syslog parser rules not working

Started by normalcy, January 16, 2018, 08:31:33 AM


normalcy

Hi, on ver 2.2.2, I have tried setting up a few syslog parser rules with the editor for the internal syslog.

I have one successfully working rule (looking at logins to a Synology DSM). However, any rule I've added since (one for VPN logins and one for UniFi time sync) does not seem to generate an event in the event log.
Have tried:

  • altering the order of the rules
  • clicking "process all"
  • looking at a level 9 debug (the syslog is being seen and added to the database, but no EVENT is generated)
  • restarting the server
  • checking that the custom events are configured to write to the event log
Is there an error in my regex?

<parser trace="9">
   <file/>
   <rules>
      <rule name="L2TP login to routers">
         <match repeatCount="0" repeatInterval="60">^l2tp,ppp,info,account (.*) logged in, (.*)</match>
         <event params="2">100811</event>
         <severity>5</severity>
         <tag>l2tp</tag>
         <description>Trigger a login event when VPN logins to routers occur</description>
      </rule>
      <rule name="Synology Admin Logins">
         <match repeatCount="0" repeatInterval="120">(Connection admin:.*User.*logged in from.*)</match>
         <event params="1">100801</event>
         <severity>64</severity>
         <tag>Connection</tag>
         <description>Trigger Log event when synology admin logins occur</description>
      </rule>
      <rule name="unifi current time not set">
         <match repeatCount="0" repeatInterval="120">(.*current time is not set yet)</match>
         <event params="1">100813</event>
         <severity>5</severity>
         <facility>1</facility>
         <tag>syswrapper</tag>
         <description>Log event when ntp is not updating on unifi devices</description>
      </rule>
   </rules>
   <macros/>
</parser>
syslog format:
16.01.2018 16:20:18 r01.domain.name 1 5 r01.domain.name l2tp l2tp,ppp,info,account USERNAME logged in, IPADDRESS

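To check whether the regexes themselves are at fault, here is an added example (not part of the post or of the parser product) that loads the rules above and runs them against the sample line. It assumes the parser applies each `<match>` to the message body after the seven header fields, that `params` is the number of capture groups handed to the event, and it does not model the severity bitmask, whose encoding the post does not show.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the rules from the post (fields not needed here are omitted).
RULES_XML = """<parser trace="9">
  <rules>
    <rule name="L2TP login to routers">
      <match repeatCount="0" repeatInterval="60">^l2tp,ppp,info,account (.*) logged in, (.*)</match>
      <event params="2">100811</event>
    </rule>
    <rule name="Synology Admin Logins">
      <match repeatCount="0" repeatInterval="120">(Connection admin:.*User.*logged in from.*)</match>
      <event params="1">100801</event>
    </rule>
    <rule name="unifi current time not set">
      <match repeatCount="0" repeatInterval="120">(.*current time is not set yet)</match>
      <event params="1">100813</event>
    </rule>
  </rules>
</parser>"""

# Constructed syslog line in the layout shown in the post: date, time, host, two numbers,
# host, tag, then the message body that the rules are assumed to be matched against.
SAMPLE_LINE = ("16.01.2018 16:20:18 r01.domain.name 1 5 r01.domain.name l2tp "
               "l2tp,ppp,info,account USERNAME logged in, IPADDRESS")


def load_rules(xml_text):
    """Return (name, compiled regex, event id, param count) for each <rule> in the XML."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        event = rule.find("event")
        rules.append((rule.get("name"), re.compile(rule.findtext("match")),
                      event.text, int(event.get("params"))))
    return rules


def message_part(line):
    """Drop the seven header fields (assumed layout); shorter lines are returned unchanged."""
    parts = line.split(" ", 7)
    return parts[7] if len(parts) > 7 else line


def match_rules(line, rules):
    """Return [(rule name, event id, captured params)] for every rule whose regex matches."""
    body = message_part(line)
    hits = []
    for name, regex, event, nparams in rules:
        m = regex.search(body)
        if m:
            # Only the first `params` groups would be passed on to the event.
            hits.append((name, event, m.groups()[:nparams]))
    return hits
```

Running it shows the L2TP rule matching with both parameters captured, so the regex is sound and the problem lies elsewhere in the rule (as the follow-up post confirms). Note the `^` anchor: if the parser matched against the whole line rather than the message body, that rule would never fire.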
normalcy

Just to answer my own question, as usual the problem was PEBKAC.

I had opened the syslog monitor next to the parser window during testing and conflated the severity column in the syslog window with the severity tag in the parser window.

A debug log revealed the match was missing on the severity, and I realised the parser severity is a bit mask and not representative of the syslog window. So a semantic difference with the same name.

Correcting that has the rules working now.

Cheers.