Sean Mueller
2013-11-27 22:03:57 UTC
Sean Mueller [http://community.zenoss.org/people/smueller] created the discussion
"syslog parser for Adtran opti-6100 LMX"
To view the discussion, visit: http://community.zenoss.org/message/75354#75354
--------------------------------------------------------------
I have a zenoss 4.2.3 system setup to receive syslog alerts from an Adtran opti-6100 LMX system. The messages are received, and appear in the zenoss event console, however, they are not being parsed correctly, and each message is being created as a new event, instead of repeat messages just adding to the counter field. In the zensyslog.log file I see the following for each message with debugs on. There is an ADTRAN regex, but its not matching for some reason, and the parser is not able to read the message. Any way to fix this?
2013-11-27 15:57:33,578 DEBUG zen.zensyslog: Queued event (total of 3) {'rcvtime': 1385589453.578764, 'firstTime': 1385589453.570585, 'severity': 3, 'facility': 1, 'agent': 'zensyslog', 'summary': 'Nov 27 2013 15:57:40 192.168.13.20 19979,55487,11/27/13,15:57,OMM-48L,1-HS1-S12-1-3-1-20,Alert,RFI-V,0,0,0', 'priority': 4, 'manager': 'monitor.xitcomm.lan', 'eventGroup': 'syslog', 'device': '192.168.13.20', 'lastTime': 1385589453.570585, 'ipAddress': '192.168.13.20', 'monitor': 'localhost'}
2013-11-27 15:57:33,594 DEBUG zen.Syslog: host=192.168.13.20, ip=192.168.13.20
2013-11-27 15:57:33,595 DEBUG zen.Syslog: <10>Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0
2013-11-27 15:57:33,595 DEBUG zen.Syslog: fac=1 pri=2
2013-11-27 15:57:33,595 DEBUG zen.Syslog: facility=1 severity=5
2013-11-27 15:57:33,596 DEBUG zen.Syslog: Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0
2013-11-27 15:57:33,596 DEBUG zen.Syslog: Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0
2013-11-27 15:57:33,596 DEBUG zen.Syslog: tag regex: ^(?P<summary>-- (?P<eventClassKey>MARK) --)
2013-11-27 15:57:33,596 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: (?P<eventClassKey>[^:]+): (?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: %(?P<eventClassKey>(?P<component>\S+)-\d-\S+): *(?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: ^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)
2013-11-27 15:57:33,598 DEBUG zen.Syslog: tag regex: ^\[[^:]+: (?P<component>[^:]+)[^\]]+\]: (?P<summary>.*)
2013-11-27 15:57:33,598 DEBUG zen.Syslog: tag regex: (?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)
2013-11-27 15:57:33,598 DEBUG zen.Syslog: tag regex: (?P<component>\S+): (?P<summary>.*)
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^(?P<deviceModel>[^\[]+)\[(?P<deviceManufacturer>ADTRAN)\]:(?P<component>[^\|]+\|\d+\|\d+)\|(?P<summary>.*)
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^date=.+ (?P<summary>devname=.+ log_id=(?P<eventClassKey>\d+) type=(?P<component>\S+).+)
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^(?P<component>\S+)(\.|\s)[A-Z]{3} \d \S+ \d\d:\d\d:\d\d-\d\d:\d\d:\d\d \d{5} \d{2} \d{5} \S+ \d{4} \d{3,5} (- )*(?P<summary>.*) \d{4} \d{4}
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^Process (?P<process_id>\d+), Nbr (?P<device>\d+\.\d+\.\d+\.\d+) on (?P<interface>\w+/\d+) from (?P<start_state>\w+) to (?P<end_state>\w+), (?P<summary>.+)
2013-11-27 15:57:33,600 DEBUG zen.Syslog: tag regex: ^\d+ \d+\/\d+\/\d+ \d+:\d+:\d+\.\d+ SEV=\d+ (?P<eventClassKey>\S+) RPT=\d+ (?P<summary>.*)
2013-11-27 15:57:33,600 DEBUG zen.Syslog: tag regex: ^\d+:\d+:(?P<component>[^:]+):\d+-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+:[^:]+:\d+:\w+:(?P<eventClassKey>[^:]+):(?P<summary>.*)
2013-11-27 15:57:33,600 DEBUG zen.Syslog: tag regex: ^\d+-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+:[^:]+:\d+:\w+:(?P<eventClassKey>[^:]+):(?P<summary>.*)
2013-11-27 15:57:33,600 INFO zen.Syslog: No matching parser: 'Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0'
2013-11-27 15:57:33,601 DEBUG zen.Syslog: No eventClassKey assigned
--------------------------------------------------------------
Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/75354#75354]
Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
"syslog parser for Adtran opti-6100 LMX"
To view the discussion, visit: http://community.zenoss.org/message/75354#75354
--------------------------------------------------------------
I have a zenoss 4.2.3 system setup to receive syslog alerts from an Adtran opti-6100 LMX system. The messages are received, and appear in the zenoss event console, however, they are not being parsed correctly, and each message is being created as a new event, instead of repeat messages just adding to the counter field. In the zensyslog.log file I see the following for each message with debugs on. There is an ADTRAN regex, but its not matching for some reason, and the parser is not able to read the message. Any way to fix this?
