Discussion:
How to classify syslog events
Jon Dison
2013-07-23 17:56:57 UTC
Permalink
Jon Dison [http://community.zenoss.org/people/dison4linux] created the discussion

"How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74091#74091

--------------------------------------------------------------
I have several MikroTik routers configured to send their events to Zenoss via syslog.  The messages arrive, but all as Event Class /Unknown, and thus all come in as Error instead of being appropriately categorized as Warning, Info, or Debug.

The XML output of what it looks like in the console is:

<dedupid>MikroTik _Comp44|input|/Unknown|4|in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto TCP (SYN), 70.106.140.95:50302-&gt;50.129.#.##:49576, len 48</dedupid>
<summary>in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto TCP (SYN), 70.106.140.95:50302-&gt;50.129.#.##:49576, len 48</summary>
<message>in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto TCP (SYN), 70.106.140.95:50302-&gt;50.129.#.##:49576, len 48</message>
<prodState>Production</prodState>
<firstTime>2013-07-23 13:51:49</firstTime>
<eventClassKey>input</eventClassKey>
<agent>zensyslog</agent>

Whereas the syslog event itself looks more like

firewall,info denied by firewall input: in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto UDP, 96.120.28.193:67->255.255.255.255:68, len 328

My question is how can I classify these events into a "firewall" category searching for the "firewall," string in the stream?  I'd then like to classify the "firewall" events as Info so people know not to panic when they see them.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/74091#74091]

Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
jmp242
2013-07-23 18:00:31 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74092#74092

--------------------------------------------------------------
Can you use the event mapping procedure to map it appropriately?

--
James Pulver
ZCA Member
CLASSE Computer Group
Cornell University
--------------------------------------------------------------

Jon Dison
2013-07-23 18:06:00 UTC
Jon Dison [http://community.zenoss.org/people/dison4linux] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74093#74093

--------------------------------------------------------------
I'd assume so.  I've found several examples and explanations on how to set up event mappings, but I can't seem to follow them well enough to adapt the example to meet my needs.  Can someone give me a little step-by-step, knowing that what we're trying to match on would be the "firewall,info" string at the beginning of the message?
--------------------------------------------------------------

jmp242
2013-07-23 18:30:13 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74094#74094

--------------------------------------------------------------
Does the event show up in /Unknown in the Event console? If so, just click on one of them, click on the candlestick / mapping icon, create a mapping to the event class you want...  close existing events and see if that works.

--
James Pulver
ZCA Member
CLASSE Computer Group
Cornell University
--------------------------------------------------------------

Jon Dison
2013-07-24 01:13:33 UTC
Jon Dison [http://community.zenoss.org/people/dison4linux] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74111#74111

--------------------------------------------------------------
That works for some things, but some of the events come over where there's nothing in the "Component" field and thus the candlestick/mapping wizard refuses to add the rule.

The first word of the string is always the alert level (warning, debug, info, error, etc.).  I don't understand why it's so difficult to preserve that.  Zenoss seems to mangle the message in an unpredictable manner.  If you look at the beginning of my post you can see that the first 6 words of the message do not show in the output, and I'm having a hard time figuring out why.

I'm used to syslog servers such as Splunk where the messages just come through as they are and the severity is read from the beginning of the message.
--------------------------------------------------------------

Jon Dison
2013-07-24 01:56:32 UTC
Jon Dison [http://community.zenoss.org/people/dison4linux] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74113#74113

--------------------------------------------------------------
After more reading I'm now under the understanding that I need a line in the SyslogProcessing.py script that matches the syntax of how my messages come across from the MikroTik.  Are there any guides out there on how to do this without learning python from scratch?

An example line for a Cisco device is:

r"%(?P<eventClassKey>(?P<component>\S+)-\d-\S+): *(?P<summary>.*)",


So I need to figure out how to modify that to make it work for my messages that come across like:

subsystem,level message

where subsystem in my example = firewall
where level in my example = info
where message in my example describes the traffic being blocked by the firewall

so the delimiters are the comma (,) and the space ( )

which should be pretty straightforward for a python guru, I would think
--------------------------------------------------------------

jmp242
2013-07-24 12:57:29 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74116#74116

--------------------------------------------------------------
It's actually just using a regex, though I'm not really a python guru. It also looks like it's not getting the severity there... I don't think there is such a guide..

--
James Pulver
ZCA Member
CLASSE Computer Group
Cornell University
--------------------------------------------------------------

Rob Eagle
2013-07-24 13:03:43 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74105#74105

--------------------------------------------------------------
Jon,
I have recently had to do this same procedure for our Brocade devices.  To start, I would turn on debug for your syslog daemon (zensyslog debug) and find the actual message in your zensyslog.log. It should look something like this, with the "No matching parser" message in the line:

2013-06-12 11:58:18,988 INFO zen.Syslog: No matching parser: 'xx.xx.xx.xx LB-HO-INT-T1, L4 server 1.1.1.1 web1 port 443 is down due to healthcheck'

If you post that back here, I can show you how to write the regex if you want.
--Rob
--------------------------------------------------------------

Jon Dison
2013-07-24 13:32:56 UTC
Jon Dison [http://community.zenoss.org/people/dison4linux] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74118#74118

--------------------------------------------------------------
Here's what an entry looks like in the log with debug set.  See my original post for what the actual syslog message looks like for a similar event.

2013-07-24 09:30:59,936 DEBUG zen.zensyslog: Queued event (total of 2) {'count': 2, 'rcvtime': 1374672659.936806, 'firstTime': 1374672659.113021, 'severity': 4, 'facility': None, 'eventClassKey': u'input', 'component': 'input', 'agent': 'zensyslog', 'summary': 'in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto UDP, 96.120.28.193:67->255.255.255.255:68, len 328', 'priority': 3, 'manager': 'zenoss.comp44.com', 'eventGroup': 'syslog', 'device': '10.0.71.1', 'lastTime': 1374672659.932637, 'ipAddress': '10.0.71.1', 'monitor': 'localhost'}
--------------------------------------------------------------

Rob Eagle
2013-07-24 13:35:30 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74106#74106

--------------------------------------------------------------
Jon,
Did you not see the line for "no parser found"?  This doesn't look like the original message that is coming in, but the event that Zenoss is sending up after trying to process it?
--Rob
--------------------------------------------------------------

Jon Dison
2013-07-24 13:39:11 UTC
Jon Dison [http://community.zenoss.org/people/dison4linux] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74119#74119

--------------------------------------------------------------
Yeah, I've got a few of those too, but the one above is incorrectly parsed, so I'd like to learn how to change it.

2013-07-23 11:26:59,419 INFO zen.Syslog: No matching parser: 'system,info log action changed by admin'
2013-07-23 12:31:42,755 INFO zen.Syslog: No matching parser: 'system,info,account user admin logged in from 10.0.71.111 via ssh'
2013-07-23 13:36:16,365 INFO zen.Syslog: No matching parser: 'MikroTik [Comp44] log action changed by admin'
2013-07-23 13:40:20,459 INFO zen.Syslog: No matching parser: 'MikroTik [Comp44] log action changed by admin'
2013-07-23 13:40:30,092 INFO zen.Syslog: No matching parser: 'MikroTik [Comp44] log action changed by admin'
2013-07-23 13:44:15,711 INFO zen.Syslog: No matching parser: 'system,info log action changed by admin'
2013-07-23 14:11:53,500 INFO zen.Syslog: No matching parser: 'pptp,info TCP connection established from 123.151.149.222'
2013-07-23 14:43:48,499 INFO zen.Syslog: No matching parser: 'dhcp,info 71_Desktop_DHCP deassigned 10.0.71.114 from F0:4F:7C:5F:AF:98'
2013-07-23 14:48:37,956 INFO zen.Syslog: No matching parser: 'system,info filter rule changed by admin'
2013-07-23 17:30:40,194 INFO zen.Syslog: No matching parser: 'dhcp,info 71_Desktop_DHCP assigned 10.0.71.114 to F0:4F:7C:5F:AF:98'
2013-07-23 18:13:13,415 INFO zen.Syslog: No matching parser: 'pptp,info TCP connection established from 123.151.149.222'
2013-07-23 18:27:28,372 INFO zen.Syslog: No matching parser: 'dhcp,info 71_Desktop_DHCP deassigned 10.0.71.194 from 10:9A:DD:BE:BF:4E'
2013-07-23 18:42:51,751 INFO zen.Syslog: No matching parser: 'dhcp,info 71_Desktop_DHCP assigned 10.0.71.194 to 10:9A:DD:BE:BF:4E'
2013-07-23 19:47:11,607 INFO zen.Syslog: No matching parser: 'dhcp,info 71_Desktop_DHCP deassigned 10.0.71.193 from 90:18:7C:45:5C:C1'
2013-07-23 20:29:43,683 INFO zen.Syslog: No matching parser: 'dhcp,info 71_Desktop_DHCP assigned 10.0.71.193 to 90:18:7C:45:5C:C1'
2013-07-23 21:37:26,298 INFO zen.Syslog: No matching parser: 'system,info,account user admin logged out from 10.0.71.111 via ssh'
2013-07-23 22:16:56,407 INFO zen.Syslog: No matching parser: 'pptp,info TCP connection established from 123.151.149.222'
--------------------------------------------------------------

Rob Eagle
2013-07-25 14:11:55 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74144#74144

--------------------------------------------------------------
Jon,
Sorry, I have been swamped with the job.  So, assuming your syslog is coming in like this log (the HL200302 is the device that sent the syslog; Zenoss added this), you will probably want to verify by turning on debug:

2013-07-25 09:04:13,247 DEBUG zen.Syslog: HL200302 firewall,info denied by firewall input: in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto UDP, 96.120.28.193:67->255.255.255.255:68, len 328

You can add the 4th and 5th lines to your SyslogProcessing.py in the same spot:

# generic mark
r"^(?P<summary>-- (?P<eventClassKey>MARK) --)",

# Jon's Parser
r"^(?:.*)(?P<component>firewall)(?:,)(?P<summary>.*)(?:,\slen\s\d)",

# Cisco UCS

The event that is sent up looks like this:
2013-07-25 09:04:13,252 DEBUG zen.zensyslog: Queued event (total of 1) {'rcvtime': 1374761053.251883, 'firstTime': 1374761053.238079, 'severity': 2, 'facility': 5, 'eventClassKey': u'firewall', 'component': 'firewall', 'agent': 'zensyslog', 'summary': 'info denied by firewall input: in:ether1 out:(none), src-mac 00:01:5c:50:b2:41, proto UDP, 96.120.28.193:67->255.255.255.255:68', 'priority': 6, 'manager': 'x1appxxx', 'eventGroup': 'syslog', 'originalTime': 'Jul 25 09:04:13', 'device': 'hl200302', 'lastTime': 1374761053.238079, 'ipAddress': '1.1.1.1', 'monitor': 'localhost'}


Attaching the event console snapshot.
I am not sure this is exactly what you were asking for?  firewall as component and the rest the summary?
--Rob
--------------------------------------------------------------

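A worked version of the parsing Rob and Jon are describing, as an added example that is not code from this thread or from Zenoss itself: it assumes MikroTik lines have the shape "topic[,topic...] message", takes the first topic as component/eventClassKey, maps whichever topic is a log level to a Zenoss severity number, and runs over constructed samples shaped like the "No matching parser" lines posted above. The severity step is kept separate because, as jmp242 noted, the SyslogProcessing.py regex only fills the named groups (component, eventClassKey, summary) and does not set severity.

```python
import re

# Zenoss event severities: Critical 5, Error 4, Warning 3, Info 2, Debug 1.
LEVEL_TO_SEVERITY = {"critical": 5, "error": 4, "warning": 3, "info": 2, "debug": 1}

# Assumed MikroTik shape (an assumption of this example, not Zenoss code):
# "topic[,topic...] message".  The comma-separated topics carry the subsystem
# (first topic) and the log level (one of the topics); the message follows
# the first space.
MIKROTIK_RE = re.compile(r"^(?P<topics>[A-Za-z][\w-]*(?:,[\w-]+)*)\s+(?P<summary>.+)$")

# Constructed samples, in the form the raw message has after
# "No matching parser:" in zensyslog.log.
SAMPLE_MESSAGES = [
    "firewall,info denied by firewall input: in:ether1 out:(none), "
    "src-mac 00:01:5c:50:b2:41, proto UDP, 96.120.28.193:67->255.255.255.255:68, len 328",
    "system,info,account user admin logged in from 10.0.71.111 via ssh",
    "dhcp,info 71_Desktop_DHCP assigned 10.0.71.114 to F0:4F:7C:5F:AF:98",
    "system,error,critical something failed",          # two level topics
    "MikroTik [Comp44] log action changed by admin",    # no topic prefix
]


def parse_mikrotik(message):
    """Return the fields a SyslogProcessing parser would fill, plus a severity
    derived from the level topic; None if the line is not of this shape."""
    m = MIKROTIK_RE.match(message)
    if not m:
        return None
    topics = m.group("topics").split(",")
    # Use the most severe level present; lines without any level topic are
    # left for other parsers rather than being forced into this one.
    levels = [LEVEL_TO_SEVERITY[t] for t in topics if t in LEVEL_TO_SEVERITY]
    if not levels:
        return None
    return {
        "component": topics[0],         # e.g. firewall, system, dhcp
        "eventClassKey": topics[0],     # lets an event mapping key on the subsystem
        "severity": max(levels),
        "summary": m.group("summary"),  # message text, "len ..." kept intact
    }


def parse_all(messages=SAMPLE_MESSAGES):
    """Parse each message; unmatched ones come back as None so they stay visible."""
    return [parse_mikrotik(msg) for msg in messages]


if __name__ == "__main__":
    for msg, evt in zip(SAMPLE_MESSAGES, parse_all()):
        print(msg[:40].ljust(42), evt)
```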
hydruid
2013-07-24 18:15:26 UTC
hydruid [http://community.zenoss.org/people/hydruid] created the discussion

"Re: How to classify syslog events"

To view the discussion, visit: http://community.zenoss.org/message/74110#74110

--------------------------------------------------------------
Take a look at this post; it shows you how to create a Transform for unknown syslog events in Zenoss:

http://hydruid-blog.com/?p=66
--------------------------------------------------------------
