April 7th, 2009 05:00
Syslog adapter parsing
Hi,
Recently I tried some ASL scripting to parse a syslog feed from Kiwi into the Smarts Notification List.
Problem is I am not skilled enough in ASL to program it correctly and did a bad implementation of reading the severity of a syslog event.
When you get a Cisco syslog event it is pretty easy to understand how the message is constructed. The downside is I don't know how to extract the severity of the message correctly. Current approach is reading the MESSAGE and extracting the 27th char, which in most cases for Cisco holds the level of severity. So here $level gets the "6". Problem is I haven't found a way that works the same but extracts the "6" from the message based on -6-, that is, what is between the "-" chars.
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP:
My current my-hook-syslog.asl code snippet:
PARSE_MESSAGE {
} do {
// By default use a slice of 100 characters as part of EVENTNAME
slice = substring(MESSAGE, 0, 100);
// Fixed offset: only works when the timestamp prefix has exactly this length
level = substring(MESSAGE, 27, 1);
}
CUSTOM_RULE {
unusedPrefix:rep(notany(":")) ":" /* consume chars up to : */
msgDescription:rep(word) eol
} do {
// Map the Cisco syslog level (0-7) onto the Smarts SEVERITY value
if (level == "1") {
SEVERITY = "1";
} else if (level == "2") {
SEVERITY = "1";
} else if (level == "3") {
SEVERITY = "2";
} else if (level == "4") {
SEVERITY = "3";
} else if (level == "5") {
SEVERITY = "3";
} else if (level == "6") {
SEVERITY = "5";
} else if (level == "7") {
SEVERITY = "5";
}
if (debug) { print(time().ASLNAME."Executing CUSTOM_RULE");}
}
So my question is easy: how can I extract the severity when the level is at a different position, e.g.
%IPV6-6-ACCESSLOGP or %LINK-3-UPDOWN?
Thanks,
Jeroen Tebbens
Dimension Data Netherlands
TCorcoran
April 8th, 2009 11:00
The easiest way to tackle this would be to have a Rule to get your level instead of a substring.
The rule would basically take the message as input and parse out your level.
LEVEL {
input = msg; // msg: the syslog text, i.e. MESSAGE in the hook
pre:rep(notany("-")) "-" /* skip up to and including the first "-" */
level:integer ..eol /* the digit after it is the level; ignore the rest */
} do {
return level;
}
Hope that helps,
- TC
jeroen_tebbens
April 10th, 2009 01:00
Ok let me try that.
Thanks,
Jeroen Tebbens
jeroen_tebbens
April 21st, 2009 03:00
Alright, I got it working now.
Rule code would be:
LEVELS {
input = MESSAGE;
pre:rep(notany("-")) "-" /* skip up to and including the first "-" */
levels:integer ..eol /* the digit after it is the syslog level */
} do {
return levels;
}
And for setting the severity:
CUSTOM_RULE {
unusedPrefix:rep(notany(":")) ":" /* consume chars up to : */
msgDescription:rep(word) eol
} do {
sysloglevel = LEVELS();
if (sysloglevel == "1") {
SEVERITY = "1";
} else if (sysloglevel == "2") {
SEVERITY = "1";
} else if (sysloglevel == "3") {
SEVERITY = "2";
} else if (sysloglevel == "4") {
SEVERITY = "3";
} else if (sysloglevel == "5") {
SEVERITY = "5";
} else if (sysloglevel == "6") {
SEVERITY = "5";
} else if (sysloglevel == "7") {
SEVERITY = "5";
}
if (debug) { print(time().ASLNAME."Executing CUSTOM_RULE");}
}
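The same extraction and mapping as the working rule above, written in Python as an added example (not ASL and not code from the thread) so the behaviour can be checked offline against lines with different timestamp prefixes. The level-0 mapping is my assumption, since the thread never maps it, and the sample lines are constructed.

```python
import re

# Cisco IOS syslog body: optional sequence number, optional timestamp
# ('*' or '.' prefix when the clock is not authoritative), then the
# %FACILITY-SEVERITY-MNEMONIC: tag. Searching for the tag finds the level
# wherever the prefix put it; a fixed substring(MESSAGE, 27, 1) does not.
CISCO_TAG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<level>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Syslog level -> Smarts SEVERITY, copied from the working CUSTOM_RULE above.
# Level 0 (emergencies) is not mapped in the thread; treating it like
# level 1 is an assumption made here.
LEVEL_TO_SEVERITY = {
    "0": "1", "1": "1", "2": "1", "3": "2",
    "4": "3", "5": "5", "6": "5", "7": "5",
}


def parse_cisco_syslog(message):
    """Return a dict with facility, level, mnemonic and text, or None."""
    m = CISCO_TAG.search(message)
    return m.groupdict() if m else None


def smarts_severity(message, default=None):
    """SEVERITY for a Cisco syslog line; `default` when no tag is found."""
    parsed = parse_cisco_syslog(message)
    if parsed is None:
        return default
    return LEVEL_TO_SEVERITY.get(parsed["level"], default)


# Constructed sample lines; the tags are the ones quoted in the thread.
SAMPLES = [
    "*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "10.0.0.5(1025) -> 10.0.0.9(22), 1 packet",
    "000123: .Mar  9 08:15:02.001 UTC: %LINK-3-UPDOWN: Interface "
    "GigabitEthernet0/1, changed state to down",
    "%IPV6-6-ACCESSLOGP: list v6in permitted tcp",
    "kiwi: heartbeat line with no Cisco tag",
]

if __name__ == "__main__":
    for line in SAMPLES:
        p = parse_cisco_syslog(line)
        tag = "%s-%s-%s" % (p["facility"], p["level"], p["mnemonic"]) if p else "(no tag)"
        print("%-22s -> SEVERITY=%s" % (tag, smarts_severity(line, default="unset")))
```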
jeroen_tebbens
April 27th, 2010 06:00
Fixed as written in the last post.
bkuhhirte
April 29th, 2010 09:00
Guys,
It is worth mentioning that the "--traceParse" flag (or equivalently the GA_Driver::trace attribute set to TRUE) can be very helpful in debugging those problems.
It also may be a style question, but partially because of the above I don't use the "rep(notany(""))" structure anymore, as this gets *evil* in the debugging output. An equivalent statement to your ASL using a slightly different syntax might be as follows.
Before:
CUSTOM_RULE {
unusedPrefix:rep(notany(":")) ":" /* consume chars up to : */
msgDescription:rep(word) eol
} do {
After:
CUSTOM_RULE {
delim = ":"; // set the "word" delimited to the ":" character
unusedPrefix:word
msgDescription:rep(word) eol
} do {
--Bill