2013-11-27 15:57:33,578 DEBUG zen.zensyslog: Queued event (total of 3) {'rcvtime': 1385589453.578764, 'firstTime': 1385589453.570585, 'severity': 3, 'facility': 1, 'agent': 'zensyslog', 'summary': 'Nov 27 2013 15:57:40 192.168.13.20 19979,55487,11/27/13,15:57,OMM-48L,1-HS1-S12-1-3-1-20,Alert,RFI-V,0,0,0', 'priority': 4, 'manager': 'monitor.xitcomm.lan', 'eventGroup': 'syslog', 'device': '192.168.13.20', 'lastTime': 1385589453.570585, 'ipAddress': '192.168.13.20', 'monitor': 'localhost'}
2013-11-27 15:57:33,594 DEBUG zen.Syslog: host=192.168.13.20, ip=192.168.13.20
2013-11-27 15:57:33,595 DEBUG zen.Syslog: <10>Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0
2013-11-27 15:57:33,595 DEBUG zen.Syslog: fac=1 pri=2
2013-11-27 15:57:33,595 DEBUG zen.Syslog: facility=1 severity=5
2013-11-27 15:57:33,596 DEBUG zen.Syslog: Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0
2013-11-27 15:57:33,596 DEBUG zen.Syslog: Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0
2013-11-27 15:57:33,596 DEBUG zen.Syslog: tag regex: ^(?P<summary>-- (?P<eventClassKey>MARK) --)
2013-11-27 15:57:33,596 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: (?P<eventClassKey>[^:]+): (?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: %(?P<eventClassKey>(?P<component>\S+)-\d-\S+): *(?P<summary>.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: ^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)
2013-11-27 15:57:33,597 DEBUG zen.Syslog: tag regex: device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)
2013-11-27 15:57:33,598 DEBUG zen.Syslog: tag regex: ^\[[^:]+: (?P<component>[^:]+)[^\]]+\]: (?P<summary>.*)
2013-11-27 15:57:33,598 DEBUG zen.Syslog: tag regex: (?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)
2013-11-27 15:57:33,598 DEBUG zen.Syslog: tag regex: (?P<component>\S+): (?P<summary>.*)
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^(?P<deviceModel>[^\[]+)\[(?P<deviceManufacturer>ADTRAN)\]:(?P<component>[^\|]+\|\d+\|\d+)\|(?P<summary>.*)
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^date=.+ (?P<summary>devname=.+ log_id=(?P<eventClassKey>\d+) type=(?P<component>\S+).+)
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^(?P<component>\S+)(\.|\s)[A-Z]{3} \d \S+ \d\d:\d\d:\d\d-\d\d:\d\d:\d\d \d{5} \d{2} \d{5} \S+ \d{4} \d{3,5} (- )*(?P<summary>.*) \d{4} \d{4}
2013-11-27 15:57:33,599 DEBUG zen.Syslog: tag regex: ^Process (?P<process_id>\d+), Nbr (?P<device>\d+\.\d+\.\d+\.\d+) on (?P<interface>\w+/\d+) from (?P<start_state>\w+) to (?P<end_state>\w+), (?P<summary>.+)
2013-11-27 15:57:33,600 DEBUG zen.Syslog: tag regex: ^\d+ \d+\/\d+\/\d+ \d+:\d+:\d+\.\d+ SEV=\d+ (?P<eventClassKey>\S+) RPT=\d+ (?P<summary>.*)
2013-11-27 15:57:33,600 DEBUG zen.Syslog: tag regex: ^\d+:\d+:(?P<component>[^:]+):\d+-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+:[^:]+:\d+:\w+:(?P<eventClassKey>[^:]+):(?P<summary>.*)
2013-11-27 15:57:33,600 DEBUG zen.Syslog: tag regex: ^\d+-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+:[^:]+:\d+:\w+:(?P<eventClassKey>[^:]+):(?P<summary>.*)
2013-11-27 15:57:33,600 INFO zen.Syslog: No matching parser: 'Nov 27 2013 15:57:40 192.168.13.20 19980,55489,11/27/13,15:57,OMM-48L,1-HS2-S12-1-3-1-20,Major,UNEQ-V,0,0,0'
2013-11-27 15:57:33,601 DEBUG zen.Syslog: No eventClassKey assigned
--------------------------------------------------------------
Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/75354#75354]
Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]