1 Reply Latest reply on Jul 25, 2019 12:45 PM by kstone

    Syslog with Logic?


      I'm hoping one of the SolarWinds products can do what I'm looking for.  I need something that can parse daily log file (.log) and look for the following lines:

      08:49:15.416 ( 7528:11056) U-PE: 20000018 Hook:  1(OffHook)

      09:26:41.618 ( 7528: 7820) U-PE: 2000017A State: 12(Established)

      13:22:02.283 ( 7528:11056) U-PE: 20000156 Hook:  0(OnHook)


      The first part is just standard time style formating.
      The second part is always 5 numbers or 4 with a leading space, a colon, and 5 more numbers or 4 with a leading space.
      The U-PE: is the event and the 8 alphanumeric ID that comes after that is uniquely bound to a user.  So, for the example above, that is actually the events from three different users.

      What I hope can be done, is find every time there is a U-PE: OffHook event that does NOT have an Established U-PE: before the U-PE OnHook event, and report the time between the OffHook and OnHook event.

      As for the 8 character User ID, there are about two or three hundred, but they are all unique.

        • Re: Syslog with Logic?

          I can't speak to other Solarwinds tools but Kiwi syslog cannot do this with the built in actions and filters only. However, you could do this in Kiwi with some scripting added to the mix to do this in real time.  Otherwise writing them all to a log then parsing the log with the tool of your choice on a schedule(daily, hourly) could be done. That just depends on your reporting and alerting needs.


          We do something similar for backup tape drive status that needs information from 2 separate device logs to match the detail.


          Event comes in with 'U-PE', this is matched with a filter, then there is an action that runs a script.


          The script would do several things.


          First would be to parse the message into fields and look for the OnHook event in the message.  Two split actions would be needed, one using ':' as the delimiter, then a ' ' to split the item with the user ID.  If it is an onhook event you could manage state for those two ways.  Write it to a data dictionary(in memory array) or write to a file. 


          My preference is a file since they are maintained in the event of the Kiwi service restarting or a server reboot.  Each UserID would get a separate file(for example "20000156-onhook.txt").


          When an 'Established' event occurs, the script will catch that and another file would be written("20000156-established.txt").


          When the 'OffHook' event occurs, the script will catch that then read the directory for the OnHook and Established files, gets the file creation times and does the calculations.  If the 'Established' file doesn't existing it generates some additional action(s) like email, writes to a log, etc. Then the files are deleted.


          Variations of this could be to have a rule that matches each event state(OnHook, Established, OffHook) and has a script that does each portion of the steps above.  It's more rules but more simple scripts.  You could also add the timestamp to the filename.  This would make getting the file creation time unnecessary and only need to read the filename.