Fixed
Assignee: OpenNMS Bug Mailing List
Reporter: Antonio Russo
Priority: Major
Created July 30, 2009 at 2:36 PM
Updated March 24, 2011 at 9:18 AM
Resolved October 1, 2009 at 2:06 PM
I found that some syslogd messages are also generated even if the non-matching UEIs are going to be discarded.
Here is the configuration:
<?xml version="1.0"?>
<syslogd-configuration>
<configuration
syslog-port="10514"
new-suspect-on-message="false"
forwarding-regexp="^((.+?) (.*))\n?$"
matching-group-host="2"
matching-group-message="3"
discard-uei="DISCARD-MATCHING-MESSAGES"
/>
<!-- Use the following to convert UEI ad-hoc -->
<ueiList>
<!-- Juniper syslog messages -->
<ueiMatch>
<match type="regex" expression="(?s).*EVENT\s+UpDown\s+([A-Za-z0-9/.-])\s+index\s([0-9])\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s->\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+&lt;Broadcast\s+PointToPoint\s+Multicast\s+Localup>.*"/>
<uei>uei.opennms.org/vendor/Juniper/syslog/mcast/ipv4/l3VpnDown</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).*EVENT\s+UpDown\s+([A-Za-z0-9/.-])\s+index\s([0-9])\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s->\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+&lt;Broadcast\s+PointToPoint\s+Multicast>.*"/>
<uei>uei.opennms.org/vendor/Juniper/syslog/mcast/ipv4/l3VpnDown</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).*EVENT\s+UpDown\s+([A-Za-z0-9/.-])\s+index\s([0-9])\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s->\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s+&lt;Up Broadcast\s+PointToPoint\s+Multicast>.*"/>
<uei>uei.opennms.org/vendor/Juniper/syslog/mcast/ipv4/l3VpnUp</uei>
</ueiMatch>
<!-- Cisco syslog messages -->
<ueiMatch>
<match type="regex" expression="(?s).%EARL_L3_ASIC-(.?)-3-INTR_WARN:(.*)$" />
<uei>uei.opennms.org/vendor/cisco/syslog/earlL3AsicInterrupt</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).*%SYS-2-MALLOCFAIL:\s+(Memory\s+allocation\s+of\s+(\d+)\s+bytes\s+failed\s+from\s+((0x)?[0-9A-Fa-f]+)(,\s+pool\s+(.?))?,\s+alignment\s+(\d+)(.?Process\s*=\s*(.?)\s+ipl\s=\s*(\d+),\s*pid\s*=\s*(\d+))?).*" />
<uei>uei.opennms.org/vendor/cisco/syslog/mallocFailed</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).%(.?)(.*?).?-RESTART:\s(.*)" />
<uei>uei.opennms.org/vendor/cisco/syslog/restart</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).%OIR-\d-INSCARD\s:\s*(Card\s+inserted\s+in\s+slot\s+(\d+),\s+subcard\s+(\d+)).*" />
<uei>uei.opennms.org/vendor/cisco/syslog/cardInserted</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).%OIR-\d-INSCARD\s:\s*(Card\s+inserted\s+in\s+slot\s+(\d+),(\s)).*" />
<uei>uei.opennms.org/vendor/cisco/syslog/cardInserted</uei>
</ueiMatch>
<ueiMatch>
<match type="regex" expression="(?s).%SYS-\d-CONFIG_I\s:\s*(Configured\s+from\s+([a-zA-Z])\s+by\s([a-zA-Z])\s+on\s(.*))" />
<uei>uei.opennms.org/vendor/cisco/syslog/configChange</uei>
</ueiMatch>
<!-- Discard with no event any messages that did not match above -->
<ueiMatch>
<match type="regex" expression=".*"/>
<uei>DISCARD-MATCHING-MESSAGES</uei>
</ueiMatch>
</ueiList>
<hideMessage>
<hideMatch>
<match type="substr" expression="SECRET"/>
</hideMatch>
<hideMatch>
<match type="regex" expression=".(double|triple)secret."/>
</hideMatch>
</hideMessage>
</syslogd-configuration>
------------
As you can see, all non-matching events must be discarded.
------------
Well, we have a lot of randomly generated syslogd events:
uei.opennms.org/syslogd/local5/Info
uei.opennms.org/syslogd/local5/Notice
uei.opennms.org/syslogd/local5/Warning