Code Block
### syslog message from the node to the poller server

02:23:37.250516 IP 10.10.1.1.58415 > 10.215.1.7.syslog: SYSLOG local7.notice, length: 100
E....Y.....+
..
..../...l./<189>90: *Feb  1 11:23:35.623: %SYS-5-CONFIG_I: Configured from console by hero on vty0 (10.215.1.5)
^C

### syslog message from the poller server to the master server

11:23:37.273514 IP 10.215.1.7.35902 > 10.215.1.5.syslog: SYSLOG local7.notice, length: 126
E.....@.?.#.
...
....>.....j<189>Feb  1 02:23:37 10.10.1.1 90: *Feb  1 11:23:35.623: %SYS-5-CONFIG_I: Configured from console by hero on vty0 (10.215.1.5)

If the servers/nodes are in different time zones or the clocks are not correct, opEvents may not accept the syslog message by default. Setting the opEvents debug option to '1' will show the following message in /usr/local/omk/log/opEvents.log if this is the case.

Code Block
[Wed Feb  1 09:08:49 2017] [debug] worker[4697] event 1485875324 R1 Feb  1 00:08:44 10.10.1.1 66: *Feb  1 09:08:42.711: %OSPF-5-ADJCHG: Process 1, Nbr 10.10.1.3 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached is older than opevents_max_event_age, skipping!

As of opEvents 2.2.1, opEvents can be configured to accept these wildly out-of-date syslog messages and replace the origin timestamp with its own.

Code Block
### /usr/local/omk/config/opCommon.nmis

    'opevents_max_action_queue_age' => 3600,
    'opevents_max_event_age' => 7200,
    'opevents_max_time_delta' => 1800,
    'opevents_monthly_report_recipients' => [],
    'opevents_monthly_report_title' => 'Monthly Summary Report',

 

Setting the 'opevents_max_time_delta' to a value of 1800 seconds will instruct opEvents to do the following:

  • If the syslog message has a timestamp that is more than 1800 seconds off from the current server time:
    • Accept the syslog message
    • Remove the timestamp and replace it with its own timestamp.
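
A small model of the behaviour described above, added here as an illustration; it is not opEvents code. The function names, the year in NOW and the order in which the two settings are applied are assumptions; the sample line and the setting names come from this page.

```python
import re
from datetime import datetime

# Relayed line copied from the capture above: <PRI>Mmm dd hh:mm:ss host message
SAMPLE = ("<189>Feb  1 02:23:37 10.10.1.1 90: *Feb  1 11:23:35.623: %SYS-5-CONFIG_I: "
          "Configured from console by hero on vty0 (10.215.1.5)")
# Master server clock at receipt; the year is an assumption (the header carries none).
NOW = datetime(2017, 2, 1, 11, 23, 37)

LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)

def parse_relayed(line, now):
    """Split a relayed syslog line; borrow the year from `now`."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a <PRI>timestamp host message line")
    pri, stamp, host, msg = m.groups()
    ts = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    if (ts - now).days > 180:  # December message read in January
        ts = ts.replace(year=now.year - 1)
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "time": ts, "host": host, "message": msg}

def decide(event, now, max_event_age=7200, max_time_delta=None):
    """Return (accepted, event_time, reason) for one parsed message.

    Assumed order: the delta check runs first, so a message whose timestamp
    was replaced is never rejected as too old.
    """
    age = (now - event["time"]).total_seconds()
    if max_time_delta is not None and abs(age) > max_time_delta:
        return True, now, f"timestamp {abs(age):.0f}s off, replaced with server time"
    if age > max_event_age:
        return False, None, "older than opevents_max_event_age, skipping"
    return True, event["time"], "timestamp kept"

if __name__ == "__main__":
    ev = parse_relayed(SAMPLE, NOW)
    print(decide(ev, NOW))                       # delta check disabled
    print(decide(ev, NOW, max_time_delta=1800))  # setting from opCommon.nmis
```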