I just started with syslog parser for the first time. At the moment I only have 3 rules to start:
<parser>
<rules>
<rule>
<match>.*Due to active connection allowed exceeded.*</match>
<event params="0">100832</event>
</rule>
<rule>
<match>.*msg=(Administrator|User) (.*) from l2tp has logged in ZyWALL.*</match>
<event params="2">100833</event>
</rule>
<rule>
<match>.*msg=(Administrator|User) (.*) from l2tp has logged out ZyWALL.*</match>
<event params="2">100834</event>
</rule>
</rules>
<macros/>
</parser>
The first is ok.
But the 2. and the 3. are always generated twice. But in internal syslog there is only one entry. (see attachments)
My install is V1.2.11 (from sources) on linux.
Thanks for any help.
Looks strange. I'll try your policy on my test system later today.
Best regards,
Victor
Hi Victor
Thanks a lot. It looks strange for me too. No hurry in this case ;-)
Dani
I have a follow up to this case.
I retested the same situation and double checked it in syslog and in internal log of the node. Now I see the log entries also twice (I don't drink anything ;).
So they are generated twice by the original device. Definetively not a NetXMS fault. I don't understand why I saw this log entries only once yesterday (as you can see in the printscreen at the original post).....
Does someone has an idea for the log parser to only generate one event altough there are double entries in syslog?
thanks, Dani
You cannot suppress second event from log parser but you can handle duplicate event differently. For example, you can set some custom attribute to the time stamp of received event, and ignore all next events if they are within certain time frame. Actual solution depends on how you are using those events.
Best regards,
Victor
So I have to find a solution on level of events and not in the syslog parser. Is that what you mean?
Yes, exactly. I can possibly suggest some if you tell me how you want to use those events.
Best regards,
Victor
Hi Victor
Thanks a lot. Thats ok for the moment :)
thanks, Dani