Discussion:
Zensyslog for 3com switches issue
Edgardo Rodriguez
2013-12-02 16:59:19 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75373#75373

--------------------------------------------------------------
Hi everybody, I am new to this forum but I've been using Zenoss for a while.

The thing is that I have some issues with syslog processing for a particular model of 3com switches.

I opened this file:
*/opt/zenoss/Products/ZenEvents/SyslogProcessing.py*

where we can see the regexes used to identify event components and distinguish host, timestamp, summary, etc.

The 3com model involved is the 4500 with the latest available firmware. The thing is how syslogs are delivered; next I show an output taken from *origsyslog.log*:

Dec 02 15:34:04 2013 hub-pila-0005 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:sistemas command:display ver

With this particular device, I noticed that the unit ID is sent right next to the component string. This behaviour cannot be modified within the configuration itself, so the question is, has anybody dealt with something similar??

The file mentioned before shows that it expects a space between component and summary; this kind of log violates this behaviour.

I don't know how to manipulate this using a transform...

Any help would be appreciated, thanks in advance.

Regards,
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/75373#75373]

Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Thomas Pollet
2013-12-02 17:13:47 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75375#75375

--------------------------------------------------------------
I think you are better off using SNMP traps for this.
However, if you insist on using syslog, you can use rsyslog or syslog-ng on the default syslog port and zensyslog on another port (e.g. syslogport 8514 in /opt/zenoss/etc/zensyslog.conf). Then you can use rsyslog to rewrite the message and forward it to @127.0.0.1:8514
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-02 17:53:50 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75376#75376

--------------------------------------------------------------
Do you know how I can configure rsyslog to do that?? The only experience I have is configuring it to accept incoming logs and destination files, but never for rewriting...

Thanks!
--------------------------------------------------------------

Thomas Pollet
2013-12-02 18:40:14 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75377#75377

--------------------------------------------------------------
I'd have to trial and error myself...

Maybe you have to use an external script to parse the message and forward it to zensyslog, like in http://www.rsyslog.com/doc/omprog.html .
syslog-ng offers https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/html/rewrite-replace.html
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-02 20:47:12 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75378#75378

--------------------------------------------------------------
Thanks for your searching and help.
I still prefer syslogging in this case, and I'll see if anyone can enlighten me...

I think there should be a method for bypassing this situation using some kind of event transform...

Thanks again,

Regards.
--------------------------------------------------------------

Rob Eagle
2013-12-03 14:14:26 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75381#75381

--------------------------------------------------------------
Edgardo,
Not sure what the issue is at this point.  Is your syslog coming in as:
Dec 02 15:34:04 2013 hub-pila-0005 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:sistemas command:display ver

And you stated that the unit ID is sent right next to component string?  What is the unit ID (hub-pila-0005) and what is the component?

--Rob
--------------------------------------------------------------

Thomas Pollet
2013-12-03 14:18:11 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75382#75382

--------------------------------------------------------------
Hi,

You can also use zensendevent to create a new event after parsing the incoming syslog event:
http://wiki.zenoss.org/Zensendevent_in_Zenoss_4.2.3

Then set the incoming syslog event._action = 'drop'
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-03 14:36:57 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75383#75383

--------------------------------------------------------------
Hi Rob!

Taking this event as example:
Dec 02 15:34:04 2013 hub-pila-0005 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:sistemas command:display ver

So..
| %%10SHELL/5/CMD(l): | (?P<component>\S+)-\d-\S+) |
| task:vt0 ip:10.223.168.132 user:sistemas command:display ver | (?P<summary>.*) |

Zenoss usually expects a space between them, but in this case there is a "- 1 -"; this is the unit id (this id is from the device itself, nothing to do with Zenoss). hub-pila-0005 is the device's name.

Thanks!
--------------------------------------------------------------

Rob Eagle
2013-12-03 14:46:59 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75384#75384

--------------------------------------------------------------
So are you wanting to just strip the unit id out so you are left with the component and summary?
i.e.:
^\w{3}\s\d{1,2}\s\d{1,2}:\d\d:\d\d\s\d{4}\s(?:.*\%%)(?P<component>.*?:)(?:-.*?-)(?P<summary>.*)

Would give you these 2 groups:
| component | 10SHELL/5/CMD(l): |
| summary | task:vt0 ip:10.223.168.132 user:sistemas command:display ver |

Or are you wanting to do something special in the transform to make the events unique somehow?
--Rob
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-03 14:55:07 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75385#75385

--------------------------------------------------------------
That's actually what I need to do!!! Great! I need to strip the unit id,

where should I use
^\w{3}\s\d{1,2}\s\d{1,2}:\d\d:\d\d\s\d{4}\s(?:.*\%%)(?P<component>.*?:)(?:-.*?-)(?P<summary>.*)

?????


Thanks a lot.
--------------------------------------------------------------

Rob Eagle
2013-12-03 15:03:37 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75386#75386

--------------------------------------------------------------
Would back up your */opt/zenoss/Products/ZenEvents/SyslogProcessing.py* file.
Then modify after line:
# generic mark
r"^(?P<summary>-- (?P<eventClassKey>MARK) --)",

and add:
# Edgardo 3Com Parser
r"^\w{3}\s\d{1,2}\s\d{1,2}:\d\d:\d\d\s\d{4}\s(?:.*\%%)(?P<component>.*?:)(?:-.*?-)(?P<summary>.*)",

You might need to recycle your zensyslog daemon. Then I would monitor your /opt/zenoss/log/zensyslog.log file and try to create an event on your 3com device that would send the syslog, see if the event got picked up by your new parser in the log, and verify the event is what you want in the event console.
Make sense?

--Rob
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-03 15:32:15 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75387#75387

--------------------------------------------------------------
It makes sense but doesn't work :(

This is how the event keeps showing..
I also restarted all Zenoss daemons..

| Resource: | hub-cf50-09f1 (http://10.223.168.85:8080/zport/dmd/goto?guid=af0d3b93-ae43-459e-a9d3-5889b5853060) |
| Component: | |
| Event Class: | /Unknown (http://10.223.168.85:8080/zport/dmd/Events/Unknown) |
| Status: | New |
| Message: | 2013 hub-cf50-09f1 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:admin command:display ver |

Event Management...
| agent | zensyslog |
| component | null |
| dedupid | 10.223.168.29||/Unknown|3|2013 hub-cf50-09f1 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:admin command:display ver |
| eventClass | /Unknown (http://10.223.168.85:8080/zport/dmd/Events/Unknown) |
| eventClassKey | |
| eventClassMapping | |
| eventGroup | syslog |
| eventKey | |
| eventState | New |
| evid | 000c296c-d526-b3de-11e3-5c2fc16fba34 |
| facility | 23 |
| message | 2013 hub-cf50-09f1 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:admin command:display ver |
| ntevid | |
| priority | 4 |
| severity | 3 |
| summary | 2013 hub-cf50-09f1 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:admin command:display ver |

Device State...
| DeviceClass | /Network/Switch (http://10.223.168.85:8080/zport/dmd/Devices/Network/Switch) |
| DeviceGroups | |
| DevicePriority | Normal |
| Location | /TECO (http://10.223.168.85:8080/zport/dmd/Locations/TECO) |
| Systems | |
| device | hub-cf50-09f1 (http://10.223.168.85:8080/zport/dmd/goto?guid=af0d3b93-ae43-459e-a9d3-5889b5853060) |
| ipAddress | 10.223.168.29 |
| monitor | localhost |
| prodState | Production |

Event Data...
| clearid | |
| count | 1 |
| firstTime | 2013-12-03 12:29:51 |
| lastTime | 2013-12-03 12:29:51 |
| ownerid | |
| stateChange | 2013-12-03 12:29:51 |

Event Details...
| manager | svv-cf50-0036.argentina.ads.fresenius.de |
| originalTime | Dec 3 15:29:51 |
| zenoss.device.device_class | /Network/Switch |
| zenoss.device.ip_address | 10.223.168.29 |
| zenoss.device.location | /TECO |
| zenoss.device.priority | 3 |
| zenoss.device.production_state | 1000 |
--------------------------------------------------------------

Rob Eagle
2013-12-03 16:12:38 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75388#75388

--------------------------------------------------------------
Edgardo,
Doesn't look like your syslog message contains the Dec 02 x:x:x part expected by the syslog regex:
Dec 02 15:34:04 2013 hub-pila-0005 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:sistemas command:display ver

But just has a year like:
2013 hub-cf50-09f1 %%10SHELL/5/CMD(l):- 1 -task:vt0 ip:10.223.168.132 user:admin command:display ver

Maybe remove the first part of the regex and give it another shot:
^\d{4}\s(?:.*\%%)(?P<component>.*?:)(?:-.*?-)(?P<summary>.*)

Would go this route vs putting a transform in the /Unknown event class, so let's see if we can get it to work.
--Rob
--------------------------------------------------------------

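As an added example (not code from the thread, nor from Zenoss itself), the two regexes Rob posted applied with Python's re module to the two message shapes quoted above, plus a walk over an ordered parser list in the spirit of the SyslogProcessing.py list Rob described editing. It shows why the first regex never matched the text zensyslog actually hands to the parser list (the syslog timestamp is already consumed, leaving only the year), and that the corrected one does. The MARK entry is the one neighbouring parser quoted in the thread; the sample lines are constructed from the thread's own quotes.

```python
import re

# Constructed sample lines, copied from the shapes quoted in this thread.
# 1) The line as the switch writes it to origsyslog.log (month day time year host):
RAW_LINE = ("Dec 02 15:34:04 2013 hub-pila-0005 %%10SHELL/5/CMD(l):- 1 -task:vt0 "
            "ip:10.223.168.132 user:sistemas command:display ver")
# 2) The text zensyslog hands to the parser list after it has consumed the
#    "Dec 3 15:29:51" syslog timestamp (the 'message' field of the event):
ZENOSS_MSG = ("2013 hub-cf50-09f1 %%10SHELL/5/CMD(l):- 1 -task:vt0 "
              "ip:10.223.168.132 user:admin command:display ver")

# Rob's first parser: it requires the full 'Dec 02 15:34:04 2013 ' prefix.
FIRST_PARSER = re.compile(
    r"^\w{3}\s\d{1,2}\s\d{1,2}:\d\d:\d\d\s\d{4}\s(?:.*\%%)"
    r"(?P<component>.*?:)(?:-.*?-)(?P<summary>.*)")
# Rob's corrected parser: only the four-digit year precedes the hostname.
YEAR_PARSER = re.compile(
    r"^\d{4}\s(?:.*\%%)(?P<component>.*?:)(?:-.*?-)(?P<summary>.*)")

# The generic MARK entry that precedes the new parser in SyslogProcessing.py
# (the only neighbouring entry quoted in the thread).
MARK_PARSER = re.compile(r"^(?P<summary>-- (?P<eventClassKey>MARK) --)")

# Ordered list in the spirit of the SyslogProcessing.py parser list:
# the first regex that matches wins, so position matters.
PARSERS = [MARK_PARSER, YEAR_PARSER]


def parse_3com(msg, parser=YEAR_PARSER):
    """Apply one parser; return its named groups, or None if it does not match."""
    m = parser.match(msg)
    return m.groupdict() if m else None


def first_match(msg, parsers=PARSERS):
    """Walk an ordered parser list and return the fields of the first match.

    For the 3com line that is 'component' and 'summary' with the '- 1 -'
    unit id stripped. None means no parser claimed the message, which is
    the case that left the event unparsed in /Unknown in this thread."""
    for parser in parsers:
        fields = parse_3com(msg, parser)
        if fields is not None:
            return fields
    return None


if __name__ == "__main__":
    print("first parser on zensyslog text:", parse_3com(ZENOSS_MSG, FIRST_PARSER))
    print("year parser on zensyslog text :", parse_3com(ZENOSS_MSG))
    print("ordered parser list           :", first_match(ZENOSS_MSG))
```

Note that the corrected regex is specific to what zensyslog delivers: run against the raw origsyslog.log line it does not match either, so test parsers against the event's message field rather than the on-disk log.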
Edgardo Rodriguez
2013-12-03 16:27:54 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75389#75389

--------------------------------------------------------------
You rock!! That works great!!

Now, do you think there is a way to address this by using a transform??
My point is that if I keep this file modified, I need to keep this mod in mind for future ZenPack or core upgrades..
Perhaps one day a ZenPack needs to modify SyslogProcessing.py and may fail or just remove my mod...
Do you get my point??
--------------------------------------------------------------

Rob Eagle
2013-12-03 16:40:31 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75390#75390

--------------------------------------------------------------
Understand your concern.  You might be able to reach out to someone like James Pulver (jmp242) on the forum about getting a parser added to a future release for 3com.  Think they would want more samples than the one we were working on, but that is definitely a possibility.

As for the transform question:
You want to be able to classify the events to an event class and hopefully just once. If you were to just forget about the parser we worked on, you would have to write a transform in the /Unknown event class to look for one specific syslog event and then try to re-classify that event in the transform to move it into another event class. Not sure how that would work, but it might.

By writing the parser, you are able to get an event and reclassify it (map it to its final event class).  This will/should help in the future if you have multiple 3com event types that you want mapped to different event classes.  In a transform, this wouldn't be impossible, but would become more difficult depending on how many mappings you have.

Make sense?
--Rob
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-03 18:08:08 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Zensyslog for 3com switches issue"

To view the discussion, visit: http://community.zenoss.org/message/75391#75391

--------------------------------------------------------------
Yes, by adding this regex now I will be able to reclassify these events as they have a component.

I said that I wanted to use a transform instead of editing this file because of future releases or patches. But it fully works for me this way,

thank you very much Rob.

Regards.
--------------------------------------------------------------
