
Do Log Analyser Custom Rules for Syslog support capture groups?

I want to capture alerts for SDWAN Syslog for state changes, but I want one alert per peer, rather than one over-arching alert. E.g. the syslog below.

1 2024-03-21T15:21:01+00:00 vsmart1 OMPD 2975 - [meta sequenceId="10218"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.101 peer-new-state:down
1 2024-03-21T15:20:21+00:00 vsmart1 OMPD 2988 - [meta sequenceId="197597"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.199 peer-new-state:up

I want to use a capture group to grab the IP address of the peer, x.x.x.199 and x.x.x.101, so I can have an alert for each of them. The regex is easy enough: peer:(.*)\speer-new-state:down will capture the IP address.

But does SolarWinds retain the data in capture groups in a way that I can use it in an alert definition?

  • Hello BaldFeegle,

    I spotted this post in a quiet moment, and it got me thinking. I think you are correct that the groups are ignored in the native regex capabilities, but then we do have PowerShell to fall back on.

    # The two sample syslog lines from the question
    $data = @(
        '1 2024-03-21T15:21:01+00:00 vsmart1 OMPD 2975 - [meta sequenceId="10218"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.101 peer-new-state:down',
        '1 2024-03-21T15:20:21+00:00 vsmart1 OMPD 2988 - [meta sequenceId="197597"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.199 peer-new-state:up'
    )
    # Group 1 captures the peer IP; only "down" transitions match
    $regex = 'peer:(.*)\speer-new-state:down'

    ForEach ($item in $data) {
        # -match returns $true on success and fills the automatic $Matches hashtable
        if ($item -match $regex) {
            Write-Host $Matches[1]
        }
    }

    The "-match" creates an automatic variable called $Matches, and in this case the IP is in group [1] of that variable.

    I hope that, if you haven't worked this out yourself, this helps.

    Yaquaholic  

  • In the end we decided we didn't want an alert per peer, but rather an alert when we got 50 events ending "peer-new-state:down" in ten mins because that indicates a major SDWAN problem.

    The PowerShell script makes sense. Off the top of my head though I don't know how I'd use that PowerShell to pull the appropriate syslog events out of the DB to trigger on. Something to think about.
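The two approaches discussed in this thread, one alert key per peer from a capture group and a "50 down events in ten minutes" storm alert, worked through as an added example. This is not code from the thread, from SolarWinds or from Yaquaholic, and it is written in Python rather than PowerShell so it can be run anywhere; the function names, the named-group regex, the sliding-window reading of the threshold and the storm and quiet datasets are all assumptions made here. The first two input lines are the ones quoted in the question; the rest are constructed in the same shape.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Named capture groups for the fields the thread needs: the RFC 5424 header
# timestamp, the reporting host, the OMP peer and its new state.
PEER_STATE_RE = re.compile(
    r'^\d+\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+OMPD\s+.*?omp-peer-state-change'
    r'.*?peer:(?P<peer>\S+)\s+peer-new-state:(?P<state>\S+)'
)


def parse_peer_event(line):
    """Return {'ts', 'host', 'peer', 'state'} for an OMP peer-state line, else None."""
    m = PEER_STATE_RE.search(line)
    if not m:
        return None
    return {
        'ts': datetime.fromisoformat(m.group('ts')),
        'host': m.group('host'),
        'peer': m.group('peer'),
        'state': m.group('state'),
    }


def peers_down(lines):
    """One alert key per peer: map peer IP -> timestamps at which it went down."""
    down = defaultdict(list)
    for line in lines:
        ev = parse_peer_event(line)
        if ev and ev['state'] == 'down':
            down[ev['peer']].append(ev['ts'])
    return dict(down)


def storm_alerts(lines, threshold=50, window=timedelta(minutes=10)):
    """Fire once when `threshold` down events fall inside a trailing `window`.

    Returns the timestamps at which an alert fires. The alert re-arms only
    after the windowed count drops below the threshold, so a sustained
    storm produces one alert rather than one per event.
    """
    downs = sorted(ev['ts'] for ev in map(parse_peer_event, lines)
                   if ev and ev['state'] == 'down')
    recent, alerts, armed = deque(), [], True
    for ts in downs:
        recent.append(ts)
        while ts - recent[0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if armed:
                alerts.append(ts)
                armed = False
        else:
            armed = True
    return alerts


def make_line(ts, peer, state, seq):
    """Build a constructed syslog line in the same shape as the thread's examples."""
    return (f'1 {ts.isoformat()} vsmart1 OMPD 2975 - [meta sequenceId="{seq}"] '
            f'%Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change '
            f'severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" '
            f'peer:{peer} peer-new-state:{state}')


# The two lines quoted in the question.
THREAD_LINES = [
    '1 2024-03-21T15:21:01+00:00 vsmart1 OMPD 2975 - [meta sequenceId="10218"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.101 peer-new-state:down',
    '1 2024-03-21T15:20:21+00:00 vsmart1 OMPD 2988 - [meta sequenceId="197597"] %Viptela-vsmart1-ompd-5-NTCE-1400002: Notification: omp-peer-state-change severity-level:major host-name:"vsmart1" system-ip:n.n.n.n tenant-name:"" peer:x.x.x.199 peer-new-state:up',
]

T0 = datetime(2024, 3, 21, 16, 0, 0, tzinfo=timezone.utc)
# Constructed storm: 60 peers go down five seconds apart, well inside ten minutes.
STORM_LINES = [make_line(T0 + timedelta(seconds=5 * i), f'x.x.x.{i + 1}', 'down', 1000 + i)
               for i in range(60)]
# Constructed quiet period: 60 peers go down one hour apart, never 50 in a window.
QUIET_LINES = [make_line(T0 + timedelta(hours=i), f'x.x.x.{i + 1}', 'down', 2000 + i)
               for i in range(60)]

if __name__ == '__main__':
    print(peers_down(THREAD_LINES))    # per-peer view: only x.x.x.101 went down
    print(storm_alerts(STORM_LINES))   # one alert, at the 50th down event
    print(storm_alerts(QUIET_LINES))   # no alert
```

The per-peer dictionary is what a capture group buys you: its keys are the alert identities, so the same regex drives one alert per peer. The storm detector is the counting rule from the last reply expressed as a sliding window over parsed timestamps instead of over whatever time bucket the alerting tool happens to use, which avoids missing a burst that straddles a bucket boundary.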