syslog parser

Started by mcc, June 28, 2014, 12:19:45 AM


mcc

Hi,

I'm attempting to create a syslog parser without much success. So far I have:

- Verified syslog messages are being correctly received by the server. I can see many events in the syslog monitor from my devices.
- Created an Event Configuration item with ID 100002
- Created a new syslog parser with the following configuration:

<parser name="">
   <rules>
      <rule>
         <match>LOGIN_FAILED.*</match>
         <event params="0">100002</event>
      </rule>
   </rules>
   <macros/>
</parser>


- Created an Event Processing policy with the following information:
Condition -> Events match 100002
Condition -> Severity Filter all items checked
Action -> Alarm create new alarm with an alarm timeout of 600 seconds

This configuration results in nothing occurring. Any insight into this would be appreciated.

mcc

I couldn't get this working with the built-in syslog server. So, I disabled that and configured the OS syslog server to accept remote connections. I then configured LogWatch on the agent and created a parser file et al.

That setup works without issue for me. Not the cleanest implementation, but certainly doable.

migacz

Hi,
I have a problem with syslog too. NetXMS 1.2.14 on W2K8R2 doesn't catch any syslog messages.