...
Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.
Create Parser Rules for Syslog
opEvents reads the syslog log file from the path configured in opCommon.json (the syslog_message entry under opevents_logs):
```json
"opevents_logs" : {
  "traplog" : [ "<nmis9_logs>/trap.log" ],
  "nmis_eventlog" : [ "<nmis9_logs>/event.log" ],
  "tivoli_log" : [ "<nmis9_logs>/tivoli.log" ],
  "cisco_compatible" : [ "<nmis9_logs>/cisco.log" ],
  "syslog_message" : [ "<nmis9_logs>/syslog.log" ],
  "winlogd" : [ "<nmis9_logs>/winlogd.log" ]
},
```
When parsing syslog, at least the following properties should be extracted:
- date
- host
- details
- event
- element
- stateful
- state
- priority
...
This article covers the case where a customer wants to customise how the remaining fields are extracted.
Based on the message we selected, we need a regular expression that extracts the date and host, followed by a rule that recognises the message text and sets the event and its priority:
Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.
```json
"syslog_message" : {
  "10" : {
    "IF" : "^(\\w+\\s\\d+\\s\\d+:\\d+:\\d+)\\s(\\w+[-_]\\w+)",
    "THEN" : [
      "capture(date,host)"
    ]
  },
  "11" : {
    "IF" : "Local authentication failed",
    "THEN" : [
      "set.event(Authentication Failed)",
      "set.priority(8)"
    ]
  }
}
```
Rule 10 captures the first two groups of the regular expression into the date and host properties, and rule 11 sets the event name and priority whenever the message text contains "Local authentication failed". Note that the host pattern \w+[-_]\w+ only matches hostnames that contain a hyphen or underscore (such as CNOC-01); a host named without one, e.g. router1, will not have its date and host captured by rule 10, so loosen the pattern if your hosts are named that way. After saving the rules, restart the opeventsd daemon; opEvents will then create an Authentication Failed event for each matching syslog line.
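To see how the two rules above behave on real input before committing them to opEvents, the following Python script replays the same rule chain (an ordered list of IF regex / THEN action pairs, with capture() and set.* semantics) over a few syslog lines. This is an added example written for this article, not code from opEvents or Opmantek; the rule ordering and action semantics mirror the JSON above, the sample lines other than the one on this page are constructed, and the relaxed host pattern (\S+) is a suggested alternative, not something the article prescribes.

```python
import re

# Rule 10 as written in the article: the host group needs a '-' or '_'.
HOST_RULE_STRICT = re.compile(r"^(\w+\s\d+\s\d+:\d+:\d+)\s(\w+[-_]\w+)")
# Assumed alternative: accept any non-blank token as the host name.
HOST_RULE_RELAXED = re.compile(r"^(\w+\s\d+\s\d+:\d+:\d+)\s(\S+)")
# Rule 11: plain substring match on the message text.
EVENT_RULE = re.compile(r"Local authentication failed")


def build_rules(host_pattern):
    """Return the ordered rule chain: (id, IF regex, action, action argument)."""
    return [
        ("10", host_pattern, "capture", ("date", "host")),
        ("11", EVENT_RULE, "set", {"event": "Authentication Failed", "priority": 8}),
    ]


RULES = build_rules(HOST_RULE_STRICT)
RELAXED_RULES = build_rules(HOST_RULE_RELAXED)

# Constructed sample input: line 1 is the message from the article, line 2 is a
# host without a hyphen, line 3 is a successful login that should not raise an event.
SAMPLE_LINES = [
    "Apr 01 16:38:29 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication failed(user: admin): Admin password error.",
    "Apr 01 16:40:02 router1 sshd[2231]: Local authentication failed(user: admin): Admin password error.",
    "Apr 01 16:41:10 CNOC-01 b102ogt: [SYSTEM]<6> Local authentication succeeded(user: admin).",
]


def parse_line(line, rules=RULES):
    """Apply every rule in order and return the properties extracted from one line.

    capture(...) copies the regex groups into the named properties;
    set.<prop>(value) assigns fixed values. Rules are independent: rule 11 can
    set the event even when rule 10 failed to capture date and host.
    """
    props = {}
    for _rule_id, pattern, action, arg in rules:
        match = pattern.search(line)
        if not match:
            continue
        if action == "capture":
            props.update(zip(arg, match.groups()))
        elif action == "set":
            props.update(arg)
    return props


def events_from_log(lines, rules=RULES):
    """Return only the parsed lines that produced an event (what opEvents would raise)."""
    return [p for p in (parse_line(l, rules) for l in lines) if "event" in p]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("strict rules raise", len(events_from_log(SAMPLE_LINES)), "events")
    print("relaxed rules raise", len(events_from_log(SAMPLE_LINES, RELAXED_RULES)), "events")
```

Running it shows that with the article's strict host pattern the second line still becomes an Authentication Failed event but carries no date or host, which is exactly the kind of half-populated event that is hard to act on; the relaxed pattern fills both fields in. Check your own rules the same way against a handful of lines from the real syslog.log before restarting opeventsd.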