[tkined] Event syslog monitoring extension.

From: John Karsten (john.karsten@home.com)
Date: Sun May 13 2001 - 05:37:44 MET DST


I wrote this so that the event.tcl process can filter on hostnames that
appear within the text of the syslog messages. The script filters on the
process name and pulls the hostname out of the first part of the message
text. To use it, insert the following text into the event.tcl script
starting at line 493. If anyone has any questions or suggestions about it,
let me know.

John

## Process the event contained in line.
##

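proc ev_convert { line } {

    ## Parse one syslog line and hand the fields to a filter procedure.
    ##
    ## Two line layouts are accepted: "host facility.level month day
    ## hh:mm:ss proc" and the BSD form "month day hh:mm:ss host proc"
    ## (facility and level are then empty strings). The text after the
    ## process field is the message; the process field "name[pid]:" is
    ## split into name and pid. The numeric facility and level are
    ## mapped through the sl_facility / sl_level arrays when an entry
    ## exists. Events from process "mon" go to ev_monfilter, all others
    ## to ev_filter. Lines that cannot be parsed are reported through
    ## debug and dropped; nothing is returned.

    global sl_level sl_facility

    # syslog keep-alive markers carry no event

    if {[string match "-- MARK --" $line]} return

    # scan the administrative fields, trying the richer layout first

    set n [scan $line "%s %d.%d %s %d %d:%d:%d %s" \
           host facility level month day hour min sec proc]
    if {$n != 9} {

        set n [scan $line "%s %d %d:%d:%d %s %s" \
               month day hour min sec host proc]
        if {$n != 7} {
            debug "** error parsing event message: $line"
            return
        }
        set facility ""
        set level ""
    }

    # extract the message: everything following the process field

    set i [string first $proc $line]
    if {$i < 0} {
        debug "** $line"
        debug "** can not extract message after $proc"
        # without an offset the message would be cut at a bogus position,
        # so the line is dropped rather than dispatched half-parsed
        return
    }
    incr i [string length $proc]
    set message [string range $line $i end]

    # extract the pid of the proc ("name[pid]:" -> name, pid)

    set proc [string trim $proc "\]:"]
    set pid [lindex [split $proc "\["] 1]
    set proc [lindex [split $proc "\["] 0]

    # convert the date to a clock value (the year is left to clock scan)

    set date [format "%s %2d %2d:%2d:%2d" $month $day $hour $min $sec]
    set clock [clock scan $date]

    # map the facility and level numbers to a readable string

    if {[info exists sl_level($level)]} {
        set level $sl_level($level)
    }

    if {[info exists sl_facility($facility)]} {
        set facility $sl_facility($facility)
    }

    # mon events have their own filter path

    if {$proc == "mon"} {
        ev_monfilter $host $facility $level $clock $proc $pid $message
    } else {
        ev_filter $host $facility $level $clock $proc $pid $message
    }
}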

##
## Filter an incoming mon event against active filters and process
##

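proc ev_monfilter { host facility level clock process pid message } {

    ## Match a mon event against every active filter and report it.
    ##
    ## The arguments are the fields produced by ev_convert. For each id
    ## in filter(ids) with status "active" the host, level, facility,
    ## process and message are tested with regexp -nocase against the
    ## filter's patterns: an "includes" filter must match on every field,
    ## any other match mode drops the event as soon as a non-empty pattern
    ## matches. A reported event is described as
    ## "<date> (facility.level) <alert> <group> <server>", written either
    ## to the global log (report "global") or to the filter's LOG window
    ## (created on demand), and the server's address is flashed on the
    ## map when the filter asks for highlighting. Nothing is returned.

    global filter

# if {$process != "mon"} return

    if {![info exists filter(ids)]} return

    foreach id $filter(ids) {

        if {$filter($id,status) != "active"} continue

        if {$filter($id,match) == "includes"} {
            # every field has to match (an empty pattern matches anything)
            set doit [expr {[regexp -nocase $filter($id,host) $host]
                && [regexp -nocase $filter($id,level) $level]
                && [regexp -nocase $filter($id,facility) $facility]
                && [regexp -nocase $filter($id,process) $process]
                && [regexp -nocase $filter($id,message) $message]} ]
            if {! $doit} continue
        } else {
            # any non-empty pattern that matches excludes the event
            set doit [expr {($filter($id,host) != ""
                         && [regexp -nocase $filter($id,host) $host])
                     || ($filter($id,level) != ""
                         && [regexp -nocase $filter($id,level) $level])
                     || ($filter($id,facility) != ""
                         && [regexp -nocase $filter($id,facility) $facility])
                     || ($filter($id,process) != ""
                         && [regexp -nocase $filter($id,process) $process])
                     || ($filter($id,message) != ""
                         && [regexp -nocase $filter($id,message) $message])} ]
            if {$doit} continue
        }

# process message string

        # The mon message is read as seven whitespace separated words; words
        # 2, 5 and 7 are taken as alert, group and server. The message comes
        # from the network, so a shorter or differently shaped message must
        # not leave these variables unset (which would abort the whole filter
        # loop with an error); they default to "" and the raw text is
        # reported instead.

        set alert ""
        set group ""
        set server ""
        scan $message "%*s %s %*s %*s %s %*s %s" alert group server

# resolve host ip address

        set ip ""
        if {$server != ""} {
            if {[catch {dns address $server} ip]} {
                if {[catch {nslook $server} ip]} {
                    set ip ""
                }
            }
            set ip [lindex $ip 0]
        }
        set date [clock format $clock]

# create a description line for the event

        set descr "$date"
        if {$facility != "" || $level != ""} {
            append descr " ($facility.$level)"
        }
# if {$filter($id,name) != ""} { append descr " ($filter($id,name))" }
        if {$server != ""} {
            append descr " $alert $group $server"
        } else {
            # message did not have the expected shape: show it as-is
            append descr " [string trim $message]"
        }
# if {$ip != ""} { append descr " \[$ip\]" }

# write the event message to display

        if {$filter($id,report) == "global"} {
            writeln "$descr"
        } else {
            # a stale window reference (window closed) is reset before use
            if {$filter($id,window) != ""} {
                if {[ined retrieve $filter($id,window)] == ""} {
                    set filter($id,window) ""
                }
            }
            if {$filter($id,window) == ""} {
                set filter($id,window) [ined create LOG]
                ined -noupdate name $filter($id,window) "$filter($id,name)"
            }
            ined append $filter($id,window) "$descr"
        }

        if {$filter($id,highlight) == "true" && $ip != ""} {
            flash add $ip
        }

        # terminate the entry with a blank line in the same place it was written

        if {$filter($id,report) == "global"} {
            writeln
        } else {
            ined append $filter($id,window) "\n"
        }

    }
}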



