...
Generic Extensible Parser
In situations where none of the built-in input mechanisms are suitable you can also The default method for Normalisation is with the Generic Extensible Parser conf/EventParserRules.nmis you extend current parser entries or you ca define your own generic parser rules to integrate just about any text-based log information into opEvents. Your event is expected to contain all required event properties.
The generic parser is activated by for different log files in the configuration option opevents_parser_rules, in conf/opCommon.nmis, and the , there is one entry for each log file which defines which 'parser' entry is to be used. The rules are defined in conf/EventParserRules.nmis. Hiere Here is an excerpt from the generic parser rules example that opEvents ships with: In this case the parser entry (used to associate it with certain log files) is called 'cisco_alternate'
| Code Block |
|---|
'cisco_alternate' => {
1 => {
"IF" => qr/%/, # no cisco log if no % present
"THEN" => {
# match date/time, host and details
10 => {
IF => qr/^(\S+\s+\d+\s+[\d:]+)\s+(\S+)[^%]+%(.+)$/,
THEN => "capture(date,host,details)",
},
# some units have Local instead of hms
11 => {
IF => qr/^(\S+\s+\d+)\s+Local\s+(\S+)[^%]+%(.+)$/,
THEN => "capture(date,host,details)",
},
# match event name, could have done that in one of the regexp above
20 => {
IF => qr/%(\w+\-\d-\w+):/,
THEN => "capture(event) AND capture(syslog)", # save this in two places
},
'23' => {
IF => qr/%BGP-5-ADJCHANGE: neighbor (\d+\.\d+\.\d+\.\d+) Down/,
THEN => 'capture(element) AND set.event(BGP Neighbor Down) AND set.state(down) AND set.priority(4) AND set.stateful(BGP Neighbor)',
},
... |
...