Syslog Parser - How to parse the actual syslog message in the alert?

Started by Millenium7, December 20, 2018, 06:43:41 AM


Millenium7

Have set up a syslog parser that generates an event. Then I created an event processing policy that looks for that event and then triggers an action (in this case, a SLACK notification).

In this case it's a "login failure" message, and the syslog message includes the user account and IP address trying to log in.
I'm getting the notification come through just fine, but it doesn't include the syslog text. I need that to be passed through the event chain so I can see exactly what the message said.

I'm not sure what parameter to add, and where exactly to add it. Do I add it to the Event, the Action, or the Event Processing Policy?


Edit: Never mind, figured it out. It's at the bottom of this page for anyone wondering: https://www.netxms.org/documentation/adminguide/log-monitoring.html

Quote:
> Consider the following line is received via syslog, or added to a monitored file:
>
> 24.04.2015 12:22:15 1 5 system,error,critical login failure for user testUser from 11.2.33.41 via ssh
>
> We can extract username and login method from the syslog message, and pass it as parameters to an event with the following rule:
>
> <match>system,error,critical login failure for user (.*) from .* via (.*)</match>
> <event>10000</event>
>
> Username will be sent to the event as %1, IP address will not be sent, and login method will be sent as %2.

I actually did want to match the IP address so I changed the 'match' field in the syslog parser to "system,error,critical login failure for user (.*) from (.*) via (.*)"

Then I changed the Event Configuration message to "Login Failure: %1 - %2 (%3)"
and the Action to have the text "%n - %m %M", which ultimately results in a message such as the one below when a login attempt fails:

Office Router - Login Failure: SpamUser - 1.2.3.4 (ssh)
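To make the capture-group-to-parameter mapping described in this thread concrete, here is an added example (not NetXMS code, and not from the original post) that runs the poster's final match expression over a constructed copy of the documentation's sample line, fills the event message template "Login Failure: %1 - %2 (%3)" and then the action text. The macro expander is a simplified stand-in for NetXMS's own: it handles only %1..%9, %n (node name) and %m (event message), so the %M macro from the post is left out. STRICT_PATTERN is an assumption of mine, not something the page prescribes; it shows why anchoring the IP group to a dotted quad is safer than (.*), which will happily capture any text that happens to sit between "from" and "via".

```python
import re

# Constructed sample lines, modelled on the one quoted in the thread (not real router output).
SAMPLE_LINE = ("24.04.2015 12:22:15 1 5 system,error,critical login failure "
               "for user testUser from 11.2.33.41 via ssh")
NON_IP_LINE = ("24.04.2015 12:22:16 1 5 system,error,critical login failure "
               "for user testUser from unknown via ssh")

# The match expression the poster ended up using in the syslog parser rule.
MATCH_PATTERN = r"system,error,critical login failure for user (.*) from (.*) via (.*)"

# Assumed tighter variant: no whitespace in user/method, IP must be a dotted quad,
# and the line must end after the method so trailing junk cannot be swallowed.
STRICT_PATTERN = (r"system,error,critical login failure for user (\S+) "
                  r"from (\d{1,3}(?:\.\d{1,3}){3}) via (\S+)$")

# Templates as configured on the page (action text uses %n and %m only; %M omitted here).
EVENT_MESSAGE_TEMPLATE = "Login Failure: %1 - %2 (%3)"
ACTION_TEXT_TEMPLATE = "%n - %m"


def parse_syslog_line(line, pattern=MATCH_PATTERN):
    """Apply the parser rule; return the capture groups (what NetXMS passes as %1, %2, ...)
    or None when the rule does not match the line."""
    m = re.search(pattern, line)
    if not m:
        return None
    return list(m.groups())


def expand_macros(template, params, node_name, event_message=""):
    """Simplified stand-in for macro expansion: %1..%9 -> parameters, %n -> node name,
    %m -> event message. Unknown macros are left untouched. Replacement text is not
    rescanned, so a captured value containing '%n' stays literal."""
    def repl(match):
        token = match.group(1)
        if token.isdigit():
            idx = int(token) - 1
            return params[idx] if 0 <= idx < len(params) else ""
        if token == "n":
            return node_name
        if token == "m":
            return event_message
        return match.group(0)
    return re.sub(r"%(\d|[nm])", repl, template)


def build_notification(line, node_name, pattern=MATCH_PATTERN):
    """Run the whole chain: parser rule -> event message -> action text.
    Returns None if the line does not trigger the event."""
    params = parse_syslog_line(line, pattern)
    if params is None:
        return None
    event_message = expand_macros(EVENT_MESSAGE_TEMPLATE, params, node_name)
    return expand_macros(ACTION_TEXT_TEMPLATE, params, node_name, event_message)


if __name__ == "__main__":
    print(build_notification(SAMPLE_LINE, "Office Router"))
    print(build_notification(NON_IP_LINE, "Office Router"))
    print(build_notification(NON_IP_LINE, "Office Router", STRICT_PATTERN))
```

With the loose pattern the second line still fires the event and reports "unknown" as the IP address, so a notification consumer that expects an address would be fed arbitrary text; with the stricter pattern the line is simply not matched, which is easier to notice when tuning the rule than a silently wrong field.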