hazard1yard

Logmon Watcher Rules and variables

Discussion created by hazard1yard on Jul 12, 2011
Latest reply on Aug 1, 2011 by geir.haugom

Apologies for what is probably a very basic question but just starting to play around with this and regex for the first time.


I have set up sysloggtw and logmon to monitor Cisco switches. I created a number of watcher rules that watch for various expressions and create an alarm on the match. As an example I have a match expression of *IF_DOWN_LINK_FAILURE* which will then send a port down message.


The problem with the above is that it does not detail which port has gone down or even the IP address of where the alarm originated, so I would like to use some of the content of the original syslog message to add the IP address and also part of the message, but I am struggling a little.


For example, I have a line in the sysloggtw output text file of:


Jul 11 22:56:541310439414INCOMING: critical 10.38.0.8 : 2011 Jul 08 12:31:00 EST: %PORT-2-IF_DOWN_LINK_FAILURE: %$VSAN 10%$ Interface fc1/24 is down (Link failure)


and I would like to have the IP address as part of the message and also from where it says "Interface" to end of line in the message.


I created a watcher rule with a match expression of *is down* and created two variables using source from and to using character positions, and then created a message to send on match incorporating those variables, but so far it does not seem to have worked.


I would appreciate any pointers as to where I am going wrong or a better way to do it please.

Thank you
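As an added example (not from the original poster or from the logmon product), here is the capture the question is after, written as a Python regex rather than in logmon's variable syntax: the named groups `ip` and `detail` pull the source address after `INCOMING:` and everything from `Interface` to end of line out of the sample line quoted above, which is the same pair of values the two watcher variables are meant to hold. Field names and the alarm message wording are assumptions for illustration.

```python
import re

# Constructed sample: the line quoted in the question, not a live capture.
SAMPLE = (
    "Jul 11 22:56:541310439414INCOMING: critical 10.38.0.8 : "
    "2011 Jul 08 12:31:00 EST: %PORT-2-IF_DOWN_LINK_FAILURE: "
    "%$VSAN 10%$ Interface fc1/24 is down (Link failure)"
)

# One pattern instead of fixed character positions: the IP sits right after
# "INCOMING: <severity>", and the detail text starts at "Interface".  Character
# offsets break as soon as the timestamp or hostname length changes; anchoring
# on the fixed tokens does not.
LINE_RE = re.compile(
    r"INCOMING:\s+(?P<severity>\S+)\s+"          # e.g. "critical"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*"     # originating switch address
    r".*?%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):"  # e.g. PORT-2-IF_DOWN_LINK_FAILURE
    r".*?(?P<detail>Interface\s.*)$"              # "Interface ..." to end of line
)


def parse_port_event(line):
    """Return the captured fields as a dict, or None if the line does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None


def build_alarm_message(line):
    """Compose the enriched alarm text the watcher rule should send (assumed wording)."""
    fields = parse_port_event(line)
    if fields is None:
        return None
    return f"Port down on {fields['ip']}: {fields['detail']}"


if __name__ == "__main__":
    print(parse_port_event(SAMPLE))
    print(build_alarm_message(SAMPLE))
```

The `detail` group deliberately runs to end of line so that a longer reason text, for example a different link failure cause, is still carried into the alarm without editing the rule.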
