I had a similar problem. After reading a few other threads, here is what I ended up doing:
1. First I enabled debug messages and raw logging for zensyslog:

Management -> Settings -> Daemons (Edit Config for zensyslog)

I used these parameters. The first logs the original syslog message in its entirety (pre-processed), and the second I believe enables debugging messages.

Code:
    #PARAMETER VALUE
    logorig 1
    logseverity 10

I saved these and restarted zensyslog, then I could 'view log' for zensyslog and get more detail.

2. From the logs I could then see the regex statements that were being used:

Code:
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: ^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: %CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: %(?P<eventClassKey>(?P<component>\S+)-\d-\S+): (?P<summary>.*)
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: ^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: (?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)
    2008-10-21 12:32:11 DEBUG zen.Syslog: tag regex: (?P<component>\S+): (?P<summary>.*)

3. I compared those statements to my raw syslog messages and I could see then why I wasn't getting a regex match based on the regex patterns listed.

4. In my case I was able to reformat the syslog message from this:

Code:
    Parameter Type Violation on server.domain.com from xxx.xxx.xxx.xxx

To this:

Code:
    MYCOMPONENTNAME: Parameter Type Violation on server.domain.com from xxx.xxx.xxx.xxx

That allowed the parser to match the last very basic regex pattern and that gave me the component name, which gave me the eventclasskey, which allowed me to add an event mapping.

Things that break or mess with this:

1. Not putting a space after the colon
2. Line feeds in the event message

In my case I was fortunate that the sending device allowed me to modify the syslog message text. In cases where that cannot be modified, I would think that the next step is to modify the file:

$ZENHOME/Products/ZenEvents/SyslogProcessing.py

to add a new regex, but that's deep waters for me since I'm relatively new to zenoss/python/zope so maybe someone could provide details for this.

It would be nice if at some point the preparse regex statements could be managed and added at the UI. My concern with adding it to code is that either a) I'll forget about it or b) it will get overwritten in a future build. That way the community can contribute message formats in the future to expand the current default set.

Hope that helps....

Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=26631#26631
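
As an added example (not part of the original post and not Zenoss code), this Python replays the tag regexes from the debug log above against the poster's messages to show which pattern matches and which fields come out. It assumes the patterns are compiled without flags and tried in order with the first match winning; `parse_tag`, `TAG_REGEXES` and the sample messages are constructed for illustration.

```python
import re

# The seven "tag regex" patterns copied from the zensyslog debug log above.
TAG_REGEXES = [
    r"^(?P<component>.+)\[(?P<ntseverity>\D+)\] (?P<ntevid>\d+) (?P<summary>.*)",
    r"%CARD-\S+:(SLOT\d+) %(?P<eventClassKey>\S+): (?P<summary>.*)",
    r"%(?P<eventClassKey>(?P<component>\S+)-\d-\S+): (?P<summary>.*)",
    r"^(?P<ipAddress>\S+)\s+(?P<summary>(?P<eventClassKey>CisACS_\d\d_\S+)\s+(?P<eventKey>\S+)\s.*)",
    r"device_id=\S+\s+\[\S+\](?P<eventClassKey>\S+\d+):\s+(?P<summary>.*)\s+"
    r"\((?P<originalTime>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\)",
    r"(?P<component>\S+)\[(?P<pid>\d+)\]:\s*(?P<summary>.*)",
    r"(?P<component>\S+): (?P<summary>.*)",
]
# Assumption: compiled with no flags, so "." does not match a line feed.
COMPILED = [re.compile(p) for p in TAG_REGEXES]


def parse_tag(msg):
    """Return (pattern_index, fields) for the first pattern that matches,
    or (None, {}) when nothing matches (assumed first-match-wins order)."""
    for index, regex in enumerate(COMPILED):
        m = regex.search(msg)
        if m:
            return index, m.groupdict()
    return None, {}


# Constructed samples built from the message text quoted in the post.
BODY = "Parameter Type Violation on server.domain.com from xxx.xxx.xxx.xxx"
SAMPLES = {
    "original": BODY,                            # no "name: " prefix at all
    "prefixed": "MYCOMPONENTNAME: " + BODY,      # the reformatted message
    "no space": "MYCOMPONENTNAME:" + BODY,       # colon without a space
    "line feed": "MYCOMPONENTNAME: Parameter Type Violation\non server.domain.com",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        index, fields = parse_tag(msg)
        print(f"{label:10} pattern={index} fields={fields}")
```

Under these assumptions the message with an embedded line feed still matches the last pattern, but its summary stops at the line feed, so the rest of the event text is lost.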
