TECHZEN Zenoss User Community ARCHIVE  

SyslogProcessing.py regex not matching

Subject: SyslogProcessing.py regex not matching
Author: Amit Kshirsagar
Posted: 2014-03-19 02:05

Hi,

We have an rsyslog server which is forwarding syslogs received from other systems to Zenoss. SyslogProcessing.py does something due to which it shows the device name of the rsyslog server instead of the host which sent that event. When I enabled "parsehost True" in the zensyslog.conf file, it is now showing the month as the device name.

I tried using a new regex, but it's not matching.

PS: these are Force10 switches.

Thanks,
Amit

Original Event: Mar 11 15:02:07: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user rancid on line vty1 (10.10.10.10)

From zensyslog.log file

2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^(P-- (PMARK) --)
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: %(P[^:]+): (P.*)
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^(P.+)\[(P\D+)\] (P\d+) (P.*)
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(P\S+): (P.*)
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: ^\w{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}:\s+(P\S+): %(P\S+\s+%(P\S+)-\d-\S+): *(P.*)
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag regex: %(P(P\S+)-\d-\S+): *(P.*)
2014-03-19 12:29:18,994 DEBUG zen.Syslog: tag match: {'eventClassKey': 'SEC-5-TACACS_ACCESS_ACCEPTED', 'component': 'SEC', 'summary': 'Tacacs access accepted for user "rancid"'}
2014-03-19 12:29:18,995 DEBUG zen.zensyslog: Queued event (total of 32) {'rcvtime': 1395212358.994971, 'firstTime': 1395212358.990218, 'severity': 2, 'facility': 23, 'eventClassKey': 'SEC-5-TACACS_ACCESS_ACCEPTED', 'component': 'SEC', 'agent': 'zensyslog', 'summary': 'Tacacs access accepted for user "rancid"', 'priority': 5, 'manager': 'drdhydws02.hyd.desres.deshaw.com', 'eventGroup': 'syslog', 'device': 'Mar', 'lastTime': 1395212358.990218, 'monitor': 'localhost'}
2014-03-19 12:29:19,001 DEBUG zen.Syslog: host=10.10.11.250, ip=10.10.11.250
2014-03-19 12:29:19,001 DEBUG zen.Syslog: <189> Mar 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user rancid on line vty0 (10.232.15.6)
2014-03-19 12:29:19,001 DEBUG zen.Syslog: fac=23 pri=5
2014-03-19 12:29:19,001 DEBUG zen.Syslog: facility=23 severity=2
2014-03-19 12:29:19,001 DEBUG zen.Syslog: Mar 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user rancid on line vty0 (10.232.15.6)
2014-03-19 12:29:19,001 DEBUG zen.Syslog: parseHEADER hostname=10.10.11.250
2014-03-19 12:29:19,001 DEBUG zen.Syslog: 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user rancid on line vty0 (10.232.15.6)

I am using the following regex:

^\w{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}:\s+(P\S+): %(P\S+\s+%(P\S+)-\d-\S+): *(P.*)
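Added example (not part of the original post and not Zenoss's own code): a Python sketch that reproduces what the debug log above shows, where the colon after the Force10 timestamp defeats the header timestamp match, "Mar" is taken as the device, and a pattern anchored on the month then no longer matches the text that is left. The simplified header parser and the group names (device, eventClassKey, component, summary) are assumptions; the sample line and relay address are taken from the log in the post.

```python
import re

# Constructed sample: the Force10 event quoted in the post, PRI already removed.
RAW = ("Mar 19 07:59:35: swcore-1-1-1: %RPM0-P:CP %SEC-5-LOGIN_SUCCESS: "
       "Login successful for user rancid on line vty0 (10.232.15.6)")

# Assumption: simplified stand-in for a "Mmm dd hh:mm:ss host msg" header
# parser with host parsing enabled; this is not Zenoss's actual code.
TIMESTAMP = re.compile(r"^(\S{3} [\d ]{2} [\d ]{2}:[\d ]{2}:[\d ]{2}) (.*)", re.S)
NOT_HOST = re.compile(r"[\[:]")  # a token containing '[' or ':' is not a hostname


def parse_header(msg, relay):
    """Return (device, remaining message) after header parsing."""
    m = TIMESTAMP.match(msg)
    if m:  # fails here: the Force10 timestamp ends in ':' instead of ' '
        msg = m.group(2).strip()
    first, _, rest = msg.partition(" ")
    if NOT_HOST.search(first):
        return relay, msg  # keep the sender address as the device
    return first, rest     # first token is taken as the hostname


# The poster's pattern with named groups; the group names are assumptions.
FORCE10 = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2}:\s+(?P<device>\S+): "
    r"%(?P<eventClassKey>\S+\s+%(?P<component>\S+)-\d-\S+): *(?P<summary>.*)")


def parse_force10(msg):
    """Return the named groups as a dict, or None when the pattern misses."""
    m = FORCE10.match(msg)
    return m.groupdict() if m else None


if __name__ == "__main__":
    device, rest = parse_header(RAW, relay="10.10.11.250")
    print("device from header parsing:", device)
    print("text handed to tag regexes:", rest)
    print("pattern on raw line:", parse_force10(RAW))
    print("pattern on remainder:", parse_force10(rest))
```
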



Subject: Take a look at this post to
Author: [Not Specified]
Posted: 2014-03-19 08:43

Take a look at this post to see if it helps: http://community.zenoss.org/message/75373

Hydruid


