent

Hi,

I am trying to create an agent policy to receive events from a REST webservice with JSON input.

The JSON file containing sample data looks like this:

{
  "event" : {
    "msg_txt": "sample message text",
    "severity": "sample severity"
  }
}

This file can be loaded in the UI, the "/event" root element is found and I can use event/msg_txt in the message attributes.

I am unsure how to submit an event via the webservice.

The curl comes back with status HTTP 200, so the submission seems successful, but I am not seeing the event in OBM (I am admin, so I guess I can see all events).

$ curl -v -X POST http://<server FQDN>:30005/bsmc/rest/events/obm_event -H 'Content-Type: application/json' -d '{"event": { "msg_txt", "test message"} }'


* About to connect() to <server FQDN> port 30005 (#0)
* Trying .....
* Connected to <server FQDN> (x.x.x.x) port 30005 (#0)
> POST /bsmc/rest/events/obm_event HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <server FQDN>:30005
> Accept: */*
> Content-Type: application/json
> Content-Length: 40
>
* upload completely sent off: 40 out of 40 bytes
< HTTP/1.1 200 OK
< cache-control: no-cache
< content-length: 0
< content-type: application/octetstream
< date: Fri, 11 Oct 2024 12:06:49 GMT
< senderid: 487269f8-3177-75e3-121f-f1e3b0d36b9a
<
* Connection #0 to host <server FQDN> left intact

I am not sure how to submit the event, the part after -d '  ' (I tried various things but no alert).

The policy looks like:

SYNTAX_VERSION 13

GENERIC_SOURCE "JSON_TEST"
DESCRIPTION ""
POLTYPE "xml-ws"
GROUP "ROOT"
GROUP "content"
GROUP "sources"
PARAM "logpath" "obm_event/"
PARAM "content-type" "json"
GROUP "roots"
GROUP "rootPair"
PARAM "root" "/event"
GROUP_END
GROUP_END
PARAM "chSet" "69"
GROUP_END
GROUP "options"
PARAM "isLogMatchedCond" "0"
PARAM "fieldSep" "&#x20;&#x09;"
PARAM "caseSensitive" "1"
PARAM "isLogMatchedSuppressCond" "0"
PARAM "isLogOnlyUnMatchedMsgToSrv" "0"
PARAM "isForwardUnMatchedMsgToSrv" "1"
PARAM "isLogUnMatchedCond" "0"
GROUP_END
GROUP_END
GROUP_END

DEFAULTMSG
TEXT "TEST JSON + <$DATA:/event/msg_txt>"

Any help much appreciated

(I also activated the "Forward unmatched events to the OBM" option assuming that anything that posts to /obm_events that is not matching the policy would raise an alert but nothing is raised)

  • Suggested Answer

    Hello,

    I think there is a JSON formatting issue.  JSON uses key-value pairs, so I changed "msg_txt", "test message" to: "msg_txt": "test message"

    This is the test curl:

    # curl -v -X POST localhost:30005/.../obm_event -H 'Content-Type: application/json' -d '{"event": { "msg_txt": "test message" }}'

    This is the event:

    FYI, this is the raw policy I used:

    SYNTAX_VERSION 13

    GENERIC_SOURCE "JSON_TEST"
    DESCRIPTION ""
    POLTYPE "xml-ws"
    GROUP "ROOT"
    GROUP "content"
    GROUP "sources"
    PARAM "logpath" "obm_event/"
    PARAM "content-type" "json"
    GROUP "roots"
    GROUP "rootPair"
    PARAM "root" "DEFAULT_ROOT"
    GROUP_END
    GROUP_END
    PARAM "chSet" "69"
    GROUP_END
    GROUP "options"
    PARAM "isLogMatchedCond" "0"
    PARAM "fieldSep" "&#x20;&#x09;"
    PARAM "caseSensitive" "1"
    PARAM "isLogMatchedSuppressCond" "0"
    PARAM "isLogOnlyUnMatchedMsgToSrv" "0"
    PARAM "isForwardUnMatchedMsgToSrv" "1"
    PARAM "isLogUnMatchedCond" "0"
    GROUP_END
    GROUP_END
    GROUP_END

    DEFAULTMSG
    TEXT "TEST JSON + <$DATA:/event/msg_txt>"
    MSGCONDITIONS
    DESCRIPTION "JSON test"
    CONDITION_ID "6ee9efcd-8ca7-4c13-af92-85b397b1ae4b"
    CONDITION
    "/event/msg_txt" ~= "<*>"
    ICASE
    SET
    TEXT "Matched: <$DATA:/event/msg_txt>"

    I like to add a condition where some value is tested, in this case "/event/msg_txt" matches <*>.

    Please let me know if you have any other questions.

    Have a nice weekend.

  • 0   in reply to   

    The URL got mangled: 

    localhost:30005/.../obm_event 

  • Verified Answer

    +1   in reply to   

    Still mangled - join this one up:
    http://localhost:30005/

    bsmc/rest/events/obm_event 

  • 0 in reply to   

    Thanks a lot! That actually did the trick.
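
The trace in the question shows HTTP 200 returned for a body that is not valid JSON, so the status code alone does not confirm that the event could be parsed. As an added example (not part of the original thread and not vendor code), a pre-flight check that parses a payload and confirms the paths this policy references exist before it is sent with curl; `check_payload`, `resolve` and `POLICY_PATHS` are names chosen here, and the slash-path walk is a simplification, not the agent's own matcher.

```python
import json

# Paths the policy in this thread references: root "/event" and <$DATA:/event/msg_txt>.
POLICY_PATHS = ["/event", "/event/msg_txt"]

# Payloads taken from the thread: the one from the question and the corrected one.
BROKEN = '{"event": { "msg_txt", "test message"} }'
FIXED = '{"event": { "msg_txt": "test message" }}'
# Constructed sample: valid JSON, but the root element name is misspelled.
WRONG_ROOT = '{"evnt": {"msg_txt": "x"}}'


def resolve(doc, path):
    """Walk a slash-separated path through nested JSON objects.

    Returns (True, value) if every segment exists, otherwise (False, None).
    """
    node = doc
    for segment in path.strip("/").split("/"):
        if not isinstance(node, dict) or segment not in node:
            return False, None
        node = node[segment]
    return True, node


def check_payload(raw, required_paths=POLICY_PATHS):
    """Return a list of problems; an empty list means the payload parses
    and contains every path the policy expects."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Report where parsing stopped so the typo is easy to locate.
        return [f"not valid JSON: {exc.msg} at column {exc.colno}"]
    problems = []
    for path in required_paths:
        found, _ = resolve(doc, path)
        if not found:
            problems.append(f"missing path {path}")
    return problems


if __name__ == "__main__":
    for label, raw in (("question", BROKEN), ("answer", FIXED), ("wrong root", WRONG_ROOT)):
        print(label, "->", check_payload(raw) or "ok")
```
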