Apologies for what is probably a very basic question, but I'm just starting to play around with this and with regex for the first time.
I have set up sysloggtw and logmon to monitor Cisco switches. I created a number of watcher rules that watch for various expressions and create an alarm on a match. As an example, I have a match expression of *IF_DOWN_LINK_FAILURE* which then sends a "port down" message.
The problem with the above is that it does not say which port has gone down, or even the IP address the alarm originated from, so I would like to use some of the content of the original syslog message to add the IP address and also part of the message, but I am struggling a little.
For example, I have a line in the sysloggtw output text file of:
Jul 11 22:56:541310439414INCOMING: critical 10.38.0.8 : 2011 Jul 08 12:31:00 EST: %PORT-2-IF_DOWN_LINK_FAILURE: %$VSAN 10%$ Interface fc1/24 is down (Link failure)
and I would like to have the IP address as part of the message, and also the text from where it says "Interface" to the end of the line.
I created a watcher rule with a match expression of *is down*, created two variables using source "from" and "to" character positions, and then created a message to send on match incorporating those variables, but so far it does not seem to have worked.
I would appreciate any pointers as to where I am going wrong or a better way to do it please.
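The extraction the post is asking for, as an added example that is not part of the original post and not logmon configuration: a Python script showing the regular expression and named capture groups one would use in place of "from"/"to" character positions, and the message that results. The first sample line is the one quoted above; the second is constructed here (different source address and interface) to show why fixed character positions break: the address length shifts everything after it, while the regex still matches. The pattern, the `parse_link_down`/`build_alarm_message` function names and the message wording are assumptions made for this example.

```python
import re

# Constructed sample lines. The first is the line quoted in the post; the second is
# made up for this example, with a longer IP address and a different interface, so
# that the "Interface ..." text starts at a different character position.
SAMPLE_LINES = [
    "Jul 11 22:56:541310439414INCOMING: critical 10.38.0.8 : 2011 Jul 08 12:31:00 EST: "
    "%PORT-2-IF_DOWN_LINK_FAILURE: %$VSAN 10%$ Interface fc1/24 is down (Link failure)",
    "Jul 11 22:58:011310439500INCOMING: critical 10.38.100.250 : 2011 Jul 08 12:33:00 EST: "
    "%PORT-2-IF_DOWN_LINK_FAILURE: %$VSAN 10%$ Interface fc2/3 is down (Link failure)",
]

# One regex that pulls out both pieces of information in a single match:
#   ip     - the dotted-quad that follows the severity word after "INCOMING:"
#   detail - everything from the word "Interface" to the end of the line
# The IP sub-pattern is deliberately loose (it would accept 999.1.1.1); it is meant
# to locate the address in a line sysloggtw already wrote, not to validate it.
LINK_DOWN_RE = re.compile(
    r"INCOMING:\s+\w+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*:"  # "critical 10.38.0.8 :"
    r".*?%PORT-2-IF_DOWN_LINK_FAILURE:"                        # the Cisco mnemonic
    r".*?(?P<detail>Interface\s.*)$"                           # "Interface fc1/24 is down (...)"
)


def parse_link_down(line):
    """Return {'ip': ..., 'detail': ...} for a link-failure line, or None if it does not match."""
    m = LINK_DOWN_RE.search(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "detail": m.group("detail").rstrip()}


def build_alarm_message(line):
    """Build the alarm text the post wants: the source address plus the interface detail."""
    parsed = parse_link_down(line)
    if parsed is None:
        return None
    return "Port down on %(ip)s: %(detail)s" % parsed


def interface_offset(line):
    """Character position of 'Interface' in the line; shows why fixed positions are unreliable."""
    return line.find("Interface")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("offset of 'Interface':", interface_offset(line))
        print(build_alarm_message(line))
```

Running the script shows the two lines place "Interface" at different offsets even though they are the same message type, which is exactly the situation in which variables defined by character position stop lining up; anchoring on text ("INCOMING:", the mnemonic, the word "Interface") instead of on positions avoids that.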