sachinsharma

Syslog suppression

Discussion created by sachinsharma on Sep 28, 2010
Latest reply on Sep 29, 2010 by 3859

I have a prospect who is using sysloggtw in their environment to forward all syslog messages to. We're not using logmon to parse through the syslog messages because there's too many variations and the way they have it set up is nice in that the sysloggtw can already see the different severity levels of the syslog messages that come in.

 

Prospect is looking for a way to match a syslog message that contains some wording in the middle of the alarm message and only alarm once in an hour if that alarm keeps matching. Regular suppression from nas won't work because they don't care about the beginning of the alarm message.

 

For example, if this alarm comes in:

 

Sep 27 00:13:37 10.82.0.13 267461: *Aug 26 21:07:25.427 UTC: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/11 (not half duplex), with CACapPit8 GigabitEthernet0 (half duplex).

 

They don't care what comes before the % sign and after the : sign. So in the above message, if they match CDP-4-DUPLEX_MISMATCH, then there should be an alarm raised. But if they see that same message within the hour, ignorning what's in front of the % sign and after the : sign, they don't want to raise an alarm. Does anyone have any ideas on how to accomplish this? LUA script? Is this an outrageous request?

 

This is the regex they gave me for the matching, if it helps:

 

~ m/%(.*):/

 

Thanks,
Sachin

Outcomes