...

  • event - "Card Temperature OK"
  • stateful - "temperature"
  • state - "up"
  • priority - "2"

Evaluate The Syslog Messages To Be Processed

Create a list of the syslog messages that opEvents is required to process. Each message type you list here will need a matching parser rule below.

For example: 

Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.

Create Parser Rules for Syslog

opEvents reads the syslog log file from the path configured in opCommon.json (the "syslog_message" entry under "opevents_logs"):

Code Block
"opevents_logs" : {
         "traplog" : [
            "<nmis9_logs>/trap.log"
         ],
         "nmis_eventlog" : [
            "<nmis9_logs>/event.log"
         ],
         "tivoli_log" : [
            "<nmis9_logs>/tivoli.log"
         ],
         "cisco_compatible" : [
            "<nmis9_logs>/cisco.log"
         ],
         "syslog_message" : [
            "<nmis9_logs>/syslog.log"
         ],
         "winlogd" : [
            "<nmis9_logs>/winlogd.log"
         ]
      },

When parsing the syslog, at least the following properties should be extracted:

  • date
  • host
  • details
  • event
  • element
  • stateful
  • state
  • priority

The shipped version of EventParserRules.json has a syslog section that will extract the date, host and details fields for most situations. 

This article covers the cases where the remaining fields (event, element, stateful, state, priority) need to be customised for a particular message.

Based on the message we selected, we need a regular expression that extracts the date and host, and a second rule that recognises the message text and sets the event and priority. Note that the host capture below, "(\\w+[-_]\\w+)", only matches hostnames containing a hyphen or underscore such as CNOC-01; a hostname without one would not match rule 10 and the date and host would not be captured.

Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.

Code Block
"syslog_message" : {
   "10" : {
      "IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
      "THEN" : [
         "capture(date,host)"
      ]
   },
   "11" : {
      "IF" : "Local authentication failed",
      "THEN" : [
         "set.event(Authentication Failed)",
         "set.priority(8)"
      ]
   }
}


After saving EventParserRules.json (check that the file is still valid JSON; a trailing comma after the last rule will stop it from loading), restart the opeventsd daemon. opEvents will then create an Authentication Failed event with priority 8 for every syslog line that contains "Local authentication failed".
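To check what the two rules above will produce before restarting the daemon, the following added example interprets the same rule set in Python over a few constructed syslog lines. It is not opEvents' own parser and only supports the "capture(...)" and "set.<field>(...)" actions used on this page; the sample lines are constructed, not captured from a real device. It also shows the edge case noted above: a hostname without a hyphen or underscore does not match rule 10, so the event is created without date or host.

```python
import json
import re

# Constructed sample syslog lines (not from any real device).
SAMPLE_LINES = [
    "Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.",
    "Apr 01 16:40:02 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication succeeded(user: admin).",
    # Hostname without '-' or '_': rule 10 will not match this line.
    "Apr 01 16:41:10 core1 b102ogt: [SYSTEM]<6> Local authentication failed(user: root): Admin password error.",
]

# The same rule set as on the page, kept as a JSON string so the backslash
# escaping is exactly what goes into EventParserRules.json (no trailing comma).
RULES_JSON = r'''
{
  "syslog_message": {
    "10": {
      "IF": "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
      "THEN": ["capture(date,host)"]
    },
    "11": {
      "IF": "Local authentication failed",
      "THEN": ["set.event(Authentication Failed)", "set.priority(8)"]
    }
  }
}
'''

# Matches "capture(a,b)" or "set.<field>(value)"; other actions are rejected.
ACTION_RE = re.compile(r"^(capture|set\.(\w+))\((.*)\)$")


def apply_rules(line, rules):
    """Apply every rule in numeric order to one log line.

    Simplified approximation of rule evaluation (assumption, not opEvents'
    own logic): each rule's IF is a regex searched in the line; on a match
    its THEN actions run. 'details' is set to the whole line here; the
    shipped rules do their own extraction of that field.
    """
    props = {"details": line}
    for _, rule in sorted(rules.items(), key=lambda kv: int(kv[0])):
        m = re.search(rule["IF"], line)
        if not m:
            continue
        for action in rule["THEN"]:
            am = ACTION_RE.match(action)
            if not am:
                raise ValueError(f"unsupported action: {action}")
            kind, field, arg = am.groups()
            if kind == "capture":
                names = [n.strip() for n in arg.split(",")]
                if len(names) != len(m.groups()):
                    raise ValueError(f"{action}: regex has {len(m.groups())} groups")
                props.update(zip(names, m.groups()))
            else:
                props[field] = arg
    return props


def parse_syslog(lines, rules_json=RULES_JSON):
    """Return one property dict per input line using the syslog_message rules."""
    rules = json.loads(rules_json)["syslog_message"]
    return [apply_rules(line, rules) for line in lines]


if __name__ == "__main__":
    for props in parse_syslog(SAMPLE_LINES):
        print({k: v for k, v in props.items() if k != "details"})
```

The third sample line is the one to watch: rule 11 still fires, so an Authentication Failed event is raised, but without date or host it cannot be tied to a node. If hostnames without a separator occur in your environment, loosen the host capture in rule 10 (for example "(\\S+)") rather than relying on the second rule alone.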