I wrote this so that the event.tcl process can filter on host names that appear within the text of the syslog messages. The script filters on process name and pulls the host name out of the first part of the message text. To use it, insert the following text (the ev_convert and ev_monfilter procedures) into the event.tcl script starting at line 493. Note that the host name and process name are taken from the syslog text itself, so they are whatever the sender put there and can be forged by anyone able to send syslog records; do not treat a filter match on them as proof of where a message came from. If anyone has any questions or suggestions about it, let me know.
John
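## Process the event contained in line.
##
## line is one raw syslog record as received by the event process.
## Two layouts are recognised:
##   "host facility.level month day hh:mm:ss proc[pid]: text"
##   "month day hh:mm:ss host proc[pid]: text"
## The second layout takes the host name from the text of the message
## (that is what this version of the script adds). Every field, host
## and proc included, is supplied by the sender of the record and has
## not been verified: a forged datagram can claim any host or process
## name, so filters keyed on these fields are not authentication.
## Records that cannot be parsed are reported through debug and
## dropped. Nothing is returned; the parsed event is handed to
## ev_monfilter (process "mon") or ev_filter (everything else).
##
proc ev_convert { line } {
    global sl_level sl_facility

    # "-- MARK --" heartbeat records carry no event
    if {[string match "-- MARK --" $line]} return

    # scan the administrative fields; try the long layout first
    set n [scan $line "%s %d.%d %s %d %d:%d:%d %s" \
            host facility level month day hour min sec proc]
    if {$n != 9} {
        set n [scan $line "%s %d %d:%d:%d %s %s" \
                month day hour min sec host proc]
        if {$n != 7} {
            debug "** error parsing event message: $line"
            return
        }
        set facility ""
        set level ""
    }

    # extract the message: everything after the "proc[pid]:" token.
    # The original fell through here with i == -1 and took the message
    # from the wrong offset; drop the record instead.
    set i [string first $proc $line]
    if {$i < 0} {
        debug "** $line"
        debug "** can not extract message after $proc"
        return
    }
    incr i [string length $proc]
    set message [string range $line $i end]

    # split "proc[pid]:" into the process name and its pid
    set proc [string trim $proc "\]:"]
    set pid [lindex [split $proc "\["] 1]
    set proc [lindex [split $proc "\["] 0]

    # convert the date to a gmt clock value. clock scan raises an error
    # on a date it cannot understand, and the sender controls these
    # fields, so catch it here rather than let a bad record abort the
    # whole event handler.
    set date [format "%s %2d %2d:%2d:%2d" $month $day $hour $min $sec]
    if {[catch {clock scan $date} clock]} {
        debug "** error parsing date in event message: $line"
        return
    }

    # map the facility and level numbers to a readable string
    if {[info exists sl_level($level)]} {
        set level $sl_level($level)
    }
    if {[info exists sl_facility($facility)]} {
        set facility $sl_facility($facility)
    }

    if {$proc == "mon"} {
        ev_monfilter $host $facility $level $clock $proc $pid $message
    } else {
        ev_filter $host $facility $level $clock $proc $pid $message
    }
}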
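##
## Filter an incoming mon event against active filters and process
##
## Called by ev_convert for records whose process name is "mon". The
## message text is expected to look like
##   "<word> <alert> <word> <word> <group> <word> <server> ..."
## i.e. the 2nd, 5th and 7th whitespace separated words are used as the
## alert, the group and the server name. All of them, like host,
## facility, level and process, come straight from the syslog record
## and are untrusted: in particular the server name is handed to the
## resolver (dns, then nslook) and whatever address comes back is what
## gets flashed on the map. filter($id,host) etc. are regular
## expressions taken from the filter configuration; an empty pattern
## matches everything, and a dot in a host pattern is a wildcard.
## Output goes to the global log (writeln) or to the filter's own
## LOG window, which is created on demand. Nothing is returned.
##
proc ev_monfilter { host facility level clock process pid message } {
    global filter

    if {![info exists filter(ids)]} return

    foreach id $filter(ids) {
        if {$filter($id,status) != "active"} continue

        # "includes": every pattern has to match; otherwise the filter
        # excludes the event as soon as one non-empty pattern matches
        if {$filter($id,match) == "includes"} {
            set doit [expr {[regexp -nocase $filter($id,host) $host]
                && [regexp -nocase $filter($id,level) $level]
                && [regexp -nocase $filter($id,facility) $facility]
                && [regexp -nocase $filter($id,process) $process]
                && [regexp -nocase $filter($id,message) $message]} ]
            if {! $doit} continue
        } else {
            set doit [expr {($filter($id,host) != ""
                && [regexp -nocase $filter($id,host) $host])
                || ($filter($id,level) != ""
                && [regexp -nocase $filter($id,level) $level])
                || ($filter($id,facility) != ""
                && [regexp -nocase $filter($id,facility) $facility])
                || ($filter($id,process) != ""
                && [regexp -nocase $filter($id,process) $process])
                || ($filter($id,message) != ""
                && [regexp -nocase $filter($id,message) $message])} ]
            if {$doit} continue
        }

        # process message string. scan leaves alert/group/server unset
        # when the message is too short, which made the append below
        # fail with "no such variable"; skip such records instead.
        if {[scan $message "%*s %s %*s %*s %s %*s %s" \
                alert group server] != 3} {
            debug "** can not extract mon alert/group/server from: $message"
            continue
        }

        # resolve host ip address; the name is sender-supplied, so a
        # resolver failure is expected and simply leaves ip empty
        if {[catch {dns address $server} ip]} {
            if {[catch {nslook $server} ip]} {
                set ip ""
            }
        }
        set ip [lindex $ip 0]

        # create a description line for the event
        set descr [clock format $clock]
        if {$facility != "" || $level != ""} {
            append descr " ($facility.$level)"
        }
        append descr " $alert $group $server"

        # write the event message to display, followed by a blank line
        if {$filter($id,report) == "global"} {
            writeln "$descr"
        } else {
            # forget a window the user has already closed
            if {$filter($id,window) != ""} {
                if {[ined retrieve $filter($id,window)] == ""} {
                    set filter($id,window) ""
                }
            }
            if {$filter($id,window) == ""} {
                set filter($id,window) [ined create LOG]
                ined -noupdate name $filter($id,window) "$filter($id,name)"
            }
            ined append $filter($id,window) "$descr"
        }
        if {$filter($id,highlight) == "true" && $ip != ""} {
            flash add $ip
        }
        if {$filter($id,report) == "global"} {
            writeln
        } else {
            ined append $filter($id,window) "\n"
        }
    }
}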