Madden, Joe
2017-07-18 15:11:18 UTC
Hi All,
We use a lot of syslog messages which we match on process-match and severity.
These configurations worked on v19 but not v20. We did update to 20.0.1 to fix the syslogd-configuration.xml re-ordering but the matches which worked before, no longer work.
Please see an example syslog message (below and attached as an image):
<14>Jul 18 14:31:51 HAL HAL_ASE[-]: Logstash is running ok 18/07/2017 14:31:51.25
Our syslog configuration is like so:
<?xml version="1.0"?>
<syslogd-configuration>
<configuration
syslog-port="10514"
new-suspect-on-message="false"
parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
forwarding-regexp="^.*\s(19|20)\d\d([-/.])(0[1-9]|1[012])\2(0[1-9]|[12][0-9]|3[01])(\s+)(\S+)(\s)(\S.+)"
matching-group-host="6"
matching-group-message="8"
discard-uei="DISCARD-MATCHING-MESSAGES"
/>
<import-file>syslog/Custom.syslog.xml</import-file>
<import-file>syslog/ApacheHTTPD.syslog.xml</import-file>
<import-file>syslog/LinuxKernel.syslog.xml</import-file>
<import-file>syslog/NetgearProsafeSmartSwitch.syslog.xml</import-file>
<import-file>syslog/OpenSSH.syslog.xml</import-file>
<import-file>syslog/OpenWrt.syslog.xml</import-file>
<import-file>syslog/Procmail.syslog.xml</import-file>
<import-file>syslog/Postfix.syslog.xml</import-file>
<import-file>syslog/Sudo.syslog.xml</import-file>
</syslogd-configuration>
File: syslog/Custom.syslog.xml
<syslogd-configuration-group>
<ueiList>
<ueiMatch>
<process-match expression="^HAL_ASE$" />
<match type="regex" expression="^((.+?) (.*))\r?\n?$"/>
<uei>mottmac.com/syslog/Logstash/informational</uei>
<severity>Info</severity>
</ueiMatch>
</ueiList>
</syslogd-configuration-group>
Any ideas why these would no longer match?
Thanks
Joe
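The two posted files describe two layers of matching: the forwarding-regexp with its host/message groups, then the ueiMatch's process-match and match expressions. The Python below, added here as a worked example (it is not code from the post, and it is not OpenNMS's own parser), re-implements those two layers so the expressions can be checked against the sample line offline. The BSD-style split of `<PRI>Mon DD HH:MM:SS host proc[pid]: msg`, the helper names and the second sample line are assumptions made for the exercise. One thing it makes visible: the forwarding-regexp requires a year-first date (`2017-07-18`), so it cannot match the posted line, whose date is day-first (`18/07/2017`); the process-match and match expressions, on the other hand, do hold once the line is split BSD-style into process `HAL_ASE` and the text after the colon.

```python
import re
from typing import Optional

# Constructed sample inputs: the first is the line quoted in the post; the
# second is made up for this example, with a year-first date so that the
# forwarding-regexp is able to match it.
SAMPLE_POSTED = "<14>Jul 18 14:31:51 HAL HAL_ASE[-]: Logstash is running ok 18/07/2017 14:31:51.25"
SAMPLE_YEAR_FIRST = "<14>Jul 18 14:31:51 HAL HAL_ASE[-]: 2017-07-18 HAL Logstash is running ok"

# Copied from the posted syslogd-configuration.xml <configuration> element.
FORWARDING_REGEXP = re.compile(
    r"^.*\s(19|20)\d\d([-/.])(0[1-9]|1[012])\2(0[1-9]|[12][0-9]|3[01])(\s+)(\S+)(\s)(\S.+)"
)
MATCHING_GROUP_HOST = 6
MATCHING_GROUP_MESSAGE = 8

# Copied from the posted Custom.syslog.xml ueiMatch.
PROCESS_MATCH = re.compile(r"^HAL_ASE$")
MESSAGE_MATCH = re.compile(r"^((.+?) (.*))\r?\n?$")
UEI = "mottmac.com/syslog/Logstash/informational"
EVENT_SEVERITY = "Info"

# Assumed shape of a plain BSD-style line: <PRI>Mon DD HH:MM:SS host proc[pid]: msg
# This is the fallback used for this exercise, not OpenNMS's own parser.
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>[^\]]*)\])?:\s*"
    r"(?P<message>.*)$"
)
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def forwarding_groups(line: str) -> Optional[dict]:
    """Apply the forwarding-regexp the way Java's Matcher.matches() would
    (whole-string match) and pull out the configured host/message groups."""
    m = FORWARDING_REGEXP.fullmatch(line)
    if m is None:
        return None
    return {"host": m.group(MATCHING_GROUP_HOST), "message": m.group(MATCHING_GROUP_MESSAGE)}


def parse_bsd(line: str) -> dict:
    """Split a BSD-style line into PRI (facility/severity), host, process, pid, message."""
    m = BSD_LINE.match(line)
    if m is None:
        raise ValueError(f"not a BSD-style syslog line: {line!r}")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,                    # <14> -> facility 1 (user)
        "severity": SYSLOG_SEVERITIES[pri & 7],  # <14> -> severity 6 (info)
        "host": m.group("host"),
        "process": m.group("process"),
        "pid": m.group("pid"),
        "message": m.group("message"),
    }


def evaluate_uei_match(process: Optional[str], message: str) -> Optional[dict]:
    """The posted ueiMatch: process-match and match must both hold for the
    rule to fire; returns the event it would produce, else None."""
    if process is None or PROCESS_MATCH.search(process) is None:
        return None
    if MESSAGE_MATCH.search(message) is None:
        return None
    return {"uei": UEI, "severity": EVENT_SEVERITY}


def classify(line: str) -> dict:
    """Run one line through both layers and report what each layer saw."""
    fields = parse_bsd(line)
    fwd = forwarding_groups(line)
    return {
        **fields,
        "forwarding_regexp_matched": fwd is not None,
        "forwarding_groups": fwd,
        "event": evaluate_uei_match(fields["process"], fields["message"]),
    }


if __name__ == "__main__":
    for line in (SAMPLE_POSTED, SAMPLE_YEAR_FIRST):
        result = classify(line)
        print(line)
        for key in ("forwarding_regexp_matched", "forwarding_groups",
                    "process", "pid", "message", "event"):
            print(f"  {key}: {result[key]}")
```

The useful comparison is between what this script extracts as `process` and `message` for the posted line and what the OpenNMS 20 event actually carries in its parameters: if the two differ (for instance if the process name arrives with the `[-]` still attached, or the message text starts somewhere other than after the colon), the anchored `^HAL_ASE$` and `^((.+?) (.*))` expressions will fail even though nothing in the XML changed.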