...
Both black and white lists are configured in /usr/local/omk/conf/EventListRules.nmis, in sections like this example:
...
The format is straightforward: the numeric key controls the order in which rules are applied, and the right-hand side is a regular expression that the log entries are matched against.
opEvents 4.x:
/usr/local/omk/conf/EventListRules.json
```json
{
  "whiteList" : {
    "91" : "CISCO-RTTMON-MIB::rttMonNotification",
    "90" : "CISCO-RTTMON-MIB::rttMonTimeoutNotification",
    "80" : "CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent .+ ccmHistoryEventConfigDestination\\.\\d+=running",
    "1" : "TIVOLI\\|\\w+\\|ams",
    "72" : "BGP4-MIB::bgpEstablished",
    "31" : "BGP-\\d-ADJCHANGE",
    "30" : "OSPF-\\d-ADJCHG",
    "50" : "SNMPv2-MIB::snmpTrapOID.0=IF-MIB::link",
    "40" : "SYS-\\d-CONFIG_I",
    "20" : "LINEPROTO",
    "10" : "SYS-[0123]-\\w+",
    "73" : "BGP4-MIB::bgpBackwardTransition",
    "60" : "BRIDGE-MIB::newRoot",
    "70" : "OSPF-TRAP-MIB::ospfNbrStateChange"
  },
  "blackList" : {
    "30" : "CISCO-SYSLOG-MIB::clogMessageGenerated",
    "10" : "NTP Core \\(INFO\\)",
    "20" : "OLD-CISCO-TS-MIB::tslineSesType\\.6\\.1=tcp"
  },
  "archiveList" : {
    "30" : {
      "regex" : "Node (Up|Down)",
      "archive" : "NodeEvents"
    },
    "20" : {
      "archive" : "SoftwareErrorArchive",
      "regex" : "INVMEMINT|MALLOCFAIL"
    },
    "10" : {
      "archive" : "SyslogArchive",
      "regex" : "SYS-[0123]-\\w+"
    }
  }
}
```
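To make the ordering rule concrete, here is an added Python example (not part of the opEvents documentation or code) that loads a trimmed copy of the rules above and applies them to a few constructed log lines. Its evaluation policy is an assumption made for the illustration, not a statement of how opEvents itself evaluates the lists: within each list the lower numeric keys are tried first and the first match wins; a blackList match drops the entry, otherwise a whiteList match accepts it and an entry matching neither is ignored; archiveList is consulted independently to pick an archive name.

```python
import json
import re

# Constructed, trimmed copy of the EventListRules.json shown above, embedded
# so the example runs offline. Backslashes are JSON-escaped exactly as in
# the file; json.loads() turns "\\d" into the regex \d.
RULES_JSON = r'''
{
  "whiteList" : {
    "31" : "BGP-\\d-ADJCHANGE",
    "30" : "OSPF-\\d-ADJCHG",
    "20" : "LINEPROTO",
    "10" : "SYS-[0123]-\\w+"
  },
  "blackList" : {
    "30" : "CISCO-SYSLOG-MIB::clogMessageGenerated",
    "10" : "NTP Core \\(INFO\\)"
  },
  "archiveList" : {
    "30" : { "regex" : "Node (Up|Down)", "archive" : "NodeEvents" },
    "20" : { "archive" : "SoftwareErrorArchive", "regex" : "INVMEMINT|MALLOCFAIL" },
    "10" : { "archive" : "SyslogArchive", "regex" : "SYS-[0123]-\\w+" }
  }
}
'''

# Constructed sample log entries (hypothetical hosts and RFC 5737 addresses).
SAMPLE_LINES = [
    "%SYS-3-LOGGER_FLUSHED: System was paused for 00:00:01 to ensure console debugging output.",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "NTP Core (INFO): synchronized to 192.0.2.10",
    "CISCO-SYSLOG-MIB::clogMessageGenerated clogHistMsgText=SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed",
    "Node Down: core-sw1 stopped responding to polls",
]


def compile_rules(rules_json):
    """Parse the rules and sort each list by its numeric key (ascending).

    Assumption for this illustration: lower keys are applied first.
    """
    rules = json.loads(rules_json)

    def ordered(section):
        return sorted(section.items(), key=lambda kv: int(kv[0]))

    white = [(k, re.compile(v)) for k, v in ordered(rules.get("whiteList", {}))]
    black = [(k, re.compile(v)) for k, v in ordered(rules.get("blackList", {}))]
    archive = [(k, re.compile(v["regex"]), v["archive"])
               for k, v in ordered(rules.get("archiveList", {}))]
    return white, black, archive


def classify(line, compiled):
    """Decide what happens to one log entry under the assumed policy.

    Returns a dict with the action (drop / accept / ignore), the rule that
    decided it, and the archive chosen by archiveList (or None).
    """
    white, black, archive = compiled
    action, rule = "ignore", None
    for key, rx in black:            # blacklist first: a match drops the entry
        if rx.search(line):
            action, rule = "drop", f"blackList/{key}"
            break
    if action == "ignore":           # otherwise first whitelist hit accepts it
        for key, rx in white:
            if rx.search(line):
                action, rule = "accept", f"whiteList/{key}"
                break
    archive_name = None              # archive routing is evaluated independently
    for key, rx, name in archive:
        if rx.search(line):
            archive_name = name
            break
    return {"line": line, "action": action, "rule": rule, "archive": archive_name}


def apply_rules(lines, rules_json=RULES_JSON):
    compiled = compile_rules(rules_json)
    return [classify(line, compiled) for line in lines]


if __name__ == "__main__":
    for r in apply_rules(SAMPLE_LINES):
        print(f"{r['action']:7} {str(r['rule']):13} {str(r['archive']):21} {r['line'][:60]}")
```

The fourth sample line is the instructive one: it contains MALLOCFAIL, which matches the archiveList "20" rule, but because "10" (SYS-[0123]-\w+) is applied first it is routed to SyslogArchive rather than SoftwareErrorArchive. Swapping those two numeric keys would change the outcome, which is why the keys, not the order of appearance in the file, matter.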
Normalisation and Enrichment
...
Your event has to include a Host and Date entry to be accepted. For it to be usable in the GUI it also needs, at a minimum, an "event" property. We recommend including further details as described on the event properties page.
If your parser is only required to display the raw log output and not perform any event extraction, adding the below to EventParserRules.json will enable the new parser:
```json
"MyNewParser" : {
},
```
Once this has been added, ensure that the opEvents daemon has been restarted.
opEvents 2.0.6 and newer ships with complete generic parser rules for parsing Cisco syslogs (log format type "cisco_alternate") and SNMP trap logs (log format type "traplog"), plus other syslog and nxlog parsers for various vendors such as Huawei, Juniper and Microsoft. These can be extended, and new entries can be contributed via code@opmantek.com.
...