Syslog parser debugging is untestable

Started by mgiammarco, January 03, 2021, 06:59:51 PM


mgiammarco

Hello,
I post in a separate message.
I have this syslog parser rule:

<parser trace="1" name="ceph">
   <macros/>
   <rules>
      <rule name="backup in errore">
         <match repeatCount="0" repeatInterval="1">ERROR: Backup of (.*)</match>
         <event>GIA_BACKUP_ERROR</event>
         <agentAction action=""></agentAction>
      </rule>
      <rule name="eve4pve in errore">
         <match repeatCount="0" repeatInterval="1">eve4pve-barc: (.*)</match>
         <event>GIA_BACKUP_ERROR</event>
         <agentAction action=""></agentAction>
      </rule>
   </rules>
</parser>


The first rule matches correctly. The second rule does not match, but I am pretty sure that the log line starts with "eve4pve-barc:".
I have also tried with process=1.
Can you help me?
Thanks,
Mario

mgiammarco

I also created a new event type for second rule.

mgiammarco

In syslog browser I find all log lines with "eve4pve-barc: %"

Zebble

I'm new to NetXMS but just tried a test and faked a syslog push with your eve4pve-barc: string, and it worked fine.

Mind you, I'm using the dev build of NetXMS (3.7/4.0) so it might have changed.

You may want to do a tcpdump (with the A and/or X option) on the NetXMS server of your port 514 traffic when these packets are coming in and see if there are any special characters that might be messing things up?

And thanks for the question, as it forced me to figure out how Syslog and custom events work in NetXMS.  :)

-Zeb

mgiammarco

You gave me an idea.
I reproduced the exact error message and resent it using "logger" bash utility.
No alarms fired.
So I tried it in another host and this time it works!
It is incredible.
I have tcpdump output; this one from the host called "pvehpbig" works:

05:42:12.998464 IP 10.1.0.4.46393 > mon-netxms.syslog: SYSLOG user.notice, length: 48
        0x0000:  4500 004c 67fa 4000 4011 be5d 0a01 0004  E..Lg.@.@..]....
        0x0010:  0a01 0044 b539 0202 0038 064b 3c31 333e  ...D.9...8.K<13>
        0x0020:  4a61 6e20 2034 2030 363a 3434 3a31 3420  Jan..4.06:44:14.
        0x0030:  7076 6568 7062 6967 2065 7665 3470 7665  pvehpbig.eve4pve
        0x0040:  2d62 6172 633a 2070 726f 7661            -barc:.prova

This one from the host called siippve1 does not work:

05:43:30.834995 IP 10.2.1.240.50964 > mon-netxms.syslog: SYSLOG user.notice, length: 48
        0x0000:  4500 004c 2b24 4000 3c11 fd46 0a02 01f0  E..L+$@.<..F....
        0x0010:  0a01 0044 c714 0202 0038 f1a6 3c31 333e  ...D.....8..<13>
        0x0020:  4a61 6e20 2034 2030 363a 3435 3a33 3220  Jan..4.06:45:32.
        0x0030:  7369 6970 7076 6531 2065 7665 3470 7665  siippve1.eve4pve
        0x0040:  2d62 6172 633a 2070 726f 7661            -barc:.prova

It seems the same message to me!
Mario

mgiammarco

I solved the problem...
... if you do not have the node with the agent installed, the syslog parser receives log messages but it does not generate events!!!!


Zebble

That makes sense!

You don't actually have to have the agent installed, but it does need to be a node in NetXMS.  You should be able to use SNMP and not strictly have to install the agent.  However, the agent does give you a lot more control over the node.
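As an added example (my own Python, not NetXMS code and not written by anyone in this thread), the script below ties the two halves of the thread together: it decodes the two tcpdump -X dumps Mario posted, strips the IPv4 and UDP headers, parses the BSD syslog payload, applies the two regex rules from his parser definition, and then gates event generation on whether the source IP belongs to a registered node, which is the behaviour the thread ends on. The node table, the unanchored-search rule semantics and the event-gating step are assumptions that model the observed behaviour, not NetXMS internals.

```python
import re
import ipaddress

# Constructed sample input: the two tcpdump -X captures from the thread, copied verbatim.
CAPTURE_PVEHPBIG = """
        0x0000:  4500 004c 67fa 4000 4011 be5d 0a01 0004  E..Lg.@.@..]....
        0x0010:  0a01 0044 b539 0202 0038 064b 3c31 333e  ...D.9...8.K<13>
        0x0020:  4a61 6e20 2034 2030 363a 3434 3a31 3420  Jan..4.06:44:14.
        0x0030:  7076 6568 7062 6967 2065 7665 3470 7665  pvehpbig.eve4pve
        0x0040:  2d62 6172 633a 2070 726f 7661            -barc:.prova
"""
CAPTURE_SIIPPVE1 = """
        0x0000:  4500 004c 2b24 4000 3c11 fd46 0a02 01f0  E..L+$@.<..F....
        0x0010:  0a01 0044 c714 0202 0038 f1a6 3c31 333e  ...D.....8..<13>
        0x0020:  4a61 6e20 2034 2030 363a 3435 3a33 3220  Jan..4.06:45:32.
        0x0030:  7369 6970 7076 6531 2065 7665 3470 7665  siippve1.eve4pve
        0x0040:  2d62 6172 633a 2070 726f 7661            -barc:.prova
"""

# The two rules from the thread's <parser> definition: (event name, pattern).
# Assumption: a rule matches when its regex is found anywhere in the message part.
RULES = [
    ("GIA_BACKUP_ERROR", re.compile(r"ERROR: Backup of (.*)")),
    ("GIA_BACKUP_ERROR", re.compile(r"eve4pve-barc: (.*)")),
]

# Hypothetical node table modelling the thread's situation: only pvehpbig is a registered node.
KNOWN_NODES = {"10.1.0.4": "pvehpbig"}

# One tcpdump -X line: offset, then groups of four hex digits, then (after two spaces) ASCII.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} ?)+)")
# BSD syslog payload: <PRI>, "Mmm dd hh:mm:ss", hostname, free-text message.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw packet bytes from tcpdump -X output (ASCII column ignored)."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1))   # fromhex tolerates the spaces between groups
    return bytes(raw)


def parse_udp_datagram(pkt: bytes):
    """Strip the IPv4 and UDP headers; return (source IP, destination port, UDP payload)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("expected an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    src_ip = str(ipaddress.IPv4Address(pkt[12:16]))
    udp = pkt[ihl:ihl + 8]
    dst_port = int.from_bytes(udp[2:4], "big")
    udp_len = int.from_bytes(udp[4:6], "big")      # header (8) + payload
    return src_ip, dst_port, pkt[ihl + 8:ihl + udp_len]


def parse_syslog(payload: bytes) -> dict:
    """Split a BSD-style syslog datagram into PRI, timestamp, hostname and message."""
    m = SYSLOG_RE.match(payload.decode("ascii"))
    if not m:
        raise ValueError("not a BSD syslog message: %r" % payload)
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group(2), "hostname": m.group(3), "message": m.group(4)}


def match_rules(message: str):
    """Return (event, captured group) for the first rule that matches, else (None, None)."""
    for event, rx in RULES:
        m = rx.search(message)
        if m:
            return event, m.group(1)
    return None, None


def process_capture(dump: str, known_nodes=KNOWN_NODES) -> dict:
    """Decode one capture, run the parser rules and apply the node-registration gate."""
    src_ip, dst_port, payload = parse_udp_datagram(hexdump_to_bytes(dump))
    rec = parse_syslog(payload)
    event, arg = match_rules(rec["message"])
    node = known_nodes.get(src_ip)
    return {
        "source_ip": src_ip, "dst_port": dst_port,
        "hostname": rec["hostname"], "message": rec["message"],
        "matched_event": event, "match_arg": arg, "node": node,
        # Modelled behaviour: a rule hit only becomes an event when the sender is a known node.
        "event_generated": event is not None and node is not None,
    }


if __name__ == "__main__":
    for dump in (CAPTURE_PVEHPBIG, CAPTURE_SIIPPVE1):
        r = process_capture(dump)
        print(f'{r["source_ip"]:<12} {r["hostname"]:<9} match={r["matched_event"]} '
              f'node={r["node"]} event_generated={r["event_generated"]}')
```

Both datagrams decode to the identical message "eve4pve-barc: prova" and both hit the second rule, so the regex was never the problem; the only difference the gate sees is that 10.2.1.240 has no node entry. Adding the siippve1 address to the node table (as a second argument to process_capture) flips event_generated to True, which is the fix the thread arrived at.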