arunkyamaji

Hi, I am having trouble with the syslog FlexAgent parser and I do not understand what's wrong in it; events are not acting according to that parser. Please suggest any changes. The subagent file is in flexagent/syslog.

<188>20915: Apr 13 08:52:31.137 MDT: %PLATFORM_STACKPOWER-4-UNBALANCED_PS: Switch 3's power stack has unbalanced power supplies

<187>735: *Apr 18 15:11:39.590 CST: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up

<189>736: *Apr 18 15:11:40.596 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up

<187>2532: Apr 13 10:52:31 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/24, changed state to down

<185>1089104: Apr 13 10:52:30.190 EDT: %EARL-SW2_STBY-1-EXCESSIVE_PARITY_ERROR: EARL 0: Parity error detected in VRAM

<187>194957: Apr 13 10:52:31.207 EDT: %LINK-3-UPDOWN: Interface FastEthernet0/22, changed state to up

<189>194958: Apr 13 10:52:32.209 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, changed state to up

<189>45525: Apr 13 07:52:31 PDT: %MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernet0/0, late collision error

<187>2385490: Apr 13 07:52:31.618 PDT: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi3/0/40: Power Controller reports Short detected

<189>1050311: *Aug  8 17:53:10.314 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/13, changed state to up

# FlexAgent Regex Configuration File

do.unparsed.events=true

regex=\: (\\d+ \\S+\\s+\\d+ \\d\\d\:\\d\\d\:\\d\\d) \\w+\: %(ACLLOG)\\-(\\d+)\\-(ACLLOG_FLOW_INTERVAL)\: (.*)

token.count=5

token[0].name=Device_Receipt_Time
token[0].type=TimeStamp
token[0].format=yyyy MMM dd HH\:mm\:ss
token[1].name=Facility
token[1].type=String
token[2].name=Level
token[2].type=String
token[3].name=INT_Code
token[3].type=String
token[4].name=Message
token[4].type=String

submessage.messageid.token=Level
submessage.token=Message

event.deviceVendor=__getVendor("Cisco")
event.deviceCustomString3Label=__stringConstant("CiscoCode")
event.name=__stringConstant("ACL Rule Trigger")
event.deviceCustomString5=__concatenate(Facility,"-",Level,"-",INT_Code)
event.deviceEventClassId=__concatenate(Facility,"\:",INT_Code)
event.deviceCustomString2Label=__stringConstant("CiscoFacility")
event.deviceCustomString1Label=__stringConstant("Source Interface")
event.deviceCustomString5Label=__stringConstant("CiscoAlertCode")
event.deviceReceiptTime=Device_Receipt_Time
event.deviceCustomString3=INT_Code
event.deviceCustomString2=Facility
event.deviceProduct=__stringConstant("NX-OS")
event.deviceCustomNumber1Label=__stringConstant("Hit Count")

event.deviceSeverity=_SYSLOG_PRIORITY
severity.map.veryhigh.if.deviceSeverity=emerg,alert
severity.map.high.if.deviceSeverity=crit,err
severity.map.medium.if.deviceSeverity=warning,notice
severity.map.low.if.deviceSeverity=info
severity.map.verylow.if.deviceSeverity=debug

#l10n.filename.prefix=

submessage.count=1
submessage[0].messageid=3
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=Src IP\: (\\d+\\.\\d+\\.\\d+\\.\\d+), Dst IP\: (\\d+\\.\\d+\\.\\d+\\.\\d+), Src Port\: (\\d+), Dst Port\: (\\d+), Src Intf\: (\\S+), Protocol\: "(\\w+)"\\(\\d+\\), Hit\\-count \= (\\d+)
submessage[0].pattern[0].fields=event.sourceAddress,event.destinationAddress,event.sourcePort,event.destinationPort,event.deviceCustomString1,event.applicationProtocol,event.deviceCustomNumber1

arunkumar kyamaji
Tobias Sundman

Re: HI, I am having trouble with syslog flexagent parser and i do not understand whats wrong in it events are not acting to that parser. please suggest any changes and subagent file is in flexagent/syslog.

Some things to consider:

1. The syslog header is in fact broken, so the syslog pre-parser (handled by the Connector before the parser file kicks in) might pass unexpected data to the actual parser file. I suggest turning on raw events to see what the events look like when they are handled by the parser.

2. All escaped characters must be double-escaped; in your regex the colon should be escaped twice as well.

3. Your second and fourth matching groups are too specific; they will never match the logs you have provided.

If you provide us the raw events produced by the connector, we can help you further with the regex.

//Tobias
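As an added example, not code from the thread or from the ArcSight connector, the Python script below checks point 3 concretely: it strips the properties-file escaping from the original regex= value, shows that it matches none of the sample events, and then runs a generalized header regex (an assumption about the IOS format, built from the samples) that captures facility, level and mnemonic from all of them. It assumes the whole raw line reaches the parser; per point 1, the connector's pre-parser may remove part of the header first, so the real input should be confirmed with raw events.

```python
import re

# Constructed subset of the Cisco IOS sample events quoted in the question above.
SAMPLE_EVENTS = [
    "<188>20915: Apr 13 08:52:31.137 MDT: %PLATFORM_STACKPOWER-4-UNBALANCED_PS: Switch 3's power stack has unbalanced power supplies",
    "<187>735: *Apr 18 15:11:39.590 CST: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up",
    "<185>1089104: Apr 13 10:52:30.190 EDT: %EARL-SW2_STBY-1-EXCESSIVE_PARITY_ERROR: EARL 0: Parity error detected in VRAM",
    "<187>2532: Apr 13 10:52:31 EDT: %LINK-3-UPDOWN: Interface FastEthernet3/0/24, changed state to down",
    "<189>1050311: *Aug  8 17:53:10.314 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/13, changed state to up",
]

# The regex= value exactly as written in the properties file in the question.
ORIGINAL_PROPERTY = r"\: (\\d+ \\S+\\s+\\d+ \\d\\d\:\\d\\d\:\\d\\d) \\w+\: %(ACLLOG)\\-(\\d+)\\-(ACLLOG_FLOW_INTERVAL)\: (.*)"

# Generalized header regex (an assumption built from the samples, not the thread's answer):
# sequence number, optional '*' (clock not synchronized), timestamp with optional milliseconds,
# timezone, then %FACILITY-LEVEL-MNEMONIC: message. The facility itself may contain '-'
# (EARL-SW2_STBY), so [\w-]+ is used and backtracking finds the trailing -<digit>-<mnemonic>: split.
IOS_HEADER_REGEX = (
    r"^<\d+>(\d+): \*?(\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)? (\w+): "
    r"%([\w-]+)-(\d)-(\w+): (.*)$"
)
FIELDS = ("seq", "timestamp", "tz", "facility", "level", "mnemonic", "message")

def unescape_property(value: str) -> str:
    """Undo the Java .properties escaping layer: '\\\\' -> '\\' and '\\:' -> ':'."""
    return re.sub(r"\\(.)", r"\1", value)

def to_property_value(regex: str) -> str:
    """Double every backslash so the regex survives the .properties layer intact.
    Colons are left alone here; apply the connector's own escaping rules on top."""
    return regex.replace("\\", "\\\\")

def count_matches(regex: str, events) -> int:
    """Number of events the (already unescaped) regex matches."""
    rx = re.compile(regex)
    return sum(1 for event in events if rx.search(event))

def parse_ios_syslog(line: str):
    """Return the header fields as a dict, or None when the line does not fit the format."""
    m = re.match(IOS_HEADER_REGEX, line)
    return dict(zip(FIELDS, m.groups())) if m else None

if __name__ == "__main__":
    print("original regex matches:", count_matches(unescape_property(ORIGINAL_PROPERTY), SAMPLE_EVENTS))
    print("generalized regex matches:", count_matches(IOS_HEADER_REGEX, SAMPLE_EVENTS))
    print("properties form:", to_property_value(IOS_HEADER_REGEX))
    for event in SAMPLE_EVENTS:
        print(parse_ios_syslog(event))
```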
cmihuti1

Re: HI, I am having trouble with syslog flexagent parser and i do not understand whats wrong in it events are not acting to that parser. please suggest any changes and subagent file is in flexagent/syslog.

This may be useful.

FrankV1

Re: HI, I am having trouble with syslog flexagent parser and i do not understand whats wrong in it events are not acting to that parser. please suggest any changes and subagent file is in flexagent/syslog.

Indeed, it doesn't look like a proper syslog header, which could be the cause of your problems.

Best to use the regex tool that comes with the connector to test the parser file. That way you can see exactly what part of the header gets chopped off before the event is passed to the flex parser.
