...

Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.

Create Parser Rules for Syslog

opEvents processes the syslog log file configured in opCommon.json. The "opevents_logs" section lists every log source and the file(s) it is read from; the "syslog_message" entry is the one that matters here:

"opevents_logs" : {
   "traplog" : [
      "<nmis9_logs>/trap.log"
   ],
   "nmis_eventlog" : [
      "<nmis9_logs>/event.log"
   ],
   "tivoli_log" : [
      "<nmis9_logs>/tivoli.log"
   ],
   "cisco_compatible" : [
      "<nmis9_logs>/cisco.log"
   ],
   "syslog_message" : [
      "<nmis9_logs>/syslog.log"
   ],
   "winlogd" : [
      "<nmis9_logs>/winlogd.log"
   ]
},

When parsing the syslog, at least the following properties should be extracted from each line:

  • date
  • host
  • details
  • event
  • element
  • stateful
  • state
  • priority

...

This article focuses on situations where customers want to customize how the remaining fields are extracted.

Based on the message we selected, we need to create a regular expression that extracts the date and host, and a second rule that recognises the message text and sets the event name and priority:

Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.

"syslog_message" : {
   "10" : {
      "IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
      "THEN" : [
         "capture(date,host)"
      ]
   },
   "11" : {
      "IF" : "Local authentication failed",
      "THEN" : [
         "set.event(Authentication Failed)",
         "set.priority(8)"
      ]
   }
}

Note that the backslashes in the regular expression are doubled because the rule is stored in a JSON string, and that the last rule must not be followed by a trailing comma or the file will fail to parse. Rule "10" captures the first two groups of the regex into the date and host properties; rule "11" matches the message text and sets the event name and priority.


After this, restart the opeventsd daemon. opEvents will then create an event named Authentication Failed, with priority 8, for every syslog line that matches these rules.
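To see what these two rules actually produce before restarting the daemon, here is a small Python model of the rule evaluation, added as an example for this article; it is not code from the page or from opEvents itself. It assumes the semantics the page describes (rules evaluated in numeric key order, "IF" is a regular expression searched against the line, capture() assigns the regex groups to the named properties in order, set.<field>(value) stores a literal) and, as a further assumption, that a line for which no rule sets an event name produces no event. The second and third sample lines are constructed for the example; only the first is from the page. It also checks the result against the list of properties given above, which is how you spot that these two rules leave element, stateful and state unset.

```python
import re

# Sample syslog lines. The first is the message from the article; the other
# two are constructed here to show a non-matching message and a malformed line.
SAMPLE_LINES = [
    "Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.",
    "Apr 01 16:40:02 CNOC-01 b102ogt: [SYSTEM]<6> Interface eth0 link up.",
    "garbage line without a timestamp",
]

# The "syslog_message" rules from the article. In opCommon.json the backslashes
# are doubled because the regex lives in a JSON string; here a raw string
# carries the same pattern with single backslashes.
RULES = {
    "10": {
        "IF": r"^(\w+\s\d+\s\d+:\d+:\d+)\s(\w+[-_]\w+)",
        "THEN": ["capture(date,host)"],
    },
    "11": {
        "IF": "Local authentication failed",
        "THEN": ["set.event(Authentication Failed)", "set.priority(8)"],
    },
}

# Properties the article says should be extracted from every syslog line.
REQUIRED_PROPERTIES = ("date", "host", "details", "event", "element",
                       "stateful", "state", "priority")

CAPTURE_RE = re.compile(r"capture\(([\w,\s]+)\)")
SET_RE = re.compile(r"set\.(\w+)\((.*)\)")


def apply_action(action, match, event):
    """Apply one THEN action to the event being built (assumed semantics)."""
    cap = CAPTURE_RE.fullmatch(action)
    if cap:
        # capture(a,b): regex groups are assigned to the named properties in order
        names = [n.strip() for n in cap.group(1).split(",")]
        for name, value in zip(names, match.groups()):
            event[name] = value
        return
    setter = SET_RE.fullmatch(action)
    if setter:
        # set.field(value): store the literal; numeric values become ints
        field, value = setter.groups()
        event[field] = int(value) if value.isdigit() else value
        return
    raise ValueError(f"unsupported action: {action}")


def parse_syslog_line(line, rules=RULES):
    """Run the rules over one line. Returns the event dict, or None when no
    rule set an event name (assumption: such lines produce no event)."""
    event = {"details": line}
    for key in sorted(rules, key=int):          # numeric rule order
        rule = rules[key]
        match = re.search(rule["IF"], line)
        if not match:
            continue
        for action in rule["THEN"]:
            apply_action(action, match, event)
    return event if "event" in event else None


def missing_properties(event):
    """Which of the properties listed in the article the rules did not fill."""
    return [p for p in REQUIRED_PROPERTIES if p not in event]


def parse_lines(lines, rules=RULES):
    """Events produced for a list of lines, non-events dropped."""
    return [e for e in (parse_syslog_line(l, rules) for l in lines) if e]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_syslog_line(line)
        print(line)
        print("  ->", event)
        if event:
            print("  missing:", missing_properties(event))
```

Running it shows that only the authentication-failure line becomes an event (date, host, details, event and priority set) while element, stateful and state are reported as missing, so a production rule set would need further set.* or capture() actions for those; the interface message matches rule 10 but never gets an event name, and the malformed line matches nothing.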