...
Generic Extensible Parser
In situations where none of the built-in input mechanisms are suitable, you can also use the Generic Extensible Parser, which is the default method for normalisation. Its rules live in conf/EventParserRules.nmis: you can extend the existing parser entries or define your own generic parser rules to integrate just about any text-based log information into opEvents. Your event is expected to end up with all required event properties.

The generic parser is activated per log file through the configuration option opevents_parser_rules in conf/opCommon.nmis; there is one entry for each log file, and it names the 'parser' entry to be used for that file. The parser entries themselves are defined in conf/EventParserRules.nmis.

Here is an excerpt from the generic parser rules example that opEvents ships with. In this case the parser entry (the name used to associate it with certain log files) is called 'cisco_alternate':
'cisco_alternate' => {
    1 => {
        "IF" => qr/%/,                 # no cisco log if no % present
        "THEN" => {
            # match date/time, host and details
            10 => {
                IF   => qr/^(\S+\s+\d+\s+[\d:]+)\s+(\S+)[^%]+%(.+)$/,
                THEN => "capture(date,host,details)",
            },
            # some units have Local instead of hms
            11 => {
                IF   => qr/^(\S+\s+\d+)\s+Local\s+(\S+)[^%]+%(.+)$/,
                THEN => "capture(date,host,details)",
            },
            # match event name, could have done that in one of the regexp above
            20 => {
                IF   => qr/%(\w+\-\d-\w+):/,
                THEN => "capture(event) AND capture(syslog)",   # save this in two places
            },
            '23' => {
                IF   => qr/%BGP-5-ADJCHANGE: neighbor (\d+\.\d+\.\d+\.\d+) Down/,
                THEN => 'capture(element) AND set.event(BGP Neighbor Down) AND set.state(down) AND set.priority(4) AND set.stateful(BGP Neighbor)',
            },
            ...
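To make the rule semantics concrete, the following is an added illustrative re-implementation in Python of how such a rule set is evaluated; it is not opEvents' own code (which is Perl), and the evaluation order, the splitting of THEN strings on AND, and the capture() group-to-property mapping are my reading of the excerpt rather than a documented opEvents API. The 'cisco_alternate' rules above are re-encoded as Python regexes and run against a constructed Cisco-style syslog line.

```python
import re
# Constructed sample Cisco-style syslog line in the shape the 'cisco_alternate' rules expect (not real device output).
SAMPLE_LINE = "Mar 14 10:22:31 core-rtr-01 1234: %BGP-5-ADJCHANGE: neighbor 10.1.1.2 Down Interface flap"

# The page's 'cisco_alternate' excerpt re-encoded as Python regexes; the Perl '23' key becomes an int so rules sort.
CISCO_ALTERNATE = {
    1: {"IF": re.compile(r"%"),                     # no cisco log if no % present
        "THEN": {
            10: {"IF": re.compile(r"^(\S+\s+\d+\s+[\d:]+)\s+(\S+)[^%]+%(.+)$"),
                 "THEN": "capture(date,host,details)"},
            11: {"IF": re.compile(r"^(\S+\s+\d+)\s+Local\s+(\S+)[^%]+%(.+)$"),
                 "THEN": "capture(date,host,details)"},
            20: {"IF": re.compile(r"%(\w+\-\d-\w+):"),
                 "THEN": "capture(event) AND capture(syslog)"},
            23: {"IF": re.compile(r"%BGP-5-ADJCHANGE: neighbor (\d+\.\d+\.\d+\.\d+) Down"),
                 "THEN": "capture(element) AND set.event(BGP Neighbor Down) AND set.state(down) "
                         "AND set.priority(4) AND set.stateful(BGP Neighbor)"},
        }},
}
ACTION_RE = re.compile(r"^(capture|set\.\w+)\((.*)\)$")   # assumed action syntax: capture(a,b) / set.prop(value)

def apply_actions(actions, match, event):
    """Run one THEN string: actions joined by AND; capture() maps regex groups to named properties in order."""
    for action in actions.split(" AND "):
        m = ACTION_RE.match(action.strip())
        if not m:
            raise ValueError(f"unsupported action: {action!r}")   # fail loudly so rule typos surface
        kind, arg = m.groups()
        if kind == "capture":
            for prop, value in zip(arg.split(","), match.groups()):
                event[prop.strip()] = value
        else:
            event[kind[len("set."):]] = arg                     # set.<prop>(value) assigns a literal

def run_rules(rules, line, event=None):
    """Evaluate rules in numeric order; a matching IF runs its THEN (action string or nested rule set)."""
    event = {} if event is None else event
    for _num, rule in sorted(rules.items()):
        match = rule["IF"].search(line)
        if match is None:
            continue                                             # rule 1 gates everything on a '%' being present
        if isinstance(rule["THEN"], dict):
            run_rules(rule["THEN"], line, event)
        else:
            apply_actions(rule["THEN"], match, event)            # later rules overwrite: 23 replaces 'event' set by 20
    return event

if __name__ == "__main__":
    print(run_rules(CISCO_ALTERNATE, SAMPLE_LINE))
```

Note that rule 20 first stores the raw mnemonic in both 'event' and 'syslog', and rule 23 then replaces 'event' with the friendlier name while 'syslog' keeps the original, which is why the excerpt saves it in two places.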
...