I have some syslog logs coming into Zenoss that I want to setup some alerts for. Right now all syslog comes in with the event class /Unknown, I want to be able to change that depending on what log comes in and possibly change the summary field. For instance I have logs that come in with a long string and in the middle it tells you what the event is (SSH Fail) and there are different ones, I would like that to just be the summary and not all the other text and depending on the summary name change the event class.
Any help is appreciated
Kinda new, but think first you will need to reclassify your events (probably pretty easy, since the eventclasskeys are pretty unique for syslogs).
After the event is mapped, you would then use the transform (+ some regex) to transform the summary of the event, which again might not be too bad for syslogs, since the summaries are pretty standard.
Would also download Jane Curry's event management document, to help understand how events are created/modified:
Hey, thanks for the reply. I have tried mapping it from /Unknown to something a little better and more descriptive for my liking but haven't had much luck. Do you know the basic steps to do that? I think I am getting something wrong or missing a step.
Mapping's pretty easy: just select the event and then hit the little tree/directory icon in the upper left of the event pane (that is "reclassify an event") and select the event class you want to associate it with (or, if you want to create your own event class, go to Event Classes, create one, then go back and follow the same procedure).
So let's say you have a syslog event with LINK-5-CHANGED as the eventclasskey. Once you map/reclassify that event to an event class, all new events with that key (in your case syslog events) will automatically be mapped to that same event class instead of /Unknown.
Now within that event class you just mapped, you can transform the event summary to about anything.
Make more sense?
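As an added illustration of the two steps described above (reclassify, then transform the summary with a regex), here is a small Python example in the shape of a Zenoss event-class transform. It is not code from the original thread or from Zenoss itself. The `Event` class is a constructed stand-in for the `evt` object a real transform receives, the short event names, the regex and the target event classes (`/Security/Login/Fail` and so on) are assumptions, and the sample syslog lines are constructed. Note that the UI reclassify button keys on `eventClassKey`, which zensyslog only fills in when one of its parsers matches the message; a transform like this one keys on the summary text instead, so it still works for messages that arrive with an empty key.

```python
import re


class Event(object):
    """Constructed stand-in for the Zenoss `evt` object a transform mutates."""

    def __init__(self, summary, eventClass="/Unknown", eventClassKey="", severity=3):
        self.summary = summary
        self.eventClass = eventClass
        self.eventClassKey = eventClassKey  # empty when no syslog parser matched
        self.severity = severity


# Regex that pulls the short event name out of the middle of a long syslog
# summary. The names themselves are assumptions; the original post only says
# the name sits somewhere in the middle of the line.
EVENT_NAME_RE = re.compile(r"\b(SSH Fail|SSH Success|Login Fail)\b")

# Short name -> (event class to assign, severity). Classes are assumptions.
EVENT_MAP = {
    "SSH Fail": ("/Security/Login/Fail", 4),
    "Login Fail": ("/Security/Login/Fail", 4),
    "SSH Success": ("/Security/Login", 2),
}


def transform(evt):
    """Replace evt.summary with the short event name and set class/severity.

    Mirrors what a Zenoss transform does: it edits the attributes of `evt`
    in place. Returns True when a known name was found, False otherwise, in
    which case the event is left exactly as it arrived.
    """
    m = EVENT_NAME_RE.search(evt.summary)
    if not m:
        return False
    name = m.group(1)
    klass, sev = EVENT_MAP[name]
    evt.summary = name
    evt.eventClass = klass
    evt.severity = sev
    return True


# Constructed sample messages shaped like long syslog lines with the event
# name buried in the middle; the third one carries no recognised name.
SAMPLES = [
    "Jan 12 10:14:02 gw01 auth: user=bob src=10.0.0.5 result=SSH Fail attempt=3 module=pam",
    "Jan 12 10:14:09 gw01 auth: user=bob src=10.0.0.5 result=SSH Success module=pam",
    "Jan 12 10:15:00 gw01 kernel: eth0 link up",
]


def run_samples():
    """Apply the transform to each sample; return (summary, class, severity)."""
    results = []
    for line in SAMPLES:
        evt = Event(line)
        transform(evt)
        results.append((evt.summary, evt.eventClass, evt.severity))
    return results


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

In Zenoss only the body of `transform` (the part that reads and assigns `evt.*`) would be pasted into the Transform field of the event class; the regex and the map table are the pieces to adjust to whatever text the real messages carry.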
Yeah, definitely makes more sense, thanks. I just tried clicking on an event that has /Unknown, then clicking reclassify and selecting the new mapping, but I am getting an error: "1 event does not have an event class key. Created 0 event mappings".
Looks like the syslog events are getting processed correctly. Would repost with your Zenoss version and maybe some of the core team can take a look. Did find this post (there are many out there with the same error), but this one at least gives you some options on trying to resolve it yourself:
Using version 3.2.1, and thanks for the link, I am checking it out now and trying... I did look at the zensyslog log file and it does say "no matching parser", so there is definitely a problem in there as well.
So I have taken a look at the paper and the other forum post and I am still a bit lost. I am able to do the mapping with general syslog messages coming in from rsyslog and that works, but not with the events I need to. I have a feeling it's a parsing issue; I am just not sure where to go from here to fix it.
Copyright © 2005-2011 Zenoss, Inc.