NetXMS Support Forum

English Support => General Support => Topic started by: normalcy on January 16, 2018, 08:31:33 AM

Title: syslog parser rules not working
Post by: normalcy on January 16, 2018, 08:31:33 AM
Hi, on ver 2.2.2, I have tried setting up a few syslog parser rules with the editor for the internal syslog.

I have one successfully working rule (looking at logins to a synology DSM).  However any rule I've added since (one for VPN logins and one for unifi time sync) does not seem to generate an event in the event log. 
Have tried:
Is there an error in my regex?

<parser trace="9">
   <file/>
   <rules>
      <rule name="L2TP login to routers">
         <match repeatCount="0" repeatInterval="60">^l2tp,ppp,info,account (.*) logged in, (.*)</match>
         <event params="2">100811</event>
         <severity>5</severity>
         <tag>l2tp</tag>
         <description>Trigger a login event when VPN logins to routers occur</description>
      </rule>
      <rule name="Synology Admin Logins">
         <match repeatCount="0" repeatInterval="120">(Connection admin:.*User.*logged in from.*)</match>
         <event params="1">100801</event>
         <severity>64</severity>
         <tag>Connection</tag>
         <description>Trigger Log event when synology admin logins occur</description>
      </rule>
      <rule name="unifi current time not set">
         <match repeatCount="0" repeatInterval="120">(.*current time is not set yet)</match>
         <event params="1">100813</event>
         <severity>5</severity>
         <facility>1</facility>
         <tag>syswrapper</tag>
         <description>Log event when ntp is not updating on unifi devices</description>
      </rule>
   </rules>
   <macros/>
</parser>


syslog format:
16.01.2018 16:20:18 r01.domain.name 1 5 r01.domain.name l2tp l2tp,ppp,info,account USERNAME logged in, IPADDRESS
Title: Re: syslog parser rules not working -- SOLVED
Post by: normalcy on July 12, 2018, 07:53:03 AM
Just to answer my own question, as usual the problem was PEBKAC.

I had opened the syslog monitor next to the parser window during testing and conflated the severity column in the syslog window with the severity tag in the parser window. 

A debug log revealed the match was missing on the severity and I realised the parser severity is a bit mask and not representative of the syslog window.  So a semantic difference with the same name.

Correcting that has the rules working now.

Cheers.
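The severity mismatch described in the two posts above, worked through as an added example (not code from the thread or from NetXMS itself). It emulates a parser rule check in Python and assumes that the parser's <severity> mask uses bit N for syslog severity N (so level 5, notice, is selected by 32) and that <facility> is compared as a plain number; the sample message is constructed from the syslog monitor line in the first post.

```python
import re

# Syslog severity names in numeric order (RFC 5424: 0 = emergency ... 7 = debug).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]


def severity_mask(*levels):
    """Build a parser <severity> mask from numeric syslog levels.
    Assumed mapping: bit N of the mask selects syslog severity N."""
    mask = 0
    for level in levels:
        mask |= 1 << level
    return mask


def mask_levels(mask):
    """Human-readable list of the syslog levels a <severity> mask selects."""
    return [SEVERITIES[n] for n in range(8) if mask & (1 << n)]


def rule_matches(rule, msg):
    """Emulate one parser rule against one message (tag, facility, severity, text).
    Facility is compared as a plain number (assumption); severity via the mask."""
    if rule.get("tag") and rule["tag"] != msg["tag"]:
        return False
    if "facility" in rule and rule["facility"] != msg["facility"]:
        return False
    if not rule["severity"] & (1 << msg["severity"]):
        return False
    return re.search(rule["match"], msg["text"]) is not None


# Constructed message, modelled on the monitor line in the first post:
# facility 1, severity 5 (notice), tag "l2tp".
L2TP_MSG = {"tag": "l2tp", "facility": 1, "severity": 5,
            "text": "l2tp,ppp,info,account USERNAME logged in, IPADDRESS"}

# The rule as posted: <severity>5</severity> copied from the monitor's severity column.
L2TP_RULE_AS_POSTED = {"tag": "l2tp", "severity": 5,
                       "match": r"^l2tp,ppp,info,account (.*) logged in, (.*)"}

# The same rule with severity expressed as a mask that selects level 5 (notice).
L2TP_RULE_FIXED = dict(L2TP_RULE_AS_POSTED, severity=severity_mask(5))

if __name__ == "__main__":
    print("posted severity 5 selects:", mask_levels(5))
    print("as posted matches:", rule_matches(L2TP_RULE_AS_POSTED, L2TP_MSG))
    print("fixed severity", severity_mask(5), "matches:",
          rule_matches(L2TP_RULE_FIXED, L2TP_MSG))
```

Running it shows that a mask of 5 selects emergency and critical only, so the posted rule never fires on a notice-level message, while the mask 32 does; the working Synology rule uses 64, which selects informational.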