4 Replies Latest reply on Oct 30, 2012 9:54 AM by mr.e

    Using Regex to write to Event Log

    mr.e

      I am very new to Regex and PowerShell.  However, I am trying to figure out how to extract the MessageType from the syslog message and write it to the SolarWinds.Net log.  Unfortunately, I am not having luck, as nothing is writing to the SolarWinds.Net log.  Have any of you attempted to do something like this before?  If so, I would like to hear from you.  Thanks!!!

        • Re: Using Regex to write to Event Log
          michal.hrncirik

          Hi,

          could you please post back what exactly you tried (your current regex & powershell expression)?

          thanks,

          Michal

            • Re: Using Regex to write to Event Log
              mr.e

              Michal,

              A former teammate wrote the PS script shown below, which is the one I am working from.  As you will see, it writes the contents of the hostname and the syslog message onto the SolarWinds.net log while removing the date and machine type. The PS script is fully functional, since we've already checked it out. However, I am trying to tweak it so that it will ONLY write the hostname and the machine type. I know that the start of the Machine Type section begins with a % sign and ends with a : sign.  I know I am missing something since none of the tweaks I've made have worked.

              ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

              # This script creates an event in the SolarWinds log when a syslog message condition triggers the action running this script.
              # The command executed by the alert trigger is:
              # C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe e:\scripts\createsyslogevent.ps1 '${Hostname}' '${Message}'
              param
              (
                [string] $hostname = $(throw "No Hostname supplied"),
                [string] $message = $(throw "No Message supplied")
              )

              # Split returns 3 elements when the pattern matches: "", the captured prefix, and the remainder
              $regex = [regex] '(^.+ %.+?: )' #This regex assumes MessageType present in $message
              $out = $regex.split($message)
              if ($out.length -eq 3)
              {
                write-host "Has MessageType"
                write-host $out[2]
                $description = $hostname + ": " + $out[2]
                write-eventlog -logname SolarWinds.Net -EntryType Error -source AlertingEngine -eventID 6888 -message "$description"
                exit
              }

              $regex1 = [regex] '(^[A-Z][a-z][a-z] \d{1,2} \d\d:\d\d:\d\d 201[1-3] )' #This regex assumes no MessageType, Message starts with date/time and year--we need to test for this pattern first
              $out1 = $regex1.split($message)
              if ($out1.length -eq 3)
              {
                write-host "No MessageType, has year in timestamp"
                write-host $out1[2]
                $description = $hostname + ": " + $out1[2]
                write-eventlog -logname SolarWinds.Net -EntryType Error -source AlertingEngine -eventID 6888 -message "$description"
                exit
              }

              $regex2 = [regex] '(^[A-Z][a-z][a-z] \d{1,2} \d\d:\d\d:\d\d )' #This regex assumes no MessageType, Message starts with date/time and there's no year
              $out2 = $regex2.split($message)
              if ($out2.length -eq 3)
              {
                write-host "No MessageType, no year in timestamp"
                write-host $out2[2]
                $description = $hostname + ": " + $out2[2]
                write-eventlog -logname SolarWinds.Net -EntryType Error -source AlertingEngine -eventID 6888 -message "$description"
                exit
              }

              #$message = [regex]::Replace($message, '(^.+%.+?: )', "");

                • Re: Using Regex to write to Event Log
                  mr.e

                  Michal,

                  After my posting, I tweaked a bit more with the PS script and made a bit of progress.  Basically, I modified the Has MessageType section of the PS script as follows:

                  ______________________________________________________________________________________

                  write-host "Has MessageType"
                  write-host $out[1]          <---  I replaced the 2 with a 1 here
                  $description = $hostname + ": " + $out[1]   <---  I replaced the 2 with a 1 here
                  write-eventlog -logname SolarWinds.Net -EntryType Error -source AlertingEngine -eventID 6888 -message "$description"
                  exit

                  ____________________________________________________________________________________

                  The change shown above removed the text that follows the Message Type section.  However, it did not remove the alphanumeric characters that precede the % sign.  So, while this is an improvement, I cannot use this alert just yet. Removing the alphanumeric characters that precede the % sign would allow us to better tell which alerts are duplicate ones for the specific hostname.  Does this make sense to you?

                  Thanks again.

                  usatlsw1001: 176600: Oct 30 18:05:18 IST: %SCHED-3-STUCKMTMR:

                  1 of 1 people found this helpful
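A worked example, added here and not part of mr.e's script, that isolates only the %TYPE: token (the text between the % and the following :) and builds the "hostname: %TYPE:" description asked for in the two posts above. The first sample message is the one quoted in the thread, the second is constructed, and the function names are my own.

```powershell
# Added example, not from the original script. Function names are assumptions.
function Get-SyslogMessageType {
    param([Parameter(Mandatory)][string] $Message)
    # The poster's rule: the message type starts with '%' and ends with ':'.
    # Capture everything between them that is not whitespace, ':' or another '%'.
    $m = [regex]::Match($Message, '%(?<MessageType>[^\s:%]+):')
    if ($m.Success) { return $m.Groups['MessageType'].Value }
    return $null   # no message type present in this message
}

function New-SyslogEventDescription {
    param(
        [Parameter(Mandatory)][string] $Hostname,
        [Parameter(Mandatory)][string] $Message
    )
    $type = Get-SyslogMessageType -Message $Message
    if ($null -eq $type) {
        # No %TYPE: token: keep the whole message rather than dropping the event
        return "${Hostname}: $Message"
    }
    # Only hostname and message type, so duplicate alerts for one host compare equal
    return "${Hostname}: %${type}:"
}

# First sample is the message quoted in the thread; the second is constructed
$samples = @(
    @{ Hostname = 'usatlsw1001'; Message = 'usatlsw1001: 176600: Oct 30 18:05:18 IST: %SCHED-3-STUCKMTMR: Task is suspended' },
    @{ Hostname = 'usatlsw1002'; Message = 'Oct 30 18:06:02 2012 Link down on GigabitEthernet0/1' }
)

foreach ($s in $samples) {
    $description = New-SyslogEventDescription -Hostname $s.Hostname -Message $s.Message
    Write-Host $description
    # Write-EventLog only succeeds once the source is registered (New-EventLog, run elevated);
    # uncomment to write the event exactly as the original script does.
    # Write-EventLog -LogName SolarWinds.Net -Source AlertingEngine -EntryType Error -EventId 6888 -Message $description
}
```

For the quoted message this yields "usatlsw1001: %SCHED-3-STUCKMTMR:", with the "176600: Oct 30 18:05:18 IST:" prefix gone; the constructed message has no %TYPE: token and falls back to the full text.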
                • Re: Using Regex to write to Event Log
                  mr.e

                  Michal,

                  Please disregard this thread.  The Orion Syslog Engine already has an option that writes the info I wanted to the Application log.  There are some other details, but I can work on those with my teammates.  Thanks again.