Events from syslog parser generated twice

Started by Dani@M3T, January 27, 2014, 07:47:32 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Dani@M3T

January 27, 2014, 07:47:32 PM
I just started with syslog parser for the first time. At the moment I only have 3 rules to start:

<parser>
   <rules>
      <rule>
         <match>.*Due to active connection allowed exceeded.*</match>
         <event params="0">100832</event>
      </rule>
      <rule>
         <match>.*msg=(Administrator|User) (.*) from l2tp has logged in ZyWALL.*</match>
         <event params="2">100833</event>
      </rule>
      <rule>
         <match>.*msg=(Administrator|User) (.*) from l2tp has logged out ZyWALL.*</match>
         <event params="2">100834</event>
      </rule>
   </rules>
   <macros/>
</parser>

The first is ok.
But the 2. and the 3. are always generated twice. But in internal syslog there is only one entry. (see attachments)
My install is V1.2.11 (from sources) on linux.
Thanks for any help.

Victor Kirhenshtein

#1
January 28, 2014, 10:11:08 AM
Looks strange. I'll try your policy on my test system later today.

Best regards,
Victor

Dani@M3T

#2
January 28, 2014, 10:19:45 AM
Hi Victor

Thanks a lot. It looks strange for me too. No hurry in this case ;-)

Dani

Dani@M3T

#3
January 28, 2014, 05:55:03 PM
I have a follow up to this case.
I retested the same situation and double checked it in syslog and in internal log of the node. Now I see the log entries also twice (I don't drink anything  ;).
So they are generated twice by the original device. Definetively not a NetXMS fault. I don't understand why I saw this log entries only once yesterday (as you can see in the printscreen at the original post).....

Does someone has an idea for the log parser to only generate one event altough there are double entries in syslog?

thanks, Dani

Victor Kirhenshtein

#4
January 28, 2014, 07:08:54 PM
You cannot suppress second event from log parser but you can handle duplicate event differently. For example, you can set some custom attribute to the time stamp of received event, and ignore all next events if they are within certain time frame. Actual solution depends on how you are using those events.

Best regards,
Victor

Dani@M3T

#5
January 28, 2014, 07:15:04 PM
So I have to find a solution on level of events and not in the syslog parser. Is that what you mean?

Victor Kirhenshtein

#6
January 28, 2014, 07:20:22 PM
Yes, exactly. I can possibly suggest some if you tell me how you want to use those events.

Best regards,
Victor

Dani@M3T

#7
January 28, 2014, 07:21:55 PM
Hi Victor

Thanks a lot. Thats ok for the moment  :)

thanks, Dani
Print
Go Up Pages1
User actions