Comment: updated with new features for 2.2

...

The THEN expression consists either of a nested sub-policy or of a single action statement.

Before opEvents 2.2 the action statement must be a single string containing an AND-separated list of directives; from opEvents 2.2 onwards it can also be an explicit list of directives, which is faster and more flexible (see the EventParserrules.nmis that ships with opEvents for a best-current-practice example).

In both cases the action statement must contain one or more of the supported directives:

  • set.propertyname(value) sets the named property to the static value.
    No quoting of the value is required or supported.
    The character ")" cannot be part of the value before opEvents 2.2; in 2.2 and above it may only be present if you use the explicit list format for your action statement.
  • capture(propname1,propname2,...) saves the capture groups of the rule's regular expression in the named properties. The captures are assigned in the order in which the groups appear in the regular expression; if you want grouping but not capturing, use (?:....) in your regex. Note that you cannot use multiple capture statements in one THEN.
  • opEvents versions newer than 2.0 introduce the additional action ignore. This aborts all parsing of this input line altogether and no event is created for it.
    Normally the generic parser is expected to extract suitable information for an event from every single input line, which may not work well if your log data comes from multiple sources or cannot be suitably prefiltered.
  • In opEvents version 2.2 we've added the directive resolve(propname).
    If the named property value is an IP address, then resolve() queries the DNS for a host name for it; otherwise it looks up an IP address for the property value. If the resolution succeeds, the property value is replaced by the DNS result; otherwise the property is left as-is. Note that this is a live DNS query, so it adds lookup latency to every line that reaches the directive and depends on the resolver being reachable.

Rules are applied in ascending order of their numeric key, and nesting is fully supported.
Note that the numeric key may be fractional (e.g. "14.8"), which makes it easy to insert new rules between existing ones.
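To make the rule semantics above concrete, here is an added Python model of a generic parser rule set and the engine that applies it. It is not opEvents's own (Perl) code: the rule structure (numeric keys, IF regex, THEN as a string, a list, or a nested sub-policy), the directive syntax, the numeric key ordering and the ")" restriction on the string form follow the description above, while the assumption that every matching rule is applied in key order (rather than only the first match), the constructed Cisco-style log lines, and the FAKE_DNS table standing in for a real resolver are assumptions of this example.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline; the real resolve()
# directive issues live DNS queries.
FAKE_DNS_REVERSE = {"10.0.0.5": "core-sw1.example.net"}   # IP -> name
FAKE_DNS_FORWARD = {"core-sw1.example.net": "10.0.0.5"}   # name -> IP

# Constructed rules in the documented shape: numeric keys (fractional keys
# sort between their neighbours), IF regex, THEN action statement.
RULES = {
    "10": {
        "IF": r"^(\S+) %(\w+)-(\d)-(\w+): (.*)$",
        # explicit list form (2.2+): captures are assigned in regex group order
        "THEN": ["capture(node,facility,severity,mnemonic,details)", "resolve(node)"],
    },
    "10.5": {
        "IF": r"%\w+-[0-2]-",
        "THEN": {                      # nested sub-policy for urgent severities
            "1": {"IF": ".", "THEN": "set.priority(8) AND set.stateful(true)"},
            # a ')' inside the value is only allowed in the list form
            "2": {"IF": r"-0-", "THEN": ["set.note(emergency (severity 0))"]},
        },
    },
    "11": {"IF": r"%\w+-[3-7]-", "THEN": "set.priority(3)"},
    "20": {"IF": r"last message repeated \d+ times", "THEN": "ignore"},
}

# Constructed sample log lines, not real captures.
SAMPLE_LOG = [
    "10.0.0.5 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "10.0.0.5 %SYS-0-POWER: PSU 1 failed (shutdown imminent)",
    "10.0.0.5 last message repeated 3 times",
]

DIRECTIVE_RE = re.compile(r"^(set\.(\w+)|capture|resolve|ignore)(?:\((.*)\))?$")


def split_directives(then):
    """Normalise a THEN action statement into a list of directive strings.

    String form is the pre-2.2 AND-separated list; list form is the 2.2+
    explicit list.  In the string form a ')' inside a set value cannot be
    delimited unambiguously, so it is rejected here as an error."""
    if isinstance(then, str):
        parts = [p.strip() for p in then.split(" AND ")]
        for part in parts:
            if part.startswith("set.") and part.count(")") > 1:
                raise ValueError(f"')' inside a value needs the list form: {part!r}")
        return parts
    return list(then)


def apply_directive(directive, match, props):
    """Apply one directive to props; return False when the line must be ignored."""
    m = DIRECTIVE_RE.match(directive)
    if not m:
        raise ValueError(f"unknown directive {directive!r}")
    name, setprop, arg = m.group(1), m.group(2), m.group(3)
    if name == "ignore":
        return False
    if setprop:                                  # set.propertyname(value): static, unquoted
        props[setprop] = arg
    elif name == "capture":                      # captures assigned in regex group order
        for i, prop in enumerate(arg.split(","), start=1):
            props[prop.strip()] = match.group(i)
    elif name == "resolve":                      # IP -> name, or name -> IP; unchanged on miss
        value = props.get(arg)
        if value is not None:
            try:
                ipaddress.ip_address(value)
                props[arg] = FAKE_DNS_REVERSE.get(value, value)
            except ValueError:
                props[arg] = FAKE_DNS_FORWARD.get(value, value)
    return True


def run_rules(rules, line, props):
    """Apply rules in ascending numeric key order; recurse into nested
    sub-policies.  Returns False as soon as an ignore directive fires."""
    for key in sorted(rules, key=float):
        rule = rules[key]
        match = re.search(rule["IF"], line)
        if not match:
            continue
        then = rule["THEN"]
        if isinstance(then, dict):               # nested sub-policy
            if not run_rules(then, line, props):
                return False
            continue
        for directive in split_directives(then):
            if not apply_directive(directive, match, props):
                return False
    return True


def parse_line(rules, line):
    """Return the event properties for one log line, or None if it was ignored."""
    props = {}
    return props if run_rules(rules, line, props) else None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(RULES, line))
```

Running the block shows the first line producing a priority-3 event with node resolved to a host name, the second passing through the nested sub-policy (priority 8, stateful, a note containing ")") and the third returning None because rule 20's ignore aborts parsing before any event is built.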

opEvents 2.0.6 and newer ship with complete generic parser rules for parsing Cisco syslogs (log format type "cisco_alternate") and SNMP trap logs (log format type "nmis_traplog_alternate"), which you may want to use instead of the default built-in parsers if your log material requires custom processing.

...