Hi,
We also use syslog_ng, and installed sysedge on the syslog server for log file
monitoring.
After ng, we have a script to parse certain items in the logwatch file.
Here we have stripped out the timestamps, to have the Spectrum Alarm deduplication
feature in use for multiple alarms with the same content. You can extend the
deduplication in event customization to all sysedge PDU varbinds, but we use
sysedge also for a lot of other things.
Some examples of the sysedge.cf we have in use for syslog. We have many
more entries, because most are handled via sysedge.mon - Aview.
# Examples ERWIN
watch logfile 3 0x8 /log/watch/alert.log 'PIX-1-102001' 'MINOR: ### PIX power failure or reload on mate ### ~0~minor~' '' 1
watch logfile 4 0x8 /log/watch/alert.log 'PIX-1-103001' 'MINOR: ### PIX no response from mate ### ~CUSTOMER-SERVICE-SUP_GROUP~major~' '' 1
watch logfile 5 0x8 /log/watch/alert.log 'PIX-1-104001' 'MINOR: ### PIX failover occurred ### ~0~minor~' '' 1
watch logfile 5 0x8 /log/watch/alert.log 'PIX-1-104002' 'MINOR: ### PIX failover occurred ### ~0~minor~' '' 1
watch logfile 5 0x8 /log/watch/alert.log 'PIX-1-104003' 'MINOR: ### PIX failover switch failed ### ~0~major~' '' 1
watch logfile 5 0x8 /log/watch/alert.log 'PIX-1-104004' 'MINOR: ### PIX failover occurred ### ~0~minor~' '' 1
watch logfile 6 0x8 /log/watch/alert.log 'PIX-1-105001' 'MINOR: ### PIX failover disabled by admin ### ~0~minor~' '' 1
#watch logfile 7 0x8 /log/watch/alert.log 'PIX-1-105005' 'MINOR: ### PIX lost failover communication ### ~0~minor~' '' 1
watch logfile 8 0x8 /log/watch/dclan.log 'CDP-4-DUPLEX_MISMATCH' 'MINOR: ### duplex mismatch ### ~0~minor~' '' 1
watch logfile 9 0x8 /log/watch/dclan.log 'CDP-4-NATIVE_VLAN_MISMATCH' 'MINOR: ### native VLAN mismatch ### ~0~minor~' '' 1
watch logfile 10 0x8 /log/watch/alert.log 'PIX-3-211001' 'MINOR: ### PIX memory allocation error ### ~0~minor~' '' 1
In Spectrum, we have custom event rules to handle all sysedge traps. We can
decide individually per sysedge row entry the Severity in Spectrum, and
separately the Severity of the notification (with a matrix for when to send SMS,
Ticket, and alarm enrichment).
Some info on Event customization for Sysedge ->
sh-3.2$ pwd
/spectrum/custom/Events
-sh-3.2$ cat AlertMap | grep 0xffff102*
1.3.6.1.4.1.546.1.1.6.4 0xffff1020 1.3.6.1.4.1.546.11.1.1.2(18,0) \
1.3.6.1.4.1.546.1.1.6.1 0xffff1024 1.3.6.1.4.1.546.6.1.1.2(1,0) \
1.3.6.1.4.1.546.1.1.6.10 0xffff1028 1.3.6.1.4.1.546.15.1.1.1(1,0) \
1.3.6.1.4.1.546.1.1.6.7 0xffff1032 1.3.6.1.4.1.546.5.6.4.1.1(1,0) \
1.3.6.1.4.1.546.1.1.6.9 0xffff1036 1.3.6.1.4.1.546.6.1.1.2(1,0) \
1.3.6.1.4.1.546.1.1.6.11 0xffff1040 1.3.6.1.4.1.546.15.1.1.1(1,0) \
1.3.6.1.4.1.546.1.1.6.12 0xffff1044 1.3.6.1.4.1.546.15.1.1.1(1,0) \
1.3.6.1.4.1.546.1.1.6.13 0xffff1048 1.3.6.1.4.1.546.15.1.1.1(1,0) \
-sh-3.2$ cat EventDisp | grep 0xffff102*
0xffff1060 R Aprisma.EventCondition, "regexp({ VARDATA 3 }, { S \"[Mm]inor|MINOR\" })", "0xffff1061 -:-", "regexp({ VARDATA 3 }, { S \"Service Unavailable\" })", "0xffff1062 -:-", "regexp({ VARDATA 3 }, { S \"[Mm]ajor|MAJOR\" })", "0xffff1062 -:-", "regexp({ VARDATA 3 }, { S \"[Cc]ritical|CRITICAL\" })", "0xffff1063 -:-", "default", "0xffff1061 -:-"
0xffff1020 R Aprisma.EventCondition, "regexp({ VARDATA 18 }, { S \"CLEAR\" })", "0xffff1250 -:-", "regexp({ VARDATA 105 }, { S \"[Ee]vent:|EVENT:\" })", "0xffff1f30 -:-", "regexp({ VARDATA 105 }, { S \"[Mm]inor:|MINOR:\" })", "0xffff1021 -:-", "regexp({ VARDATA 105 }, { S \"[Mm]ajor:|MAJOR:\" })", "0xffff1022 -:-", "regexp({ VARDATA 105 }, { S \"[Cc]ritical:|CRITICAL:\" })", "0xffff1023 -:-", "default", "0xffff1021 -:-"
0xffff1021 E 20 A 1,0xffff1021,17,105
0xffff1022 E 20 A 2,0xffff1022,17,105
0xffff1023 E 20 A 3,0xffff1023,17,105
0xffff1250 E 30 C 0xffff1021,17,105 C 0xffff1022,17,105 C 0xffff1023,17,105
0xffff1024 R Aprisma.EventCondition, "regexp({ VARDATA 1 }, { S \"[Mm]inor:|MINOR:\" })", "0xffff1025 -:-", "regexp({ VARDATA 1 }, { S \"[Mm]ajor:|MAJOR:\" })", "0xffff1026 -:-", "regexp({ VARDATA 1 }, { S \"[Cc]ritical:|CRITICAL:\" })", "0xffff1027 -:-", "default", "0xffff1025 -:-"
0xffff1025 E 20 A 1,0xffff1025,1
0xffff1026 E 20 A 2,0xffff1026,1
0xffff1027 E 20 A 3,0xffff1027,1
0xffff1036 E 30 C 0xffff1025,1 C 0xffff1026,1 C 0xffff1027,1
0xffff1028 R Aprisma.EventCondition, "regexp({ VARDATA 2 }, { S \"[Mm]inor:|MINOR:\" })", "0xffff1029 -:-", "regexp({ VARDATA 2 }, { S \"[Mm]ajor:|MAJOR:\" })", "0xffff1030 -:-", "regexp({ VARDATA 2 }, { S \"[Cc]ritical:|CRITICAL:\" })", "0xffff1031 -:-", "default", "0xffff1029 -:-"
0xffff1029 E 20 A 1,0xffff1029,1
0xffff1030 E 20 A 2,0xffff1030,1
0xffff1031 E 20 A 3,0xffff1031,1
0xffff1040 E 30 C 0xffff1029,1 C 0xffff1030,1 C 0xffff1031,1
0xffff1048 E 30 C 0xffff1029,1 C 0xffff1030,1 C 0xffff1031,1
0xffff1032 R Aprisma.EventCondition, "regexp({ VARDATA 7 }, { S \"[Mm]inor:|MINOR:\" })", "0xffff1033 -:-", "regexp({ VARDATA 7 }, { S \"[Mm]ajor:|MAJOR:\" })", "0xffff1034 -:-", "regexp({ VARDATA 7 }, { S \"[Cc]ritical:|CRITICAL:\" })", "0xffff1035 -:-", "default", "0xffff1033 -:-"
0xffff1033 E 20 A 1,0xffff1033
0xffff1034 E 20 A 2,0xffff1034
0xffff1035 E 20 A 3,0xffff1035
0xffff1044 E 20 A 1,0xffff1044
-sh-3.2$
Some parts out of our notification scripts:
# Fragment of a Spectrum notification script. $CAUSE, $EVENTMSG, $MTYPE and
# $PCAUSESM are set by Spectrum before this part runs.
case $CAUSE in
    ffff1021 | ffff1022 | ffff1023 )
        # sysedge logfile trap: notification severity is the 3rd "~" field
        # after "Monitor Description: "
        SEVDES=`echo "$EVENTMSG" | awk -F "Monitor Description: " '{print $2}' | awk -F "~" '{print $3}'`
        ;;
    *)
        SEVDES=`echo "$EVENTMSG" | awk -F "~" '{print $3}'`
        ;;
esac

case $MTYPE in
    Host_systemEDGE | Host_Device)
        # Alarm text is whatever sits between the two "###" markers, max 400 chars
        EVENTMSG_SYS="`echo "$EVENTMSG" | awk -F "###" '{print $2}' | cut -c 1-400`"
        # In case of the new description with pound signs
        if [ ${#EVENTMSG_SYS} -eq 0 ]
        then
            case $CAUSE in
                ffff1021 | ffff1022 | ffff1023)
                    EVENTMSG_SYS="`echo "$EVENTMSG" | awk -F "Matched Text: " '{print $2}' | awk -F "Monitored File" '{print $1}' | sed 's/\*$//' | cut -c 1-400`" ;;
                ffff1029 | ffff1030 | ffff1031)
                    EVENTMSG_SYS="`echo "$EVENTMSG" | awk -F "monitor description called " '{print $2}' | awk -F "~" '{print $1}' | sed 's/\*$//' | cut -c 1-400`" ;;
                ffff1025 | ffff1026 | ffff1027)
                    EVENTMSG_SYS="`echo "$EVENTMSG" | awk -F "monitor description called " '{print $2}' | awk -F "~" '{print $1}' | sed 's/\*$//' | cut -c 1-400`" ;;
                ffff1033 | ffff1034 | ffff1035)
                    EVENTMSG_SYS="`echo "$EVENTMSG" | awk -F "Monitor Description: " '{print $2}' | awk -F "~" '{print $1}' | sed 's/\*$//' | cut -c 1-400`" ;;
                ffff1063 )
                    EVENTMSG_SYS="`echo "$EVENTMSG" | awk -F "Var7" '{print $2}' | awk -F "Var8" '{print $1}' | tr '\n' ';' | cut -c 1-400`" ;;
            esac
        fi
        if [ ${#EVENTMSG_SYS} -eq 0 ]
        then
            # FAILOVER FOR EMPTY DESCRIPTIONS
            case $CAUSE in
                10f03 | 10f06 | 10009 | 10701 | 10012)
                    EVENTMSG_SYS="`echo "$PCAUSESM" | cut -c 1-400`" ;;
                *)
                    EVENTMSG_SYS="`echo "$EVENTMSG" | cut -c 1-64`" ;;
            esac
        fi
        ;;
esac
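A worked illustration of the pipeline the reply above describes: a syslog line matched against a sysedge "watch logfile" entry, the EventDisp regexp conditions that pick the Spectrum severity, and the notification script's extraction of the "###" summary and the "~group~severity~" trailer. This is an added example, not the poster's code and not part of the thread; the watch table is a constructed subset of the posted sysedge.cf, the sample syslog lines are constructed, and the severity numbers 1/2/3 follow the "E 20 A 1/2/3" lines in the posted EventDisp. It also covers the two cases the script guards against: a description without "###" markers (64-character fallback) and a line no watch entry matches.

```python
import re

# Constructed subset of the posted sysedge.cf "watch logfile" entries:
# (match pattern, trap description). Timestamps are deliberately absent from
# the description so identical events deduplicate in Spectrum.
WATCH_ENTRIES = [
    ("PIX-1-103001", "MINOR: ### PIX no response from mate ### ~CUSTOMER-SERVICE-SUP_GROUP~major~"),
    ("PIX-1-104001", "MINOR: ### PIX failover occurred ### ~0~minor~"),
    ("CDP-4-DUPLEX_MISMATCH", "MINOR: ### duplex mismatch ### ~0~minor~"),
]

# EventDisp conditions from the thread, evaluated in order; first match wins and
# "default" routes to the minor event. Numbers follow the "E 20 A 1/2/3" lines.
SEVERITY_RULES = [
    (re.compile(r"[Mm]inor:|MINOR:"), 1),
    (re.compile(r"[Mm]ajor:|MAJOR:"), 2),
    (re.compile(r"[Cc]ritical:|CRITICAL:"), 3),
]
DEFAULT_SEVERITY = 1


def match_watch(line):
    """Trap description of the first watch entry whose pattern occurs in the syslog line, else None."""
    for pattern, description in WATCH_ENTRIES:
        if re.search(pattern, line):
            return description
    return None


def route_severity(description):
    """Spectrum-side severity for the trap, mirroring the EventDisp regexp conditions."""
    for rule, severity in SEVERITY_RULES:
        if rule.search(description):
            return severity
    return DEFAULT_SEVERITY


def parse_description(description, max_len=400):
    """Mirror the notification script: summary between the '###' markers (awk -F '###' $2,
    cut to 400 chars), group and notification severity from the '~group~severity~' trailer
    (awk -F '~' $2 and $3), and the 64-character fallback used when no summary is found.
    Surrounding whitespace of the summary is stripped here; the awk pipeline keeps it."""
    hash_parts = description.split("###")
    summary = hash_parts[1].strip()[:max_len] if len(hash_parts) >= 3 else ""
    tilde_parts = description.split("~")
    group = tilde_parts[1] if len(tilde_parts) >= 3 else ""
    notify_severity = tilde_parts[2] if len(tilde_parts) >= 3 else ""
    if not summary:
        summary = description[:64]
    return summary, group, notify_severity


def process_line(line):
    """Full path for one syslog line; None when no watch entry matches (no trap is sent)."""
    description = match_watch(line)
    if description is None:
        return None
    summary, group, notify_severity = parse_description(description)
    return {
        "spectrum_severity": route_severity(description),
        "summary": summary,
        "group": group,
        "notify_severity": notify_severity,
    }


if __name__ == "__main__":
    # Constructed sample lines in the style syslog-ng writes for a PIX and a switch
    SAMPLE_LINES = [
        "May  2 17:17:01 fw1 %PIX-1-104001: (Primary) Switching to ACTIVE - mate not responding",
        "May  2 17:17:05 sw1 %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Gi1/0/1",
        "May  2 17:17:09 fw1 %PIX-6-302013: Built inbound TCP connection",
    ]
    for sample in SAMPLE_LINES:
        print(process_line(sample))
```

The separation of the Spectrum severity (from the "MINOR:" prefix) and the notification severity (from the "~" trailer) is what lets the posted setup raise a minor alarm in Spectrum while still paging the group named in the trailer.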
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: woensdag 2 mei 2012 17:17
To: spectrum
Subject: [spectrum] Syslog
All
I have a requirement to feed selected syslog messages (cisco) from my central
syslog server to Spectrum.
I am running a rules based syslog server (syslog_ng) and can easily identify
log messages of interest and save them in a file.
In a past life, I used a CA NSM agent to tail the logfile and generate a
"syslog" trap into Spectrum. I would like to use a CA Sysedge agent this time
around to perform the same function.
Does anyone have a step by step setup document to accomplish this?
Dan Ellsweig
Enterprise Management Systems
Avon Products
1 Avon Plaza
Rye, NY 10580
---
To unsubscribe from spectrum, send email to
[email protected]<mailto:[email protected]> with the body: unsubscribe spectrum