|
|
| Subject: | Transform - duplication events |
| Author: | [Not Specified] |
| Posted: | 2014-04-11 04:39 |
Zenoss 4.2.4
I want to merge events with similar information.
For example, there is event : "Accepted password for root from 192.168.1.23 port 57701 ssh2"
Ssh2 uses different ports, but it's not interest for me.
I created new class mapping with next conditions:
rule is emprty;
regex is: "Accepted password for (P
Transform: "evt.summary = "Accepted password for %s from %s" % (evt.login, evt.remotehost)"
After class mapping created, new events gets true class, but events with same "login" and "remotehost" fields don't merge into 1 event. Every new event creates new record.
What should I do
| Subject: | Zenoss designed it that way, |
| Author: | [Not Specified] |
| Posted: | 2014-04-11 13:24 |
Zenoss designed it that way, each "instance" or in your case 'ssh login' creates an unique event. Why do you want to merge those events Events get archived and then eventually dropped, so after "x" days the event will be deleted.
The only real way you could do it, is to drop the new event and modify an existing event, but I wouldn't recommend it.
Hydruid
| Subject: | I want merge instances with |
| Author: | [Not Specified] |
| Posted: | 2014-04-15 02:18 |
I want merge instances with same login and remotehost. Remote port doesn't matter for me.
For example, there are 2 new incoming events:
1 - "Accepted password for root from 192.168.1.23 port 57701 ssh2"
2 - "Accepted password for root from 192.168.1.23 port 58901 ssh2"
After class mapping and transforming summary field is "Accepted password for root from 192.168.1.23"
And dedupid fields are same for those events. But zenoss creates 2 different instances with same dedupid field.
| Subject: | I solved my problem. Solution |
| Author: | [Not Specified] |
| Posted: | 2014-04-21 15:02 |
I solved my problem. Solution was quite simple: when I created class mapping, I changed event status to "history". In this case all incoming events save as unique although the events has same dedupid field.
| < |
Previous Zopectl daemon error |
Next Zenoss not running? |
> |