Message Parsing for Newbie
Posted: Mon Feb 13, 2017 10:12 am
Hello,
I am pretty new to the Nagios Log Server, and am trying to learn about filters as method to clean up my logs.
To that end I have some questions that I am hoping you can help me with:
Included is a sample of some of my logs:
I noticed that the Severity Column for all for all of these entries are empty, yet I see them embedded in the message located in a string. For example in the third entry "%SW_MATM-4-MACFLAP_NOTIF:" The severity level seems to be 4. Is it possible with a filter to move that value to the severity field, and how would that be done?
Question 2:
I see that there is a Timestamp in the message as well as a column timestamp. I would think that one is when the message was generated by the device, and the other is when Nagios receives the message. Am I correct? I believe I am more interested in the device's timestamp. Is it possible to overwrite the Timestamp column with the message timestamp? If so how?
Question 3:
The beginning of each message has a <###>. Is there a purpose to that...If not can it be removed?
Thanks in advance
Bill
I am pretty new to the Nagios Log Server, and am trying to learn about filters as method to clean up my logs.
To that end I have some questions that I am hoping you can help me with:
Included is a sample of some of my logs:
Question 1:Timestamp Host Type Message
2017-02-13T09:42:55.524-05:00 #.#.#.# sysloglegacy <166>Feb 13 2017 09:42:55: %ASA-6-302021: Teardown ICMP connection for faddr #.#.#.#/0(LOCAL\lucas) gaddr #.#.#.#/41 laddr #.#.#.#/41
2017-02-13T09:42:54.972-05:00 system1.domain.net sysloglegacy <190>161373: Feb 13 09:42:53 EST5: %HA_EM-6-LOG: Mandatory.go_nondislp.tcl: GOLD EEM TCL policy for TestNonDisruptiveLoopback
2017-02-13T09:42:54.392-05:00 system2.domain.net sysloglegacy <188>130536314: Feb 13 14:42:53.398: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5665.73c2 in vlan 100 is flapping between port Gi2/0/12 and port Gi1/0/12
2017-02-13T09:42:54.328-05:00 10.74.0.4 sysloglegacy <166>Feb 13 2017 09:42:54: %ASA-6-302014: Teardown TCP connection 53243317 for outside:#.#.#.#/56342(LOCAL\achenmaer) to inside:#.#.#.#/445 duration 0:00:15 bytes 8239 TCP Reset-O (lachenmayer)
I noticed that the Severity Column for all for all of these entries are empty, yet I see them embedded in the message located in a string. For example in the third entry "%SW_MATM-4-MACFLAP_NOTIF:" The severity level seems to be 4. Is it possible with a filter to move that value to the severity field, and how would that be done?
Question 2:
I see that there is a Timestamp in the message as well as a column timestamp. I would think that one is when the message was generated by the device, and the other is when Nagios receives the message. Am I correct? I believe I am more interested in the device's timestamp. Is it possible to overwrite the Timestamp column with the message timestamp? If so how?
Question 3:
The beginning of each message has a <###>. Is there a purpose to that...If not can it be removed?
Thanks in advance
Bill