7321 Views, 27 Replies. Latest reply: Apr 27, 2012 8:18 AM by G. Xh.
G. Xh. Rank: White Belt, 30 posts since Mar 22, 2012

Mar 22, 2012 9:07 AM

EventClassKey

Good Day

I'm using Zenoss Core 3.x, and for the Windows clients I'm using the Snare Agent 4.0. Now I can send my events over the syslog protocol, but when I want to match an event to an EventClass, the EventClass is bound to the eventClassKey. Now my eventClassKeys are named like "Name" or "Anmeldung". Is there any way to set the EventClassKey to the same value as the EventID under Windows?

I hope you can help me

greetings

  • Shane Scott ZenossMaster, 1,373 posts since Jul 6, 2009
    2. Mar 26, 2012 11:59 PM (in response to G. Xh.)
    Re: EventClassKey

    G. Xh.:

    Setting the eventClassKey via transform and/or event mapping is possible, but the big problem is that I don't think anyone here uses Snare. Can you post some examples of the syslog entries that aren't matching up well?

    Best,

    --Shane (Hackman238)

  • jcurry ZenossMaster, 1,021 posts since Apr 15, 2008
    5. Apr 11, 2012 10:08 AM (in response to G. Xh.)
    Re: EventClassKey

    Have you pulled my document on Zenoss Event Management? http://community.zenoss.org/docs/DOC-3538 . Section 4 looks at how zensyslog processes incoming syslog messages.  It sounds like it is that initial mapping that is going wrong and it is that that sets the eventClassKey.  It is SyslogProcessing.py in $ZENHOME/Products/ZenEvents that actually parses out the incoming message.

    Another hint is to change the debug level of the zensyslog daemon.  Change the logseverity to Debug to give more info and also set logorig True to log the original incoming message.

    Cheers,

    Jane

  • jcurry ZenossMaster, 1,021 posts since Apr 15, 2008
    7. Apr 11, 2012 11:59 AM (in response to G. Xh.)
    Re: EventClassKey

    You need to look at the paper.  Figure 11 shows the regular expressions that will be tried, in order, to match your original syslog message.  Figure 16 shows how the eventClassKey field is determined.  Usually it gets set to the component attribute (as has happened in your case).  The component attribute generally gets set by the regexes shown in Fig 11.

    Have a look at these and perhaps post the original incoming event that you should now find in $ZENHOME/log/.  You have set the logorig flag to True - you may also need to set the name of this logfile - I would suggest you put it in the same directory as the rest of the Zenoss logs.  Don't forget to recycle zensyslog before these logging changes will take place.

    Cheers,

    Jane

  • nilie Rank: Green Belt, 372 posts since May 27, 2010
    8. Apr 11, 2012 1:30 PM (in response to G. Xh.)
    Re: EventClassKey

    To me it looks like the Snare Agent is not forwarding messages in standard syslog format, so Zenoss is lost trying to map the message. I would suggest trying to pre-process and reformat the message somehow before it is fed to the zensyslog daemon. It might be easier (and cleaner) to do it this way in the good old *nix tradition, since you'll have fewer worries during future upgrades or migrations.

  • jcurry ZenossMaster, 1,021 posts since Apr 15, 2008
    11. Apr 12, 2012 4:21 AM (in response to G. Xh.)
    Re: EventClassKey

    nilie is correct.  It looks like the header isn't being parsed correctly.  I think you have Anmeldung as your component because it is the string preceding a colon (:) and your regex has matched on:

    (?P<component>\S+): (?P<summary>.*)

    Since your Snare panel does seem to have an alternate header option, I would at least start by trying that.

    If this doesn't work, please make sure that you post the logfile with the original message in it, as well as the zensyslog file.

    HTH,

    Jane

  • jcurry ZenossMaster, 1,021 posts since Apr 15, 2008
    14. Apr 26, 2012 11:54 AM (in response to G. Xh.)
    Re: EventClassKey

    You can see that your regex is tried (first) but discarded as the next regex is tried.

    For starters, your native log starts with MSWinEventLog[1] - there is nothing in your regex to match the square brackets (and a square bracket is a metacharacter, so you will need to escape it). Try:

    r"MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)",

    Absolutely no promises...

    Cheers,

    Jane
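Added example, not code from the thread or from Zenoss itself: a miniature of the ordered regex matching the replies describe, run over a constructed Snare-style line, showing why the generic "component: summary" pattern turns "Anmeldung" into the component (and so the eventClassKey), and how a header-aware pattern gets the Windows event ID into the key instead. The Snare regex is adapted from the one Jane proposed (two-digit seconds, greedy event-id field), the sample line is made up, and the component_ntevid key rule is an assumption to check against Figure 16 of the paper and SyslogProcessing.py on your own install.

```python
import re

# Ordered parser list, mirroring how zensyslog tries regexes one after another
# (a miniature; the full list lives in SyslogProcessing.py on a real install).
PARSERS = [
    # Snare-style Windows header, adapted from the regex proposed in the thread
    # (assumption: two-digit seconds and a greedy event-id field).
    r"^MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s"
    r"\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+)\s+(?P<summary>.*)",
    # Generic "component: summary" fallback quoted in the thread.
    r"(?P<component>\S+): (?P<summary>.*)",
    # Last resort: keep the whole message as the summary.
    r"(?P<summary>.*)",
]
COMPILED = [re.compile(p) for p in PARSERS]

# Constructed sample line (the thread's real messages are not on the page).
SAMPLE = ("MSWinEventLog[1]:Security Microsoft-Windows-Security-Auditing "
          "Thu Mar 22 09:07:00 2012 4624 "
          "Anmeldung: Ein Konto wurde erfolgreich angemeldet.")


def parse_message(msg, parsers=COMPILED):
    """Return the named groups of the first regex that matches, plus the
    index of the parser that won, so you can see which rule fired."""
    for idx, rx in enumerate(parsers):
        m = rx.search(msg)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["parser"] = idx
            return fields
    return {"summary": msg, "parser": None}


def build_event_class_key(fields):
    """Assumed rule: with an NT event id present, key on component_ntevid;
    otherwise fall back to the component alone (the thread's symptom)."""
    if "ntevid" in fields:
        return "%s_%s" % (fields["component"], fields["ntevid"])
    return fields.get("component", "")


if __name__ == "__main__":
    # Before: only the generic fallback is tried; component becomes "Anmeldung".
    before = parse_message(SAMPLE, COMPILED[1:])
    print(before, build_event_class_key(before))
    # After: the Snare-aware regex wins and the event id reaches the key.
    after = parse_message(SAMPLE)
    print(after, build_event_class_key(after))
```

Run it against a line copied from the logorig file to check which parser index fires before touching the live list.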
