Do Log Analyser Custom Rules for Syslog support capture groups?

I want to capture alerts for SDWAN Syslog for state changes, but I want one alert per peer, rather than one over-arching alert. E.g. the syslog below.

1 2024-03-21T15:21:01+00:00 vsmart1 OMPD 2975 - [meta sequenceId="10218"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.101 peer-new-state:down
1 2024-03-21T15:20:21+00:00 vsmart1 OMPD 2988 - [meta sequenceId="197597"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.199 peer-new-state:up

I want to use a capture group to grab the IP address of the peer. x.x.x.199 and x.x.x.101 so I can have an alert for each of them. The regex is easy enough: peer:(.*)\speer-new-state:down will capture the IP address.

But does SolarWinds retain the data in capture groups in a way that I can use it in an alert definition?

  • Hello BaldFeegle,

    I spotted this post in a quiet moment, and it got me thinking. I think you are correct that the groups are ignored in the native regex capabilities, but then we do have PowerShell to fall back on.

    # Sample syslog lines from the question (peer and system IPs are placeholders)
    $data = @( '1 2024-03-21T15:21:01+00:00 vsmart1 OMPD 2975 - [meta sequenceId="10218"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.101 peer-new-state:down',
               '1 2024-03-21T15:20:21+00:00 vsmart1 OMPD 2988 - [meta sequenceId="197597"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.199 peer-new-state:up'  )
    # Group 1 captures the peer address; only "down" transitions match
    $regex = 'peer:(.*)\speer-new-state:down'

    ForEach ($item in $data)
            {
              # -match populates the automatic $Matches hashtable on success
              $test = $item -match $regex
              if ($test)
                  { Write-Host $Matches[1] }   # the captured peer IP
            }

    The "-match" creates an automatic variable called $matches and in this case the IP is in group [1] of that variable.

    I hope that if you haven't worked this out yourself, that this helps.

    Yaquaholic  

  • In the end we decided we didn't want an alert per peer, but rather an alert when we got 50 events ending "peer-new-state:down" in ten mins because that indicates a major SDWAN problem.

    The powershell script makes sense. Off the top of my head though I don't know how I'd use that powershell to pull the appropriate syslog events out of the DB to trigger on. Something to think about.
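Added example (not code from the thread or from SolarWinds): it extends Yaquaholic's approach with named capture groups so each match yields a structured per-peer event, and then applies the "50 peer-new-state:down events in ten minutes" rule from the follow-up. It assumes the syslog lines have already been retrieved from the log store (the open question in the thread); the sample lines are the constructed ones from the question, with placeholder IPs, and the function names are hypothetical.

```powershell
# Constructed sample: the two Viptela OMP lines from the question (IPs are placeholders)
$sample = @(
  '1 2024-03-21T15:21:01+00:00 vsmart1 OMPD 2975 - [meta sequenceId="10218"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.101 peer-new-state:down',
  '1 2024-03-21T15:20:21+00:00 vsmart1 OMPD 2988 - [meta sequenceId="197597"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.199 peer-new-state:up'
)

# Named groups for timestamp, host, peer and new state; \S+ instead of the greedy .* for the peer field
$pattern = '^\d+\s(?<ts>\S+)\s.*omp-peer-state-change.*host-name:"(?<host>[^"]*)".*peer:(?<peer>\S+)\speer-new-state:(?<state>\S+)'

# Hypothetical helper: turn each matching syslog line into an object (one per peer transition)
function ConvertFrom-OmpPeerEvent {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time  = [datetimeoffset]::Parse($Matches.ts)   # named groups live in $Matches too
                Host  = $Matches.host
                Peer  = $Matches.peer
                State = $Matches.state
            }
        }
    }
}

# Hypothetical helper: $true when at least $Threshold "down" events fall inside any $Window-long span
function Test-OmpDownStorm {
    param([object[]]$Events, [int]$Threshold = 50, [timespan]$Window = [timespan]::FromMinutes(10))
    $downs = @($Events | Where-Object State -eq 'down' | Sort-Object Time)
    for ($i = 0; $i -lt $downs.Count; $i++) {
        $start = $downs[$i].Time
        $end   = $start + $Window
        $inWindow = @($downs | Where-Object { $_.Time -ge $start -and $_.Time -lt $end }).Count
        if ($inWindow -ge $Threshold) { return $true }
    }
    return $false
}

$events = ConvertFrom-OmpPeerEvent -Lines $sample
# Per-peer view: one line (and, in a real rule, one alert) per peer that went down
$events | Where-Object State -eq 'down' | ForEach-Object { "Peer $($_.Peer) on $($_.Host) down at $($_.Time)" }
# Aggregate view: the "major SD-WAN problem" condition from the follow-up post
Test-OmpDownStorm -Events $events -Threshold 50
```

With only the two sample lines the storm check returns $false; feeding it the full set of lines pulled for a ten-minute interval is what makes the threshold meaningful.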