Event does not have an event class key

Discussion:

Event does not have an event class key

Troy Cunningham

2012-11-06 19:30:09 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69723#69723

--------------------------------------------------------------
I've been searching these forums something fierce for a clear and concise solution to this problem. Basically, I have some syslog events that enter into zenoss without an event class key, which does two things: 1) Classifies the event as /unknown and 2) makes it so that you cannot re-classify the event. Now before someone says you should read "Zenoss Event Manager" I can tell you that I've read through the relevant section and understood very little of it. I'm not a zenoss, perl or python guru. Still, I did the research and saw people trying to do regex fixes, or transforms (none of which I could decode for my life) and a lot of people saying those solutions were wrong. So how do you fix this problem?

I am running Zenoss 3.2.1 Community on Ubuntu 10.04.3 LTS (For which there is no release of Zenoss 4.x)

If the incoming syslog message is parsed (and it is) it makes sense to me that we should be able to either a) take another section of the message and create an "event class key" or, assign a default "event class key" to incoming messages that are lacking them. Is this possible? How could I do such a thing (keeping in mind my level of knowledge)?

Thanks,
Troy
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69723#69723]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

jmp242

2012-11-06 19:49:21 UTC

jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69724#69724

--------------------------------------------------------------
You'd have to create a transform, and I don't think it is "wrong", it's just not ideal. Anyway, you'll need to set the transform in the /Unknown class if I recall correctly, and match on something useful in the event, and then change the event class, and whatever else you want. You'll have to do a little python, but it's easy. Of course, without the event details, and environment details such as the event class you want it to end up in, we can't really get more specific.

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69724#69724]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-06 20:04:02 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69725#69725

--------------------------------------------------------------
So let's take a practical example that I'm working on, for a failed authentication to a switch. Here's the syslog message

"10.1.1.1 SSH access by baduser from src IP 10.1.1.2, src MAC afaf.afaf.afaf rejected, 3 attempt(s)"

Ideally to my mind, I would want to create an expression that flags for the word *access* and *rejected*. Should they both exist in the message, then drop it into a class, say /Security/Login/Fail.

What would a transform look like for that?
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69725#69725]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-07 15:57:26 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69745#69745

--------------------------------------------------------------

import re
match = re.search('access' and 'rejected', evt.message)
Â Â Â evt.severity = 4
Â Â Â evt.eventClass = "/Security/Auth/Login/Fail"

Now, I set this in /Unknown and created an event class mapping (called Rejected), and I added the aforementioned bit of code in the transform. That doesn't seem to work for me, and I saw a similar thing in another post, and it didn't work for him either.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69745#69745]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

nilie

2012-11-07 20:28:21 UTC

nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69750#69750

--------------------------------------------------------------
I would suggest you to take a look at event mapping. It will take you a long way before you will be forced to write any transform. In my humble opinion this is one of the best features offered by Zenoss that you will not find in any other NMS.
Here's the steps you should take :
* create an event class for this type of syslog message or use an existing one, it's up to you
* map one of these events to this event class class so you can have something like a template to start with.
* edit the properties of this event class to further customize it according to your needs. You don't need much programming knowledge to do this.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69750#69750]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

nilie

2012-11-07 20:31:23 UTC

nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69751#69751

--------------------------------------------------------------
Sorry, I wanted to say map one of these syslog messages classified as unknown to the event class you created or have chosen.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69751#69751]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-07 20:36:33 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69766#69766

--------------------------------------------------------------
These events can't be mapped out of the box because they lack and "event class key." If you attempt to map it, zenoss will return and error like "1 event does not have an event class key. Created 0 event mappings"
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69766#69766]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

hydruid

2012-11-07 21:12:09 UTC

hydruid [http://community.zenoss.org/people/hydruid] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69767#69767

--------------------------------------------------------------
Troy,

Try This:
1. Click Events -> Event Classes -> Unknown
2. EventClass Mappings -> Add Mapping...
3. ID = Troy-01
4. Click Edit
5. Set Transform = evt.eventClassKey.startswith('First Few Words of Event')
6. Save

Then check to see if the new events have an eventClassKey

Hydruid
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69767#69767]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-08 16:51:20 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69779#69779

--------------------------------------------------------------
Same non-result as the code I posted before.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69779#69779]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

hydruid

2012-11-08 19:09:06 UTC

hydruid [http://community.zenoss.org/people/hydruid] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69781#69781

--------------------------------------------------------------
Try changing the transform to this:

import re

match = re.search('SSH access by baduser', evt.message)
if match and device:
Â Â Â evt.severity = 1
Â Â Â evt.eventClass = "/Security/Auth/Login"
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69781#69781]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-08 19:12:16 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69782#69782

--------------------------------------------------------------
Pretty similar, if I understant correctly, to my first bit of code, with the same results.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69782#69782]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

hydruid

2012-11-08 19:39:04 UTC

hydruid [http://community.zenoss.org/people/hydruid] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69783#69783

--------------------------------------------------------------
Troy,

My apologies I left out part of the code on the transform examle:

import re

match = re.search('SSH access by baduser', evt.message)
if match and device:
Â Â Â evt.severity = 1
Â Â Â evt.eventClassKey = "SSHD"
Â Â Â evt.eventClass = "/Security/Auth/Login"

