Subject: SyslogProcessing.py regex not matching
Author: Amit Kshirsagar
Posted: 2014-03-19 02:05
Hi,
We have an rsyslog server which is forwarding syslogs received from other systems to Zenoss. SyslogProcessing.py does something due to which it shows the device name of the rsyslog server instead of the host which sent that event. When I enabled "parsehost True" in the zensyslog.conf file, it is now showing the month as the device name.
I tried using a new regex, but it's not matching.
PS: these are Force10 switches.
Thanks,
Amit
Original Event: Mar 11 15:02:07: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user rancid on line vty1 (10.10.10.10)
From the zensyslog.log file:
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^(P
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: %(P
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^(P
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(P
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^\w{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}:\s+(P
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: %(P
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag match: {'eventClassKey': 'SEC-5-TACACS_ACCESS_ACCEPTED', 'component': 'SEC', 'summary': 'Tacacs access accepted for user "rancid"'}
2014-03-19 12:29:18,995 DEBUG zen.zensyslog: Queued event (total of 32) {'rcvtime': 1395212358.994971, 'firstTime': 1395212358.990218, 'severity': 2, 'facility': 23, 'eventClassKey': 'SEC-5-TACACS_ACCESS_ACCEPTED', 'component': 'SEC', 'agent': 'zensyslog', 'summary': 'Tacacs access accepted for user "rancid"', 'priority': 5, 'manager': 'drdhydws02.hyd.desres.deshaw.com', 'eventGroup': 'syslog', 'device': 'Mar', 'lastTime': 1395212358.990218, 'monitor': 'localhost'}
2014-03-19 12:29:19,001 DEBUG zen.Syslog: host=10.10.11.250, ip=10.10.11.250
2014-03-19 12:29:19,001 DEBUG zen.Syslog: <189> Mar 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user rancid on line vty0 (10.232.15.6)
2014-03-19 12:29:19,001 DEBUG zen.Syslog: fac=23 pri=5
2014-03-19 12:29:19,001 DEBUG zen.Syslog: facility=23 severity=2
2014-03-19 12:29:19,001 DEBUG zen.Syslog: Mar 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user rancid on line vty0 (10.232.15.6)
2014-03-19 12:29:19,001 DEBUG zen.Syslog: parseHEADER hostname=10.10.11.250
2014-03-19 12:29:19,001 DEBUG zen.Syslog: 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user rancid on line vty0 (10.232.15.6)
I am using the following regex:
^\w{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}:\s+(P
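An added example, not part of the original post and not Zenoss code: the debug output above ends with `'device': 'Mar'` and a remaining message that starts at `19 07:59:35:`, which is what a "first token is the host" rule produces on this header. The sketch below parses the Force10 layout (timestamp with a trailing colon, then `host:`) and keeps the relay address when the header is not recognised; the function names, the regexes and the `relay_ip` parameter are assumptions made for illustration.

```python
import re

# Constructed samples modelled on the two Force10 lines quoted in the post.
SAMPLES = [
    "<189> Mar 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: "
    "Login successful for user rancid on line vty0 (10.232.15.6)",
    "Mar 11 15:02:07: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGOUT: "
    "Exec session is terminated for user rancid on line vty1 (10.10.10.10)",
]

PRI = re.compile(r"^<(?P<pri>\d{1,3})>\s*")
# Timestamp followed by a colon, then "host:", then the rest of the message.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2}):\s+"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9._-]*):\s+(?P<rest>.*)$"
)
# First "%COMPONENT-SEVERITY-MNEMONIC:" tag; "%RPM0-P:CP" has no digit and is skipped.
TAG = re.compile(
    r"%(?P<component>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<summary>.*)$"
)


def naive_first_token(line):
    """Host as a 'first whitespace-separated token' rule would pick it."""
    return PRI.sub("", line).split()[0]


def parse_force10(line, relay_ip):
    """Return event fields; keep the relay address when the header is unknown."""
    event = {"device": relay_ip}
    m = PRI.match(line)
    if m:
        pri = int(m.group("pri"))
        event["facility"], event["priority"] = pri >> 3, pri & 7
        line = line[m.end():]
    h = HEADER.match(line)
    if h is None:
        return event  # do not guess a host from an unrecognised header
    event["device"] = h.group("host")
    t = TAG.search(h.group("rest"))
    if t:
        event["component"] = t.group("component")
        event["eventClassKey"] = "-".join(t.group("component", "sev", "mnemonic"))
        event["summary"] = t.group("summary")
    return event


if __name__ == "__main__":
    for sample in SAMPLES:
        print(naive_first_token(sample), "->", parse_force10(sample, "10.10.11.250"))
```

Attributing events to the originating switch rather than to the relay or to a parsing artefact such as `Mar` is what keeps per-device login and logout events usable for later correlation.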
Subject: Take a look at this post to
Author: [Not Specified]
Posted: 2014-03-19 08:43
Take a look at this post to see if it helps: http://community.zenoss.org/message/75373
Hydruid