Archive Writer

Definition

Protocol

Archive

Description

Write events to ECS Archive log files whose names start with Name.
Limit the file size to Number megabytes.
Limit the total number of files written to Number.

Comments

Archive logs are EventGnosis-specific files that capture event streams and are readable by the ECS Archive Log Reader. Events are written sequentially to the end of the log file with their respective timestamp and event sequence number until the file size limit is reached, at which time this file is closed and a new file is created to continue the writing.

If Name or file size is missing, blank or invalid, the writer will be disabled.

The ECS must have write permission for the archive files.

If the file size Number is missing, blank or invalid, the file size will be limited to 5 megabytes. Fractional values such as 0.5 are allowed.

If the log file count Number is missing, blank, invalid or less than one, up to 10 files will be allowed. Once this file count limit is reached, the oldest file is deleted before the new file is created.

Special XML characters are translated (decoded) according to the XML character translation table.

Example

<destination objectId="SysLogArchiveWriter1" type="ArchiveWriter">
	<parameter type="Name">arSysLog</parameter>
	<parameter type="Number">5</parameter>
	<parameter type="Number">10</parameter>
</destination>

Event Mapping

Incoming ECS event XML:

<event xmlns:ev="http://www.eventgnosis.com/">
	<ev:host>elmo</ev:host>
	<ev:app>KeyGen</ev:app>
	<ev:log>Windows Log</ev:log>
	<ev:key>12a33</ev:key>
</event>

This event will be appended as a single-line record to the archive file (base name + ".eva"):

"20040223122859|2234|host=elmo|app=KeyGen|log=Windows Log|key=12a33"

The first field is the Date/Time in YYYYMMDDHHMMSS format.
The second field is a unique, incrementing record id.
The remaining fields are name-value pairs.
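The following is an added illustration, not EventGnosis code: a small Python writer that follows the rules stated in the Comments section (size-based rotation, file-count cap with oldest-first deletion, the 5 MB and 10-file defaults, XML character translation) and produces the record line shown under Event Mapping, plus a reader for that line. Two details are assumptions, since the page does not state them: files are named <Name>.<n>.eva with an incrementing n, and a file counts as full once its size reaches the limit.

```python
"""Added illustration, not EventGnosis code: an Archive Writer look-alike that
follows the rotation, default and record-format rules described on the page.
Assumed (not stated on the page): file naming <Name>.<n>.eva with incrementing
n, and "full" meaning the file size has reached the limit."""
import os
import tempfile
import xml.etree.ElementTree as ET


def event_to_record(event_xml: str, timestamp: str, seq: int) -> str:
    """Render one ECS event as 'YYYYMMDDHHMMSS|seq|name=value|...'.
    ElementTree decodes XML entities (&lt; -> <, &amp; -> &) while parsing,
    which gives the 'special XML characters are translated' behaviour."""
    root = ET.fromstring(event_xml)
    fields = []
    for child in root:
        local_name = child.tag.rsplit("}", 1)[-1]  # drop the ev: namespace URI
        fields.append(f"{local_name}={child.text or ''}")
    return "|".join([timestamp, str(seq), *fields])


def parse_record(line: str):
    """Reverse of event_to_record. Values containing '|' or '=' are outside
    what the page specifies, so they are not special-cased here."""
    timestamp, seq, *pairs = line.split("|")
    return timestamp, int(seq), dict(pair.split("=", 1) for pair in pairs)


class ArchiveWriter:
    def __init__(self, directory: str, name, size_mb=5, max_files=10):
        if not isinstance(name, str) or not name.strip():
            raise ValueError("Name missing or blank: writer disabled")
        # Page defaults: bad size -> 5 MB (fractions allowed), bad count -> 10.
        try:
            size_mb = float(size_mb)
        except (TypeError, ValueError):
            size_mb = 5.0
        if size_mb <= 0:
            size_mb = 5.0
        try:
            max_files = int(max_files)
        except (TypeError, ValueError):
            max_files = 10
        if max_files < 1:
            max_files = 10
        self.directory, self.name = directory, name
        self.limit_bytes = int(size_mb * 1024 * 1024)
        self.max_files = max_files
        self.seq = 0            # unique, incrementing record id (spans files)
        self.file_index = 0     # suffix of the next file (assumed naming)
        self.files = []         # paths on disk, oldest first
        self.current = None

    def _open_new(self):
        # The oldest file is deleted before the new one is created.
        if len(self.files) >= self.max_files:
            os.remove(self.files.pop(0))
        self.file_index += 1
        path = os.path.join(self.directory, f"{self.name}.{self.file_index}.eva")
        self.files.append(path)
        self.current = open(path, "ab")  # the ECS needs write permission here

    def write(self, event_xml: str, timestamp: str) -> str:
        if self.current is None:
            self._open_new()
        self.seq += 1
        line = event_to_record(event_xml, timestamp, self.seq)
        self.current.write((line + "\n").encode("utf-8"))
        self.current.flush()
        if self.current.tell() >= self.limit_bytes:  # full: close, next write opens a new file
            self.close()
        return line

    def close(self):
        if self.current is not None:
            self.current.close()
            self.current = None


def demo():
    """Constructed run: five copies of the page's sample event, a 0.0001 MB
    limit (104 bytes, so two 64-byte records fill a file) and a 2-file cap."""
    sample = ('<event xmlns:ev="http://www.eventgnosis.com/">'
              '<ev:host>elmo</ev:host><ev:app>KeyGen</ev:app>'
              '<ev:log>Windows Log</ev:log><ev:key>12a33</ev:key></event>')
    with tempfile.TemporaryDirectory() as d:
        w = ArchiveWriter(d, "arSysLog", size_mb=0.0001, max_files=2)
        lines = [w.write(sample, "20040223122859") for _ in range(5)]
        w.close()
        remaining = sorted(os.listdir(d))  # file 1 was deleted to make room for file 3
        with open(os.path.join(d, remaining[-1]), encoding="utf-8") as f:
            last_file = [parse_record(l.rstrip("\n")) for l in f]
    return {"first": lines[0], "remaining": remaining, "last_file": last_file}


if __name__ == "__main__":
    print(demo())
```

Running the module writes five records with a deliberately tiny size limit so that rotation and oldest-file deletion happen within the run; the first record produced is the same line as the one shown in the Event Mapping section (with record id 1 instead of 2234).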