[INUG-Users] Weird syslogd probe issue

Darren Ward (darrward) darrward at cisco.com
Mon Feb 2 17:25:03 EST 2009


Ok, scenario is that there are common explanations and troubleshooting
recommendations based on the syslog or snmp trap event received.

What I wanted to do was load the journal or trouble ticket with an
explanation of the log or trap and recommended next steps (or even call
an external procedure to get the troubleshooting info).

E.g.
Syslog sees a %VPDN-6-AUTHERR event which means that the LAC/LNS cannot
reach an authentication server. Obviously a VERY big deal for a service
provider so I want to change severity (that's simple) and insert that
explanation into the notes. 
Ideally it should run Remote Ping and RADIUS checks as well and enter
those into the notes so that the NOC has everything for them saving them
heaps of time for resolving issues.

If I can save the customer(s) 10 minutes of common troubleshooting per
event then that adds up to a large amount of hours per month/year.

Anyway, I'm thinking the probe can do the severity, assign to a
group/category.

The question is should I create an 'on insert' trigger to run a rather
complex script that checks the message info then enters the data into
the journal or should the help desk software do it (or should the
trigger push the info to the help desk ticket?)

Darren

-----Original Message-----
From: users-bounces at netcoolusers.org
[mailto:users-bounces at netcoolusers.org] On Behalf Of Don Wildman
Sent: Tuesday, 3 February 2009 7:44 AM
To: users at netcoolusers.org
Subject: Re: [INUG-Users] Weird syslogd probe issue

I confirmed that you cannot write a journal from the probe.  You can do
so from a trigger but need to take care of the potential impact on
performance depending on the frequency that you would do this. 

Your question does not specify what the business requirement is that you
are looking to solve with a journal entry so I cannot comment on what
the alternative solution might be.


Don Wildman
World Wide Product Manager ** Event Management ** +44 207 021 8144
 

users-bounces at netcoolusers.org wrote on 02/02/2009 19:19:31:

> Re: [INUG-Users] Weird syslogd probe issue
> From: Darren Ward (darrward)
> To: users
> Date: 02/02/2009 19:21
> Please respond to users
> 
> So you'd see this requirement as being fulfilled in the help desk
> software instead based on passed information?
> 
> Darren 
> 
> -----Original Message-----
> From: users-bounces at netcoolusers.org
> [mailto:users-bounces at netcoolusers.org] On Behalf Of Don Wildman
> Sent: Monday, 2 February 2009 8:28 PM
> To: users at netcoolusers.org
> Subject: Re: [INUG-Users] Weird syslogd probe issue
> 
> No it is not possible. You will need to investigate use of a trigger for
> journal population.  I would suggest that you use event fields for probe
> data, updating a journal based on insert/reinsert is likely to have a
> severe impact on event throughput.  Journals are designed more for audit
> of Operator and Tool action.
> 
> -hth-
> Don Wildman
> World Wide Product Manager ** Event Management ** +44 207 021 8144
> 
> 
> users-bounces at netcoolusers.org wrote on 02/02/2009 02:03:36:
> 
> > Re: [INUG-Users] Weird syslogd probe issue
> > From: Darren Ward (darrward)
> > To: users
> > Date: 02/02/2009 02:05
> > Please respond to users
> > 
> > I actually managed to sort this out but have another problem where I
> > want to populate the Journal from the probe.
> > 
> > Is this possible?
> > 
> > After I get the journal addition working then I'll post my
> syslogd.rules
> > file for all to see.
> > 
> > Darren 
> > 
> > -----Original Message-----
> > From: users-bounces at netcoolusers.org
> > [mailto:users-bounces at netcoolusers.org] On Behalf Of Kristian Appiah
> > Endresen
> > Sent: Monday, 2 February 2009 5:50 AM
> > To: users at netcoolusers.org
> > Subject: Re: [INUG-Users] Weird syslogd probe issue
> > 
> > I don't use the syslog probe and am not familiar with Cisco device
> > management, but the following line:
> > 
> > >else if(regmatch($Token5, "^%"))
> > 
> > looks like it should be
> > 
> > else if(regmatch($Token5, "^%.*"))
> > 
> > to match your input.  Otherwise it should only match the exact string
> > "%" followed by nothing else.  I think the nmatch function checks to see
> > if the first characters match, but haven't used this in a long time...
> > check the documentation, it might be that
> > 
> > else if(nmatch($Token5, "%"))
> > 
> > would also work (and possibly faster)
> > 
> > Don't really understand what you mean by "node appears as the
> > timestamp"....
> > 
> > Kristian
> > 
> > 
> > 
> > > Date: Sat, 31 Jan 2009 08:37:30 +0800
> > > From: "Darren Ward (darrward)" <darrward at cisco.com>
> > > Subject: [INUG-Users] Weird syslogd probe issue
> > > To: <users at netcoolusers.org>
> > > Message-ID: <619049E87C9243449FEA17D003C77E8E04B990C8 at xmb-hkg-418.apac.cisco.com>
> > > Content-Type: text/plain;       charset="us-ascii"
> > >
> > >
> > > Hi Guys,
> > >
> > > Here's one that has me a bit stumped....
> > >
> > > I've taken a raw capture from syslogd to see why the Agent for the
> > > logging is not showing up as Cisco and get the following raw info,
> > > note Token5 has the line that starts with the % which is specific to
> > > Cisco and what syslogd uses to determine the syslog came from a Cisco
> > > device.
> > >
> > > RemoteHostInfo = "(203.193.198.3) 203.193.198.3 54974"
> > > ArrivalTime = "Jan 31 00:25:37"
> > > Time = "1233321941"
> > > Raw = "4603836: Jan 31 00:25:36: %VPDN-6-CLOSED: L2TP LNS
> > > lns.bct.com.au closed Vi2.182 user Launkitchen1 at iice.net.au; Result 2,
> > > Error 6, Locally generated disconnect"
> > > EventCount = "1"
> > > Token1 = "4603836:"
> > > Token2 = "Jan"
> > > Token3 = "31"
> > > Token4 = "00:25:36:"
> > > Token5 = "%VPDN-6-CLOSED:"
> > > Token6 = "L2TP"
> > > Token7 = "LNS"
> > > Token8 = "lns.bct.com.au"
> > > Token9 = "closed"
> > > Priority = "190"
> > > Severity = "6"
> > > Details = "L2TP LNS lns.bct.com.au closed Vi2.182 user
> > > Launkitchen1 at iice.net.au; Result 2 Error 6 Locally generated
> > > disconnect"
> > > Token10 = "Vi2.182"
> > > Token11 = "user"
> > > Token12 = "Launkitchen1 at iice.net.au;"
> > > Token13 = "Result"
> > > Token14 = "2"
> > > Token15 = "Error"
> > > Token16 = "6"
> > > Token17 = "Locally"
> > > Token18 = "generated"
> > > Token19 = "disconnect"
> > >
> > > Now in the default syslogd.rules Cisco matches % in Token6 or Token9,
> > > it can match Token5 but only if it's numerical as per the following
> > > rules:
> > >
> > >  else if(regmatch($Token5, "[0-9]+:") AND regmatch($Token6, ".*-.*-.*:"))
> > >  {
> > >  $agent = "Cisco"
> > >  @AlertKey = extract($Token5, "(.*):")
> > >  }
> > >  else if(regmatch($Token6, "^%"))
> > >  {
> > >  $agent = "CiscoIP"
> > >  }
> > >  else if(regmatch($Token9, "^%"))
> > >  {
> > >  $agent = "Cisco"
> > >  }
> > >  else
> > >  {
> > >  $agent = $Token5
> > >  }
> > >
> > > So along that thinking since Token5 contains the % sign starting the
> > > line I should just add in the middle the following and all should be
> > > good:
> > >
> > >  else if(regmatch($Token5, "^%"))
> > >  {
> > >  $agent = "Cisco"
> > >  }
> > >
> > > No such luck :(
> > >
> > > It still falls through to the final else statement and takes the
> > > first word as the Agent which of course then matches nothing in the
> > > action section of the rules file to allow us to discard the entries.
> > >
> > > So as an example for the raw file above the fallthrough default
> > > Agent = VPDN (note not %VPDN... could be significant?)
> > >
> > > The last thing is that the node appears as the timestamp like the 
> > > offset is wrong or something.... that's in the AEL that is.
> > >
> > > Darren
> > 
> > _______________________________________________
> > Sent by the netcoolusers.org "users" mailing list
> > Post: users at netcoolusers.org
> > Unsubscribe: users-unsubscribe at netcoolusers.org
> > Search: http://netcoolusers.org/Search
> > 
> 
> 
> 
> 
> 
> 
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
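The agent-detection cascade quoted in the original report, re-implemented in Python over the captured tokens so the branch logic can be checked offline before touching a live probe. This is an added example, not Netcool code or anything posted in the thread; it assumes regmatch() behaves like an unanchored regex search (Python's re.search) and that the probe tokenizes on whitespace the way the capture shows.

```python
import re

# Constructed from the Raw line in the probe capture quoted above
# (the address is left as the list archive rendered it).
RAW = ("4603836: Jan 31 00:25:36: %VPDN-6-CLOSED: L2TP LNS lns.bct.com.au "
       "closed Vi2.182 user Launkitchen1 at iice.net.au; Result 2, Error 6, "
       "Locally generated disconnect")
# Constructed variant: the sequence number lands in Token5 and the mnemonic
# in Token6, the layout the default rules are written for.
RAW_SHIFTED = "Jan 31 00:25:36 lns.bct.com.au 4603836: %VPDN-6-CLOSED: L2TP LNS closed"

def tokenize(raw):
    """Split on whitespace into Token1..TokenN, matching the capture."""
    return {f"Token{i}": t for i, t in enumerate(raw.split(), start=1)}

def regmatch(value, pattern):
    """Assumed model of the rules-file regmatch(): an unanchored search."""
    return re.search(pattern, value) is not None

def classify_agent(tok, token5_check=False):
    """Default syslogd.rules cascade from the thread; token5_check adds the
    '^%' branch on Token5 that the poster inserted in the middle of it."""
    t5, t6, t9 = (tok.get(k, "") for k in ("Token5", "Token6", "Token9"))
    if regmatch(t5, "[0-9]+:") and regmatch(t6, ".*-.*-.*:"):
        return "Cisco"  # the default rules also set @AlertKey from Token5 here
    if regmatch(t6, "^%"):
        return "CiscoIP"
    if token5_check and regmatch(t5, "^%"):
        return "Cisco"
    if regmatch(t9, "^%"):
        return "Cisco"
    return t5  # fallthrough: the first word of the message becomes the Agent

def patterns_agree(value, patterns=("^%", "^%.*")):
    """Under an unanchored search the two patterns discussed in the thread
    accept exactly the same strings, so swapping one for the other changes nothing."""
    return len({regmatch(value, p) for p in patterns}) == 1

if __name__ == "__main__":
    for raw in (RAW, RAW_SHIFTED):
        tok = tokenize(raw)
        print(tok["Token5"], "->", classify_agent(tok), "/",
              classify_agent(tok, token5_check=True))
```

If a live probe reports a different Agent than this model does for the same Raw line, the difference comes from something outside the quoted excerpt (a different tokenization or an earlier rule), which is worth checking before the rules themselves.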