...
Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.
Create Parser Rules for Syslog
opEvents will process the syslog log file as specified on opCommon.json.
...
This article focuses on situations where customers want customization for the remaining fields.
Base on the message that we select we need to create a regular expression to extract the date, host and event.
Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.
| Code Block |
|---|
"syslog_message" : {
"10" : {
"IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
"THEN" : [
"capture(date,host)"
]
},
"11" : {
"IF" : "Local authentication failed",
"THEN" : [
"set.event(Authentication Failed)",
"set.priority(8)"
]
},
} |
After this we need to restart the opeventsd daemon then opEvents will create an event for Authentication Failed.