|
Protocol |
Archive |
|
|
|
|
Description |
Read events from archive with Name
starting at DateTime
and ending with DateTime. |
|
|
|
|
Comments |
If starting DateTime is missing, blank or invalid, reading will start from the beginning of the archive. If ending DateTime is missing, blank or invalid, reading will continue until the end of the archive, including any new records. If Name is missing, blank or invalid, disable the reader. The ECS must have read permission for the files making up the archive. If process delay is not specified or invalid, all records are read as fast as possible without delay. Archives are EventGnosis-specific that capture event streams and are written by the ECS Archive Writer. The Archive Reader provides a data source of archived events that can be used to further process and manage event streams. Special XML characters are translated according to the XML character translation table. |
<source objectId="ArReaderSysLog" type="ArchiveReader" stdout="FS.DemoAlive"> <parameter type="Name">arSysLog</parameter> <parameter type=”DateTime”> <!— Jan 3, 2004 at 1:13:03 --> <year>2004</year> <month>1</month> <day>3</day> <hours>1</ hours> <minutes>13</minutes> <seconds>3</seconds> </parameter> <parameter type=”DateTime”> <!— Feb 23, 2004 at 12:47:59 --> <year>2004</year> <month>2</month> <day>23</day> <hours>12</ hours> <minutes>47</minutes> <seconds>59</seconds> </parameter> <parameter type="Not">Not</parameter> </source>
If the following line is read from an archive file (base name + ".eva"):
"20040223122859|2234|host=elmo|app=KeyGen|log=Windows Log|key=12a33"
The resulting event will be emitted:
<event xmlns:ev="http://www.eventgnosis.com/"> <host>elmo</host> <app>KeyGen</app> <log>Windows Log</log> <key>12a33</msg> </event>
Please refer to the Archive Writer for more details on the actual file format.