...
The format is straight-forward: the numeric key controls order of rule application, and the right side is a regular expression that the log entries are matched against.
...
The format is straightforward: the top key allocates a new log format type (here cisco_alternate) which you would use in opevents_logs for your log files. Under that key there are any number of (nested) capture rules, which control what to match in an input and how to copy material to the newly created event. These rules use a format very similar to the Event Actions and Escalation policies: IF defines a regular expression that the log entry has to match, THEN declares what to do in that case, and a successful rule with an optional BREAK statement skips the remaining rules on the same nesting level.
...
- set.propertyname(value) sets the named property to the static value. No quoting of the value is required or supported. The character ")" cannot be part of the value before opEvents 2.2; in 2.2 and above it may only be present if you use the explicit list format for your action statement.
- capture(propname1,propname2,...) saves the respective captures from the regex in the named properties. The captures are assigned in their order in the regular expression; if you want grouping but not capturing, use (?:....) in your regex. Note that you cannot use multiple capture statements in one THEN.
- opEvents version 2.0 introduces the new action ignore. This aborts all parsing of this input line altogether and no event is created for it. Normally the generic parser is expected to extract suitable information for an event from every single input line, which might not work well if your log data is coming from multiple sources or can't be suitably prefiltered.
- In opEvents version 2.2 we've added the directives resolve.fwd(propname) and resolve.rev(propname). The resolve.fwd() directive expects the property to be a DNS name and queries the DNS for an IP address associated with the name; the resolve.rev() directive interprets the property as an IP address and looks for a host name for it. If the resolution is successful, the property value is replaced by the DNS data; otherwise the property is left as-is.
- opEvents 2.2 also adds the new directive plugin(PluginName), which invokes an external parser plugin for further enrichment or modification of the event. This functionality is described in more detail in the next section.
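To make the rule semantics above concrete (numeric key order, IF/THEN/BREAK, nesting, and the set, capture, ignore and resolve directives), here is a small interpreter for them written as an added example. It is not opEvents code: opEvents reads Perl configuration, whereas this models the same rules as Python dicts (a rule's nested rules sit under its own numeric keys, which is an assumption about layout), and the Cisco-style sample lines, the rule set and the stub DNS resolver are all constructed for the example. Note how the action grammar rejects ")" inside a set value and how a second capture in one THEN is refused, both restrictions the documentation states.

```python
import re
import socket

# Added example, not opEvents code: interprets the rule semantics the documentation
# describes over plain Python dicts (assumed layout; opEvents itself uses Perl config).

ACTION_RE = re.compile(
    r"^(?P<kind>set|capture|ignore|resolve\.fwd|resolve\.rev|plugin)"
    r"(?:\.(?P<prop>\w+))?"          # set.<propertyname>
    r"(?:\((?P<args>[^)]*)\))?$"     # unquoted value or name list; a ')' inside breaks parsing
)


def _dns_forward(name):
    return socket.gethostbyname(name)          # DNS name -> IP address


def _dns_reverse(ip):
    return socket.gethostbyaddr(ip)[0]         # IP address -> host name


DEFAULT_RESOLVERS = {"resolve.fwd": _dns_forward, "resolve.rev": _dns_reverse}


def apply_actions(actions, match, event, resolvers):
    """Run one THEN block against the regex match. Returns False if 'ignore' fired."""
    if sum(a.strip().startswith("capture(") for a in actions) > 1:
        raise ValueError("only one capture() statement is allowed per THEN")
    for action in actions:
        m = ACTION_RE.match(action.strip())
        if not m:
            raise ValueError(f"unparseable action: {action!r}")
        kind, prop, args = m.group("kind", "prop", "args")
        if kind == "set":
            event[prop] = args                               # static, unquoted value
        elif kind == "capture":
            names = [n.strip() for n in (args or "").split(",") if n.strip()]
            for idx, name in enumerate(names, start=1):      # same order as the regex groups
                event[name] = match.group(idx)
        elif kind == "ignore":
            return False                                     # no event for this line at all
        elif kind in ("resolve.fwd", "resolve.rev"):
            try:
                event[args] = resolvers[kind](event[args])   # replace property with DNS data
            except (OSError, KeyError):
                pass                                         # lookup failed: leave it as-is
        elif kind == "plugin":
            pass                                             # external plugins not modelled here
    return True


def run_rules(rules, line, event, resolvers):
    """Apply the rules of one nesting level in numeric key order."""
    for key in sorted((k for k in rules if k.isdigit()), key=int):
        rule = rules[key]
        match = re.search(rule["IF"], line)
        if not match:
            continue
        if not apply_actions(rule.get("THEN", []), match, event, resolvers):
            return False
        if not run_rules(rule, line, event, resolvers):      # nested rules under this rule
            return False
        if rule.get("BREAK"):
            break                                            # skip the rest of this level
    return True


def parse_line(line, rules, resolvers=None):
    """Return the event dict built from a log line, or None if a rule ignored it."""
    event = {}
    if not run_rules(rules, line, event, resolvers or DEFAULT_RESOLVERS):
        return None
    return event


# Constructed rule set and sample lines, loosely modelled on Cisco ASA syslog output.
CISCO_ALTERNATE = {
    "10": {"IF": r"%ASA-7-", "THEN": ["ignore"]},            # debug chatter: drop the line
    "20": {
        "IF": r"^(\w{3} +\d+ [\d:]+) (\S+) %ASA-(\d)-(\d+): (.*)$",
        "THEN": ["capture(time,host,severity,msgid,details)", "set.type(cisco_alternate)"],
        "BREAK": True,                                       # matched: rule 30 is skipped
        "1": {
            "IF": r"Deny (\S+) src \S+:(\d+\.\d+\.\d+\.\d+)/\d+",
            "THEN": ["capture(proto,src_ip)", "resolve.rev(src_ip)", "set.priority(high)"],
            "BREAK": True,
        },
        "2": {
            "IF": r"Built (?:inbound|outbound) (\S+) connection",   # (?:...) groups only
            "THEN": ["capture(proto)", "set.priority(low)"],
        },
    },
    "30": {"IF": r".", "THEN": ["set.type(unknown)"]},       # fallback for anything else
}

SAMPLE_LINES = [
    'Jan 12 10:00:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.0.0.5/22 by access-group "outside_in"',
    "Jan 12 10:00:02 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/443 to inside:10.0.0.5/51000",
    "Jan 12 10:00:03 fw01 %ASA-7-711001: debugging chatter",
    "Jan 12 10:00:04 host1 kernel: eth0 link up",
]

# Stub resolver so the example runs offline; pass DEFAULT_RESOLVERS for real DNS lookups.
STUB_RESOLVERS = {
    "resolve.fwd": lambda name: {"scanner.example.net": "203.0.113.7"}[name],
    "resolve.rev": lambda ip: {"203.0.113.7": "scanner.example.net"}[ip],
}


def parse_all(lines=SAMPLE_LINES, rules=CISCO_ALTERNATE, resolvers=STUB_RESOLVERS):
    return [parse_line(line, rules, resolvers) for line in lines]


if __name__ == "__main__":
    for line, event in zip(SAMPLE_LINES, parse_all()):
        print(line[:44], "->", event)
```

Running it shows the deny line turned into an event whose src_ip has been replaced by the resolved host name (exactly the replace-on-success behaviour described for resolve.rev), the "Built" line taking the nested rule 2 path, the debug line producing no event because of ignore, and the kernel line falling through to rule 30 because rule 20 did not match and so its BREAK never applied.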
...