Another solution would be to modify Zenoss's SyslogProcessing.py to assign a generic EventClassKey to all events that don't have one.

sudo vi /usr/local/zenoss/zenoss/Products/ZenEvents/SyslogProcessing.py

Modify the very bottom to match this:
else:
Â Â Â slog.debug("No eventClassKey assigned")
Â Â Â evt.eventClassKey = "SSHD"
return evt

However I'm not 100% sure that would work
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69783#69783]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-08 20:00:17 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69784#69784

--------------------------------------------------------------
You see, therein lies my problem - the solutions you're proposing make perfect sense to me! But my research has shown that others have done the same thing to get naught. Reclassing the event in the syslogprocessing.py file, made zenoss to fail to get the message at all.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69784#69784]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

hydruid

2012-11-08 20:37:00 UTC

hydruid [http://community.zenoss.org/people/hydruid] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69787#69787

--------------------------------------------------------------
The biggest issue for me is that I don't have or use a syslog server. I'll see what I can do to set one up and test it so my recommendation will 100% sure work.

Give me a day or two :)
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69787#69787]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Doug Syer

2012-11-10 20:20:58 UTC

Doug Syer [http://community.zenoss.org/people/dsyer%40nwnit.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69831#69831

--------------------------------------------------------------
Before it goes unknown if there is no event class key generated, it goes through all the rules / regexes for all the event class mappings named default mapping.

Go into the event class you want to stick the event in and create a mapping called default mapping. For reference look at the one in /ignore.Â Make sure the sequence is lower than the /unknown class, just change the Sequence property of thr mApping you created to be lower. If yiu dont see the sequence number you named it wrong.Â I cant remember if its default_mapping od default mapping but you will see the Correct name of the mapping if you look in /ignore /archive or /unknown.

Once you set the sequence you can either catch thr event via a rule or regex.Â If you want to grab variables from the event summary to do something fancy then there are plent ly of examples out there.

To start, just to test, create a very simple rule on your new default mapping by going to thr rule field and saving:

('SSH access by' in evt.message)
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69831#69831]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

hydruid

2012-11-12 18:13:48 UTC

hydruid [http://community.zenoss.org/people/hydruid] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69857#69857

--------------------------------------------------------------
Troy,

I wanted to let you know that Doug Syer's response was correct, I was able to successfully map a syslog event.

I created a picture tutorial that is a little more clear, than his instructions. http://hydruid-blog.com/?p=84 You can see it here.

Have a good day!

Hydruid
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69857#69857]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Doug Syer

2012-11-12 19:13:03 UTC

Doug Syer [http://community.zenoss.org/people/dsyer%40nwnit.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69862#69862

--------------------------------------------------------------
you only needed to add it to default mapping because there is no event class key.Â sometimes I'll use it if an event source is enumerated somehow, like sql server instances ...

If you have a big enviornment or are short on resources, there is a performance penalty to using default mappings when you dont need to.Â

For a more complex rule, I use rules that look something like this, in order to further limit what types of events will be processed through the rule(for performance)

getattr(evt, 'agent', '') == 'zeneventlog' and any ( x in getattr(evt, 'component','').lower() for x in ["sqlagent", "mssql", "blah", "random windows event source", "random windows event source"])
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69862#69862]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

Troy Cunningham

2012-11-14 16:05:45 UTC

Troy Cunningham [http://community.zenoss.org/people/troy%40rideau.com] created the discussion

"Re: Event does not have an event class key"

To view the discussion, visit: http://community.zenoss.org/message/69912#69912

--------------------------------------------------------------
I tried this and at first it didn't work. I cleared out a whole bunch rules that I made to fix this and I still had problems. I noticed that when I put this under some pre-made subclasses it is problematic, but doing it as Hydruid pointed out worked for me.

Thanks a lot, I hope this helps other people as well!
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/69912#69912]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

17 Replies
1 View
Permalink to this page
Disable enhanced parsing

Thread Navigation

Troy Cunningham 2012-11-06 19:30:09 UTC

jmp242 2012-11-06 19:49:21 UTC

Troy Cunningham 2012-11-06 20:04:02 UTC

Troy Cunningham 2012-11-07 15:57:26 UTC

nilie 2012-11-07 20:28:21 UTC

nilie 2012-11-07 20:31:23 UTC

Troy Cunningham 2012-11-07 20:36:33 UTC

hydruid 2012-11-07 21:12:09 UTC

Troy Cunningham 2012-11-08 16:51:20 UTC

hydruid 2012-11-08 19:09:06 UTC

Troy Cunningham 2012-11-08 19:12:16 UTC

hydruid 2012-11-08 19:39:04 UTC

Troy Cunningham 2012-11-08 20:00:17 UTC

hydruid 2012-11-08 20:37:00 UTC

Doug Syer 2012-11-10 20:20:58 UTC

hydruid 2012-11-12 18:13:48 UTC

Doug Syer 2012-11-12 19:13:03 UTC

Troy Cunningham 2012-11-14 16:05:45 UTC

about - legalese

Loading...