Discussion:
EventClassKey
G. Xh.
2012-03-22 13:08:00 UTC
Permalink
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/65382#65382

--------------------------------------------------------------
Good Day

I'm using Zenoss Core 3.x and for the Windows clients I'm using the Snare Agent 4.0. Now I can send my events over the syslog protocol, but when I want to match an event to an EventClass, the EventClass is bound to the eventClassKey. Now my EventClassKeys are named like "Name" or "Anmeldung". Is there any way to set the EventClassKey to the same value as the EventID under Windows?

I hope you can help me

greetings
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65382#65382]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

G. Xh.
2012-03-26 07:30:51 UTC
--------------------------------------------------------------
Isn't there any help for me? :-S
--------------------------------------------------------------

Shane Scott
2012-03-27 03:59:57 UTC
--------------------------------------------------------------
G. Xh.:

Setting the eventClassKey via transform and/or event mapping is possible, but the big problem is that I don't think anyone here uses Snare. Can you post some examples of the syslog entries that aren't matching up well?

Best,
--Shane (Hackman238)
--------------------------------------------------------------

G. Xh.
2012-03-29 06:42:16 UTC
--------------------------------------------------------------
Well, if you take a look at this event, which is managed by the Snare Agent, you can see that the EventID is right (EventID 593).

But when this event was sent to the Zenoss Core server, the EventClassKey is not the EventID but a curious "erstellt", which is German for "created".

But I'm sure that a few weeks ago the EventClassKey and the EventID were the same!

I hope you understand me and can help me

greetings
--------------------------------------------------------------

G. Xh.
2012-04-11 06:27:01 UTC
--------------------------------------------------------------
Hi everybody. I tried it again today but it still doesn't work! Does anyone have an idea what I can try? It's very important because I need it for my qualification.
thanks very much!
--------------------------------------------------------------

jcurry
2012-04-11 14:08:37 UTC
--------------------------------------------------------------
Have you pulled my document on Zenoss Event Management? http://community.zenoss.org/docs/DOC-3538 . Section 4 looks at how zensyslog processes incoming syslog messages. It sounds like it is that initial mapping that is going wrong, and it is that mapping that sets the eventClassKey. It is SyslogProcessing.py in $ZENHOME/Products/ZenEvents that actually parses out the incoming message.

Another hint is to change the debug level of the zensyslog daemon. Change the logseverity to Debug to give more info and also set logorig True to log the original incoming message.

Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-11 14:32:44 UTC
--------------------------------------------------------------
Hi Jcurry

I changed the debug level of the zensyslog daemon and I also set logorig to true. But that doesn't solve my problem. What can I change in SyslogProcessing.py so that the EventID becomes the EventClassKey in Zenoss? Do you have an idea?
--------------------------------------------------------------

jcurry
2012-04-11 15:59:15 UTC
--------------------------------------------------------------
You need to look at the paper. Figure 11 shows the regular expressions that will be tried, in order, to match your original syslog message. Figure 16 shows how the eventClassKey field is determined. Usually it gets set to the component attribute (as has happened in your case). The component attribute generally gets set by the regexes shown in Fig 11.

Have a look at these and perhaps post the original incoming event that you should now find in $ZENHOME/log/.  You have set the logorig flag to True - you may also need to set the name of this logfile - I would suggest you put it in the same directory as the rest of the Zenoss logs.  Don't forget to recycle zensyslog before these logging changes will take place.

Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-12 07:01:10 UTC
--------------------------------------------------------------
Thanks a lot. When I take a look into the logfile I can see this:

2012-04-12 08:41:37,380 DEBUG zen.Syslog: parseHEADER timestamp=Apr 12 08:41:40
2012-04-12 08:41:37,381 DEBUG zen.Syslog: pchs1136.sanacare.local MSWinEventLog 1 Security 285 Thu Apr 12 08:41:34 2012 528 Security NETZWERKDIENST Well Known Group Success Audit PCHS1136 An-/Abmeldung Erfolgreiche Anmeldung:     Benutzername: NETZWERKDIENST     Domäne: NT-AUTORITÄT     Anmeldekennung: (0x0,0x3E4)     Anmeldetyp: 5     Anmeldevorgang: Advapi       Authentifizierungspaket: Negotiate     Name der Arbeitsstation:      Anmelde-GUID: -   240
2012-04-12 08:41:37,381 DEBUG zen.Syslog: tag regex: ^(?P<summary>-- (?P<eventClassKey>MARK) --)
2012-04-12 08:41:37,381 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: (?P<eventClassKey>[^:]+): (?P<summary>.*)
2012-04-12 08:41:37,381 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
2012-04-12 08:41:37,381 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)
2012-04-12 08:41:37,381 DEBUG zen.Syslog: tag regex: %(?P<eventClassKey>(?P<component>\S+)-\d-\S+): (?P<summary>.*)
2012-04-12 08:41:37,381 DEBUG zen.Syslog: tag regex: ^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)
2012-04-12 08:41:37,382 DEBUG zen.Syslog: tag regex: device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)
2012-04-12 08:41:37,382 DEBUG zen.Syslog: tag regex: ^\[[^:]+: (?P<component>[^:]+)[^\]]+\]: (?P<summary>.*)
2012-04-12 08:41:37,382 DEBUG zen.Syslog: tag regex: (?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)
2012-04-12 08:41:37,382 DEBUG zen.Syslog: tag regex: (?P<component>\S+): (?P<summary>.*)
2012-04-12 08:41:37,382 DEBUG zen.Syslog: tag match: {'component': 'Anmeldung', 'summary': '    Benutzername: NETZWERKDIENST     Dom\xe4ne: NT-AUTORIT\xc4T     Anmeldekennung: (0x0,0x3E4)     Anmeldetyp: 5     Anmeldevorgang: Advapi       Authentifizierungspaket: Negotiate     Name der Arbeitsstation:      Anmelde-GUID: -  \t240'}
2012-04-12 08:41:37,383 DEBUG zen.Syslog: eventClassKey=Anmeldung
2012-04-12 08:41:37,383 DEBUG zen.ZenSyslog: Queueing event {'firstTime': 1334212897.3801069, 'severity': 2, 'facility': 'user', 'eventClassKey': u'Anmeldung', 'component': 'Anmeldung', 'agent': 'zensyslog', 'summary': '    Benutzername: NETZWERKDIENST     Dom\xe4ne: NT-AUTORIT\xc4T     Anmeldekennung: (0x0,0x3E4)     Anmeldetyp: 5     Anmeldevorgang: Advapi       Authentifizierungspaket: Negotiate     Name der Arbeitsstation:      Anmelde-GUID: -  \t240', 'priority': 6, 'manager': 'SRVHS1023.sanacare.local', 'eventGroup': 'syslog', 'originalTime': 'Apr 12 08:41:40', 'device': 'pchs1136.sanacare.local', 'lastTime': 1334212897.3801069, 'ipAddress': '10.3.1.198', 'monitor': 'localhost'}
2012-04-12 08:41:37,383 DEBUG zen.ZenSyslog: Total of 1 queued events
2012-04-12 08:41:37,385 DEBUG zen.Syslog: host=pchs1136.sanacare.local, ip=10.3.1.198
2012-04-12 08:41:37,386 DEBUG zen.Syslog: <15>Apr 12 08:41:40 pchs1136.sanacare.local MSWinEventLog 0 Security 286 Thu Apr 12 08:41:34 2012 592 Security SYSTEM User Success Audit PCHS1136 Detaillierte Überwachung Ein neuer Vorgangs wurde erstellt:     Neue Prozesskennung: 3372     Bilddateiname: C:\WINDOWS\system32\wbem\wmiprvse.exe     Erstellte Prozesskennung: 856     Benutzername: PCHS1136$     Domäne: CHSANAGR     Anmeldekennung: (0x0,0x3E7)     241

It's a log of a successful logon. On the first line you can see that the EventID is in there (528), but when Zenoss parses it, it doesn't take the EventID as the EventClassKey but takes 'Anmelden' as the EventClassKey. Do you know how to parse the event so that it takes the EventID for the EventClassKey?

Cheers
--------------------------------------------------------------

nilie
2012-04-11 17:30:38 UTC
--------------------------------------------------------------
To me it looks like the Snare Agent is not forwarding messages in standard syslog format, so Zenoss is lost trying to map the message. I would suggest trying to pre-process and reformat the message somehow before it is fed to the zensyslog daemon. It might be easier (and cleaner) to do it this way in the good old *nix tradition, since you'll have fewer worries during future upgrades or migrations.
--------------------------------------------------------------

G. Xh.
2012-04-12 07:06:13 UTC
--------------------------------------------------------------
Hi, thanks for your answer.

But if you take a look at my configuration you can see that the syslog header is enabled. I think the Snare Agent is forwarding it in the right format, isn't it?

cheers
--------------------------------------------------------------

jcurry
2012-04-12 08:21:08 UTC
--------------------------------------------------------------
nilie is correct. It looks like the header isn't being parsed correctly. I think you have Anmeldung as your component because it is the string preceding a colon (:) and your regex has matched on:
(?P<component>\S+): (?P<summary>.*)

Since your Snare panel does seem to have an alternate header option, I would at least start by trying that.

If this doesn't work, please make sure that you post the logfile with the original message in it, as well as the zensyslog file.

HTH,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-12 08:49:39 UTC
--------------------------------------------------------------
OK, now I understand it a little bit more. In my Snare Agent documentation I saw that the Snare Agent transmits the event tab-separated. Maybe that's the problem, why the logs aren't parsed correctly?

I also tried the alternate syslog header now. That doesn't work properly either.
--------------------------------------------------------------

G. Xh.
2012-04-26 13:41:40 UTC
--------------------------------------------------------------
So now I again had time to take a look at that system.

Now I created an event with the command line:

eventcreate /L Application /T Error /SO TESTSOURCE /ID 999 /D "That's an random Event"

After that the event went to the Zenoss Core event system and it gets the EventClassKey:

MSWinEventLog

In the log I can see this:

2012-04-26 15:37:13,449 DEBUG zen.Syslog: parseHEADER timestamp=Apr 26 15:37:17
2012-04-26 15:37:13,449 DEBUG zen.Syslog: parseHEADER hostname=pchs1136.sanacare.local
2012-04-26 15:37:13,449 DEBUG zen.Syslog: MSWinEventLog[1]:Application 1830 Thu Apr 26 15:37:17 2012 999 TESTSOURCE Unknown User N/A Error PCHS1136 None That's an random Event 7
2012-04-26 15:37:13,449 DEBUG zen.Syslog: tag regex: ^\S+\s+MSWinEventLog\s+\d\s+Application\s+\d+\s+\S\S\S\s\S\S\S\s\d\d\s\d\d:\d\d:\d\d\s\d\d\d\d\s+(?P<component>\d\d\d)\s+(?P<summary>.+)$
2012-04-26 15:37:13,449 DEBUG zen.Syslog: tag regex: ^(?P<summary>-- (?P<eventClassKey>MARK) --)
2012-04-26 15:37:13,449 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: (?P<eventClassKey>[^:]+): (?P<summary>.*)
2012-04-26 15:37:13,449 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag regex: %(?P<eventClassKey>(?P<component>\S+)-\d-\S+): (?P<summary>.*)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag regex: ^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag regex: device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag regex: ^\[[^:]+: (?P<component>[^:]+)[^\]]+\]: (?P<summary>.*)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag regex: (?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)
2012-04-26 15:37:13,450 DEBUG zen.Syslog: tag match: {'component': 'MSWinEventLog', 'pid': '1', 'summary': "Application 1830 Thu Apr 26 15:37:17 2012 999 TESTSOURCE Unknown User N/A Error PCHS1136 None That's an random Event 7"}
2012-04-26 15:37:13,451 DEBUG zen.Syslog: eventClassKey=MSWinEventLog
2012-04-26 15:37:13,451 DEBUG zen.ZenSyslog: Queueing event {'firstTime': 1335447433.447741, 'severity': 2, 'facility': 'user', 'eventClassKey': u'MSWinEventLog', 'component': 'MSWinEventLog', 'pid': '1', 'agent': 'zensyslog', 'summary': "Application 1830 Thu Apr 26 15:37:17 2012 999 TESTSOURCE Unknown User N/A Error PCHS1136 None That's an random Event 7", 'priority': 5, 'manager': 'SRVHS1023.sanacare.local', 'eventGroup': 'syslog', 'originalTime': 'Apr 26 15:37:17', 'device': 'pchs1136.sanacare.local', 'lastTime': 1335447433.447741, 'monitor': 'localhost'}
2012-04-26 15:37:13,451 DEBUG zen.ZenSyslog: Total of 1 queued events
2012-04-26 15:37:19,936 DEBUG zen.Syslog: host=pchs1136.sanacare.local, ip=10.3.1.198
2012-04-26 15:37:19,937 DEBUG zen.Syslog: <13>Apr 26 15:37:23 pchs1136.sanacare.local MSWinEventLog[1]:Security     1831     Thu Apr 26 15:37:23 2012     861     Security     NETZWERKDIENST     Well Known Group     Failure Audit     PCHS1136     Detaillierte Überwachung          Der Windows-Firewall hat eine Anwendung ermittelt, die eingehenden Datenverkehr abhört.        Name: -    Pfad: C:\WINDOWS\system32\svchost.exe    Prozesskennung: 1508    Benutzerkonto: NETZWERKDIENST    Benutzerdomäne: NT-AUTORITÄT    Dienst: Ja    RPC-Server: Nein    IP-Version: IPv4    IP-Protokoll: UDP    Portnummer: 53530    Zugelassen: Nein    Benutzer benachrichtigt: Nein       1813

There I can see that the parsing is not going well, so I tried to add a new regex rule. Then I found this:

# SNARE windows msg
r"MSWinEventLog\s\d\s(?P<component>\D+?)\s\d+?\s\w\w\w\s\w\w\w\s\d\d\s\d\d:\d\d\s\d\d\d\d\s(?P<ntevid>\d+?)\s(?P<summary>.*)",

I wrote that into the SyslogProcessing.py but it doesn't help.
--------------------------------------------------------------

jcurry
2012-04-26 15:55:05 UTC
--------------------------------------------------------------
You can see that your regex is tried (first) but discarded as the next regex is tried.
For starters, your native log starts with MSWinEventLog[1] - there is nothing in your regex to match the square brackets (and a square bracket is a meta character so you will need to escape it). Try:

r"MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)",

Absolutely no promises...
Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-27 06:05:03 UTC
--------------------------------------------------------------
OK, I tried your string but I get the same failure:

2012-04-27 08:01:58,536 DEBUG zen.Syslog: parseHEADER timestamp=Apr 27 08:02:12
2012-04-27 08:01:58,536 DEBUG zen.Syslog: parseHEADER hostname=pchs1136
2012-04-27 08:01:58,536 DEBUG zen.Syslog: MSWinEventLog[1]:Security 118 Fri Apr 27 08:02:12 2012 861 Security NETZWERKDIENST Well Known Group Failure Audit PCHS1136 Detaillierte Überwachung Der Windows-Firewall hat eine Anwendung ermittelt, die eingehenden Datenverkehr abhört. Name: - Pfad: C:\WINDOWS\system32\svchost.exe Prozesskennung: 1512 Benutzerkonto: NETZWERKDIENST Benutzerdomäne: NT-AUTORITÄT Dienst: Ja RPC-Server: Nein IP-Version: IPv4 IP-Protokoll: UDP Portnummer: 54437 Zugelassen: Nein Benutzer benachrichtigt: Nein 87
2012-04-27 08:01:58,536 DEBUG zen.Syslog: tag regex: MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)
2012-04-27 08:01:58,536 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: MSWinEventLog\s\d\s(?P<component>\D+?)\s\d+?\s\w\w\w\s\w\w\w\s\d\d\s\d\d:\d\d\s\d\d\d\d\s(?P<ntevid>\d+?)\s(?P<summary>.*)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: ^(?P<summary>-- (?P<eventClassKey>MARK) --)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: ^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: (?P<eventClassKey>[^:]+): (?P<summary>.*)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: %(?P<eventClassKey>(?P<component>\S+)-\d-\S+): (?P<summary>.*)
2012-04-27 08:01:58,537 DEBUG zen.Syslog: tag regex: ^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)
2012-04-27 08:01:58,538 DEBUG zen.Syslog: tag regex: device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)
2012-04-27 08:01:58,538 DEBUG zen.Syslog: tag regex: ^\[[^:]+: (?P<component>[^:]+)[^\]]+\]: (?P<summary>.*)
2012-04-27 08:01:58,538 DEBUG zen.Syslog: tag regex: (?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)
2012-04-27 08:01:58,538 DEBUG zen.Syslog: tag match: {'component': 'MSWinEventLog', 'pid': '1', 'summary': 'Security 118 Fri Apr 27 08:02:12 2012 861 Security NETZWERKDIENST Well Known Group Failure Audit PCHS1136 Detaillierte \xdcberwachung Der Windows-Firewall hat eine Anwendung ermittelt, die eingehenden Datenverkehr abh\xf6rt. Name: - Pfad: C:\\WINDOWS\\system32\\svchost.exe Prozesskennung: 1512 Benutzerkonto: NETZWERKDIENST Benutzerdom\xe4ne: NT-AUTORIT\xc4T Dienst: Ja RPC-Server: Nein IP-Version: IPv4 IP-Protokoll: UDP Portnummer: 54437 Zugelassen: Nein Benutzer benachrichtigt: Nein 87'}
2012-04-27 08:01:58,538 DEBUG zen.Syslog: eventClassKey=MSWinEventLog
2012-04-27 08:01:58,538 DEBUG zen.ZenSyslog: Queueing event {'firstTime': 1335506518.5352819, 'severity': 2, 'facility': 'user', 'eventClassKey': u'MSWinEventLog', 'component': 'MSWinEventLog', 'pid': '1', 'agent': 'zensyslog', 'summary': 'Security 118 Fri Apr 27 08:02:12 2012 861 Security NETZWERKDIENST Well Known Group Failure Audit PCHS1136 Detaillierte \xdcberwachung Der Windows-Firewall hat eine Anwendung ermittelt, die eingehenden Datenverkehr abh\xf6rt. Name: - Pfad: C:\\WINDOWS\\system32\\svchost.exe Prozesskennung: 1512 Benutzerkonto: NETZWERKDIENST Benutzerdom\xe4ne: NT-AUTORIT\xc4T Dienst: Ja RPC-Server: Nein IP-Version: IPv4 IP-Protokoll: UDP Portnummer: 54437 Zugelassen: Nein Benutzer benachrichtigt: Nein 87', 'priority': 5, 'manager': 'SRVHS1023.sanacare.local', 'eventGroup': 'syslog', 'originalTime': 'Apr 27 08:02:12', 'device': 'pchs1136.sanacare.local', 'lastTime': 1335506518.5352819, 'monitor': 'localhost'}
2012-04-27 08:01:58,539 DEBUG zen.ZenSyslog: Total of 1 queued events

Component is still MSWinEventLog and EventClassKey is also still MSWinEventLog.
--------------------------------------------------------------

jcurry
2012-04-27 08:11:13 UTC
--------------------------------------------------------------
I cannot generate your native event so I cannot test this. In the first line below I have put in extra spaces so it is easier to see which parts of the regex match which parts of your native line. This first line is only to help understanding. There should be no spaces in your SyslogProcessing.py. I have only added a couple of + signs to this version.

r"MSWinEventLog\[\d+\]:  \w+\s+  (?P<component>\D+?)\s+   \w+\s+  \w+\s+ \d+\s  \d+:\d+:\d+\s+   \d+\s+  (?P<ntevid>\d+?)\s+   (?P<summary>.*)",

So, this is what you should use in SyslogProcessing:

r"MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)",

Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-27 08:41:00 UTC
--------------------------------------------------------------
OK, now I added that to the SyslogProcessing.py script. My script now looks like this:

###########################################################################
#
# This program is part of Zenoss Core, an open source monitoring platform.
# Copyright (C) 2007, Zenoss Inc.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published by
# the Free Software Foundation.
#
# For complete information please visit: http://www.zenoss.com/oss/
#
###########################################################################


__doc__ = """SyslogProcessing
Class for turning syslog events into Zenoss Events
"""


import re
import logging
slog = logging.getLogger("zen.Syslog")
import socket


import Globals
from Products.ZenEvents.syslog_h import *
from Products.ZenUtils.IpUtil import isip




# Regular expressions that parse syslog tags from different sources
# A tuple can also be specified, in which case the second item in the
# tuple is a boolean which tells whether or not to keep the entry (default)
# or to discard the entry and not create an event.
parsers = (
# generic mark
r"^(?P<summary>-- (?P<eventClassKey>MARK) --)",


# Windows Event Logs Snare
r"MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)",


# Cisco UCS
# : 2010 Oct 19 15:47:45 CDT: snmpd: SNMP Operation (GET) failed. Reason:2 reqId (257790979) errno (42) error index (1)
r'^: \d{4} \w{3}\s+\d{1,2}\s+\d{1,2}:\d\d:\d\d \w{3}: (?P<eventClassKey>[^:]+): (?P<summary>.*)',


# ntsyslog windows msg
r"^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)",

and then the rest of the code, which is standard.

Is the code in the right place? Because it's still the same result as at the beginning.

I have the current version 4.0.1.2 of the Snare agent installed and I generate the test events manually with this command on the command line:
eventcreate /L Application /T Error /SO TestEvent /ID 999 /D "Das ist das Testevent"

cheers
--------------------------------------------------------------

jcurry
2012-04-27 09:23:18 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66105#66105

--------------------------------------------------------------
Yes - it is in the right place.  You could see from your log file that the line was there - the first "tag regex" line.  We obviously still haven't quite got the correct regex to match your incoming line. Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-27 09:24:46 UTC
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66106#66106

--------------------------------------------------------------
Now I tried around a little bit with regex and parsed this string:
MSWinEventLog[1]:Application 162 Fri Apr 27 10:56:33 2012 999 TestEvent Unknown User N/A Error PCHS1136 None Das ist das Testevent 6

with this regex:
MSWinEventLog\[\d+\]:\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+\s+\d+\s+\w+\s+\w+\s+\w+\s+\w+/\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\d+.

But my problem now is that I don't know how to put the text into a variable.

Maybe I should explain the string:
This part, MSWinEventLog\[\d+\]:\w+\s+, matches this part of the string: MSWinEventLog[1]:Application

This part, MSWinEventLog\[\d+\]:\w+\s+\d+\s+\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+, matches this part of the string: MSWinEventLog[1]:Application 162 Fri Apr 27 10:56:33 2012
That means that after that part the next number should be set as EventClassKey or ntevid, and everything after that should be the summary.

I think the end of this problem is not far away. I just have to know how to set these variables, like (?P<component>\D+?) or (?P<summary>.*?).
--------------------------------------------------------------

jcurry
2012-04-27 10:16:08 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66107#66107

--------------------------------------------------------------
Try this:
r"MSWinEventLog\[\d+\]:\w+\s+(?P<component>\d+?)\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)"

I have changed the \D after component to \d

Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-27 11:14:38 UTC
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66108#66108

--------------------------------------------------------------
YES!!

We are a step closer to the end.
Now the component is a random number which is counting up, and the EventClassKey is [Component]_[EventID], for example 476_999.

Is there a possibility that the component is the event log, for example Application, Security or System, and the EventClassKey only the EventID?
--------------------------------------------------------------

jcurry
2012-04-27 11:23:19 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66109#66109

--------------------------------------------------------------
Component is the number that follows the logname - Application. Is that not what you want?  Not sure what you actually want the eventClassKey to be????

Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-27 11:33:55 UTC
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66110#66110

--------------------------------------------------------------
OK, I'll try to explain it a little bit more clearly.

In the current situation, the component is a number which Windows generates automatically.
If you take a look at the event string you can see that the component is the number after Application:
MSWinEventLog[1]:Application 536 Fri Apr 27 13:28:49 2012 999 TestEvent Unknown User N/A Error PCHS1136 None Das ist das Testevent 14

But I want the component to be not this number after Application but the word after [1]:, which in this string is Application.

And in the current situation the EventClassKey is this random number_EventID.

But my wish is that the EventClassKey is just 999 without 536_ (536 is this automatically generated number from Windows).

If you take a look at the event string you can see that this number, which I want to be the EventClassKey, is after 2012, that means before the <summary>.

Do you understand?
--------------------------------------------------------------

G. Xh.
2012-04-27 11:44:06 UTC
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66111#66111

--------------------------------------------------------------
I solved the problem with the EventClassKey myself.

I changed

elif evt.has_key('ntevid'):
    evt['eventClassKey'] = "%s_%s" % (evt['component'], evt['ntevid'])

to

elif evt.has_key('ntevid'):
    evt['eventClassKey'] = evt['ntevid']

Now there is just the problem with the component.
--------------------------------------------------------------

jcurry
2012-04-27 12:08:16 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66113#66113

--------------------------------------------------------------
Try this:
r"MSWinEventLog\[\d+\]:(?P<component>\w+?)\s+\d+\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)"

Cheers,
Jane
--------------------------------------------------------------

G. Xh.
2012-04-27 12:18:44 UTC
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66114#66114

--------------------------------------------------------------
Yes, thank you very much Jane! You're just great.

As you can see, the problem is solved, and that is because of your help!

thank you very much
--------------------------------------------------------------

G. Xh.
2012-04-27 11:59:11 UTC
G. Xh. [http://community.zenoss.org/people/gx104] created the discussion

"Re: EventClassKey"

To view the discussion, visit: http://community.zenoss.org/message/66112#66112

--------------------------------------------------------------
OK, I solved the problem with the component also!!!


YES!!!! Thank you very very very much!!!

Here again is the solution.

Insert the following into SyslogProcessing.py:

# Windows Event Logs Snare
r"MSWinEventLog\[\d+\]:(?P<component>\w+?)\s+\d+\s+\w+\s+\w+\s+\d+\s\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)",

and

if evt.has_key('eventClassKey') or evt.has_key('eventClass'):
    return evt
elif evt.has_key('ntevid'):
    evt['eventClassKey'] = evt['ntevid']
--------------------------------------------------------------

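Added worked example (editor's code, not from the thread, from Zenoss or from Snare): the final Snare tag regex and the eventClassKey rule from this thread, run in plain Python against the two event strings posted above, so the named groups and the resulting keys can be checked offline before touching SyslogProcessing.py. The earlier `\D+?` variant is included only to show why it never matched (the field after the log name is the all-digit record number). `parse_snare`, `set_event_class_key` and `class_keys_for` are names chosen here for illustration; the sample lines are the ones posted in the thread, not live Snare output, and `in` is used instead of `has_key` so the block runs on Python 2 and 3.

```python
import re

# Final Snare "MSWinEventLog" tag regex from this thread: the log name becomes
# component, the Windows event ID becomes ntevid, the rest becomes summary.
SNARE_FINAL = re.compile(
    r"MSWinEventLog\[\d+\]:(?P<component>\w+?)\s+\d+\s+\w+\s+\w+\s+\d+\s"
    r"\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)"
)

# The earlier attempt with \D+? after the log name. The field after
# "Application" is the record number (all digits), so \D+? can never match
# there and the whole regex fails. Kept only to demonstrate that.
SNARE_FIRST_TRY = re.compile(
    r"MSWinEventLog\[\d+\]:\w+\s+(?P<component>\D+?)\s+\w+\s+\w+\s+\d+\s"
    r"\d+:\d+:\d+\s+\d+\s+(?P<ntevid>\d+?)\s+(?P<summary>.*)"
)

# Sample input: the two event strings posted in the thread (generated with
# eventcreate /ID 999). Constructed test data, not captured Snare traffic.
SAMPLE_LINES = [
    "MSWinEventLog[1]:Application 162 Fri Apr 27 10:56:33 2012 999 TestEvent "
    "Unknown User N/A Error PCHS1136 None Das ist das Testevent 6",
    "MSWinEventLog[1]:Application 536 Fri Apr 27 13:28:49 2012 999 TestEvent "
    "Unknown User N/A Error PCHS1136 None Das ist das Testevent 14",
]


def parse_snare(line, pattern=SNARE_FINAL):
    """Return the named groups as a dict, or None if the tag regex does not match.

    Mimics what SyslogProcessing does with one entry of its `parsers` tuple:
    the first regex that matches contributes its groups to the event.
    """
    m = pattern.search(line)
    return m.groupdict() if m else None


def set_event_class_key(evt, qualify_with_component):
    """Apply the eventClassKey rule from SyslogProcessing.py to an event dict.

    qualify_with_component=True  -> stock rule:        "<component>_<ntevid>"
    qualify_with_component=False -> the thread's edit:  "<ntevid>"
    An event that already carries eventClassKey or eventClass is left alone,
    exactly as in the original if/elif chain.
    """
    if "eventClassKey" in evt or "eventClass" in evt:
        return evt
    if "ntevid" in evt:
        if qualify_with_component:
            evt["eventClassKey"] = "%s_%s" % (evt["component"], evt["ntevid"])
        else:
            evt["eventClassKey"] = evt["ntevid"]
    return evt


def class_keys_for(lines, qualify_with_component):
    """Parse each line and return the eventClassKey it would get (None if unmatched)."""
    keys = []
    for line in lines:
        evt = parse_snare(line)
        if evt is None:
            keys.append(None)
            continue
        keys.append(set_event_class_key(evt, qualify_with_component)["eventClassKey"])
    return keys


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("first try matched:", parse_snare(line, SNARE_FIRST_TRY) is not None)
        print("final regex groups:", parse_snare(line))
    print("stock keys:   ", class_keys_for(SAMPLE_LINES, True))
    print("thread's keys:", class_keys_for(SAMPLE_LINES, False))
```

One caveat on the edit that drops the component prefix: Windows event IDs are only unique per event source, so with a bare `ntevid` key an ID 999 from an application in the Application log and the same number from the Security log land in the same event class and get the same mapping and transforms. If the mapping must not collapse those, keep the stock `component_ntevid` form, or match on the source name that appears at the start of `summary` as well.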