Event Transform

Hello Team,

The following type of event(s) is causing our transform to break at the / and /Perf/FileSystem level

event { uuid: "7056c950-6d2d-11e7-a243-0242ac11000e" created_time: 1500542755653 event_class: "/" event_class_key: "Microsoft-Windows-Kernel-General_1" actor { element_type_id: DEVICE element_uuid: "5bd15ce6-fb04-488d-8498-08b63527e694" element_identifier: "Myserver" element_sub_type_id: COMPONENT element_sub_identifier: "Microsoft-Windows-Kernel-General" } summary: "The system time has changed to \342\200\2162017\342\200\216-\342\200\21607\342\200\216-\342\200\21620T09:21:07" message: "The system time has changed to \342\200\2162017\342\200\216-\342\200\21607\342\200\216-\342\200\21620T09:21:07.543000000Z from \342\200\2162017\342\200\216-\342\200\21607\342\200\216-\342\200\21620T09:21:05.943262100Z. Change Reason: An application or system component changed the time." severity: SEVERITY_INFO event_key: "" event_group: "System" agent: "zenpython" nt_event_code: 1 monitor: "localhost" details { name: "manager" value: "f29e41c3839b" } details { name: "eventidentifier" value: "1" } details { name: "computername" value: "Myserver" } details { name: "user" value: "NT AUTHORITY\\SYSTEM" } details { name: "originaltime" value: "07/20/2017 02:21:07" } details { name: "zenoss.device.ip_address" value: "10.208.8.32" } details { name: "zenoss.device.production_state" value: "1000" } details { name: "zenoss.device.priority" value: "3" } details { name: "zenoss.device.device_class" value: "/Server/Microsoft/Windows/Myserverdeviceclass/mydomaindeviceclass" } details { name: "esmProfile" value: "systemadminesm" } details { name: "msg_mod" } tags { type: "zenoss.device.device_class" uuid: "7945f8d3-fe34-4e57-8132-90d6e7c15855" uuid: "7de274ff-4b59-458d-b3c4-393aa3db6d6a" uuid: "2b74cbf4-1e78-4402-b764-449a7dd777ce" uuid: "81e1c09d-2bf9-40b7-b398-49631c5b490f" uuid: "19c7b3b4-7907-4700-a201-1195e6eca354" } tags { type: "zenoss.event.event_class" uuid: "df95b75c-9d33-4e31-82b9-e18c5a2e02de" uuid: "e5420ff3-45e3-41b3-92e6-dd381294da09" } status: STATUS_DROPPED first_seen_time: 1500542755653 }

Here are the /App/Zenoss transform error related events in the console.

ValueError: 'File System Filter VirtFile (Version 5.2, \xe2\x80\x8e2011\xe2\x80\x8e-\xe2\x80\x8e10\xe2\x80\x8e-\xe2\x80\x8e25T08:23:22.000000000Z) unloaded successfully.' has type str, but isn't in 7-bit ASCII encoding. Non-ASCII strings must be converted to unicode objects before being added.

I have used this in the / category

import re

StrMatch = re.search('Microsoft-Windows-FilterManager', evt.component)

if StrMatch and device:

evt._action = "drop"

StrMatch1 = re.search('Microsoft-Windows-Kernel-General', evt.component)

if StrMatch1 and device:

evt._action = "drop"

StrMatch2 = re.search('Microsoft-Windows-', evt.component)

if StrMatch2 and device:

evt._action = "drop"

evt.details.esmProfile = 'SYSA'

evt.details.msg_mod = evt.message.replace('\'','')

evt.details.OPASSeverity = evt.severity -1

evt.details.CIName = evt.device

if device and hasattr(device,"titleOrId"):

evt.details.CIName = device.titleOrId()

evt.details.CIName = evt.details.CIName.partition('.')[0]

if device and device.cAccountCode:

evt.details.accountCode = device.cAccountCode

else:

collector = dmd.Devices.findDeviceByIdExact(evt.monitor)

if collector:

evt.details.accountCode = collector.getProperty('cAccountCode')

else:

evt.details.accountCode = 'MyAccountESM'

My question is: If an event is dropped as per the event action, will the rest of the code in the transform execute? I believe no.

This is causing the transform to break and be deactivated time and again.
Need your advise to fix this issue.

ValueError: 'File System Filter VirtFile (Version 5.2, \xe2\x80\x8e2011\xe2\x80\x8e-\xe2\x80\x8e10\xe2\x80\x8e-\xe2\x80\x8e25T08:23:22.000000000Z) unloaded successfully.' has type str, but isn't in 7-bit ASCII encoding. Non-ASCII strings must be converted to unicode objects before being added.


Thank you
Sash