On Tue, Jul 19, 2005 at 01:16:54AM +0100, Thomas Mangin wrote:
>> Your PCRE is wacky and is probably wrong.
>> \S+? is not a valid sequence
    $ python
    >>> import re
    >>> r = re.compile(r"System: Interface (\S+\s?\S+?) state (\S+)")
    >>> m = r.match("System: Interface ethernet 24, state up")
    >>> m.group(1)
    'ethernet 24,'
    >>> m.group(2)
    'up'
    >>> m = r.match("System: Interface ethernet24, state up")
    >>> m.group(1)
    'ethernet24,'
    >>> m.group(2)
    'up'
Nope, it is perhaps wacky but valid :)
>> The problem is that the correlator will try to find an interface
>> literally called "ethernet 24". It has to be the interfaces.interface
>> field.
That's what I was thinking as well.
I could filter those syslog messages but I would rather prefer to not
rely on the trap.
Can anyone think of a way to make the interface up/down status
work without an SNMP trap?
> Not with this version, but I would say with later versions the
> handling of syslog messages will be different and you can put in a
> transform-set to lookup ethernet 24
I was more thinking of a way to do a change with a regex when the syslog
line is imported from the syslog table to the events table.
When looking at the structure of the syslog rule table I was surprised
to see that for the expression the number of fields (interface, user,
state, info) is hardcoded.
I would say that ideally the table structure needs to be changed to
something like:

syslog_types
+------------+------------+------+-----+---------+----------------+
| Field      | Type       | Null | Key | Default | Extra          |
+------------+------------+------+-----+---------+----------------+
| id         | int(10)    |      | PRI | NULL    | auto_increment |
| match_text | char(255)  |      |     |         |                |
| interface  | char(10)   |      |     |         |                |
| type       | int(10)    |      |     | 1       |                |
| pos        | tinyint(3) |      |     | 1       |                |
+------------+------------+------+-----+---------+----------------+

syslog_types_definition
+------------+------------+------+-----+---------+----------------+
| Field      | Type       | Null | Key | Default | Extra          |
+------------+------------+------+-----+---------+----------------+
| id         | int(10)    |      | PRI |         |                |
| name       | char(20)   |      | PRI |         |                |
| pos        | char(20)   |      |     |         |                |
| match      | char(255)  |      |     |         |                |
| replace    | char(255)  |      |     |         |                |
+------------+------------+------+-----+---------+----------------+

+----+-----------+-----+-------------------+--------------------+
| id | name      | pos | match             | replace            |
+----+-----------+-----+-------------------+--------------------+
| 1  | interface | 1   | ethernet\s?(\S+)  | GigabitEthernet$1  |
+----+-----------+-----+-------------------+--------------------+

or something like that.
(And please do not ask me to code it but I will have a look at what is
involved).
For the time being I think I will just try to write a syslog rule which is
"dropping" the line and rely on the trap.
Thomas
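
The rewrite proposed in the syslog_types_definition sample row, sketched as an added example (not JFFNMS code and not part of the original message). The function names, the conversion of `$1` to Python's `\g<1>`, and the stripping of the trailing comma captured by the rule are assumptions made for this illustration.

```python
import re

# Syslog rule regex from the message above (raw string added).
RULE = re.compile(r"System: Interface (\S+\s?\S+?) state (\S+)")

# Constructed rows mirroring the proposed syslog_types_definition table:
# (id, name, pos, match, replace). "$1" is the table's group syntax.
DEFINITIONS = [
    (1, "interface", 1, r"ethernet\s?(\S+)", "GigabitEthernet$1"),
]

def to_python_template(replace):
    """Convert "$N" group references to Python's "\\g<N>" form.

    Backslashes are escaped first so a stored template cannot smuggle in
    other escapes or group references.
    """
    escaped = replace.replace("\\", "\\\\")
    return re.sub(r"\$(\d+)", r"\\g<\1>", escaped)

def transform(name, pos, value, definitions=DEFINITIONS):
    """Apply the first definition whose match covers the whole field."""
    # Assumption: trailing punctuation captured by the rule (the "," in
    # "ethernet 24,") is not part of the interface name.
    value = value.rstrip(",;:")
    for _id, d_name, d_pos, match, replace in definitions:
        if (d_name, d_pos) != (name, pos):
            continue
        m = re.fullmatch(match, value)  # whole field, not a substring
        if m:
            return m.expand(to_python_template(replace))
    return value  # no definition applies: keep the field unchanged

def parse(line):
    """Return (interface, state) for a matching syslog line, else None."""
    m = RULE.match(line)
    if m is None:
        return None
    return transform("interface", 1, m.group(1)), m.group(2)
```

Without the `rstrip`, the sample row would turn `ethernet 24,` into `GigabitEthernet24,`, which still would not equal an interface name stored without the comma.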