Module: check_mk
Branch: master
Commit: e3e6ec1700f90d9b0777de2e5f6c56976e2db756
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e3e6ec1700f90d…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Apr 8 09:36:23 2013 +0200
FIX: Syslog server is now able to parse RFC 5424 syslog messages
---
ChangeLog | 4 ++-
mkeventd/bin/mkeventd | 57 +++++++++++++++++++++++++++++++++---------------
2 files changed, 42 insertions(+), 19 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 75cbff4..c5c5e3e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -94,7 +94,6 @@
Checks & Agents:
* FIX: blade_bx_load: remove invalid WATO group
-
Notifications:
* FIX: Removing GRAPH_CODE in html mails when not available
* Using plugin argument 1 for path to pnp4nagios index php to render graphs
@@ -107,6 +106,9 @@
* FIX: Fix several cases where WATO rule analyser did not hilite all matching rules
* Added tcp port parameter to SSL certificate check (Thanks to Marcel Schulte)
+ Event Console:
+ * FIX: Syslog server is now able to parse RFC 5424 syslog messages
+
1.2.2b7:
Checks & Agents:
* FIX: postfix_mailq: fix labels in WATO rule, set correct default levels
diff --git a/mkeventd/bin/mkeventd b/mkeventd/bin/mkeventd
index 5f6b6e8..5e3049c 100755
--- a/mkeventd/bin/mkeventd
+++ b/mkeventd/bin/mkeventd
@@ -1432,6 +1432,25 @@ class EventServer:
if "set_contact" in rule and "contact" not in event:
event["contact"] = replace_groups(rule["set_contact"],
event.get("contact", ""), groups)
+ def parse_syslog_info(self, line):
+ event = {}
+ # Replaced ":" by ": " here to make tags with ":"
possible. This
+ # is needed to process logs generated by windows agent logfiles
+ # like "c://test.log".
+ tag, message = line.split(": ", 1)
+ event["text"] = message.strip()
+
+ if '[' in tag:
+ app, pid = tag.split('[', 1)
+ pid = pid.rstrip(']')
+ else:
+ app = tag
+ pid = 0
+
+ event["application"] = app
+ event["pid"] = pid
+ return event
+
def parse_monitoring_info(self, line):
event = {}
# line starts with '@'
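Review bot: parse_syslog_info has no docstring, and since it is now called from two places (this hunk and the Variant 1/2 path in the last hunk) the input form it expects should be stated; a docstring such as `"""Split a 'tag[pid]: message' syslog body into application, pid and text."""` followed by a line noting that a body without the `': '` separator raises ValueError from the split would do. It is also worth recording, or normalising, that `pid` is a string when the tag carries brackets but the integer 0 otherwise, since consumers of `event["pid"]` see both types.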
@@ -1460,7 +1479,7 @@ class EventServer:
# Variant 1: plain syslog message without priority/facility:
# May 26 13:45:01 Klapprechner CRON[8046]: message....
- # Variant 2: syslog message including facility (RFC 3360)
+ # Variant 2: syslog message including facility (RFC 3164)
# <78>May 26 13:45:01 Klapprechner CRON[8046]: message....
# Variant 3: local Nagios alert posted by mkevent -n
@@ -1469,7 +1488,14 @@ class EventServer:
# Variant 4: remote Nagios alert posted by mkevent -n -> syslog
# <154>Jul 9 17:28:32 Klapprechner @1341847712;5;Contact Info; MyHost
My Service: CRIT - This che
- # Variant 2,3,4
+ # Variant 5: syslog message (RFC 5424)
+ # Timestamp is RFC3339 with additional restrictions:
+ # - The "T" and "Z" characters in this syntax MUST be
upper case.
+ # - Usage of the "T" character is REQUIRED.
+ # - Leap seconds MUST NOT be used.
+ # <166>2013-04-05T13:49:31.685Z esx Vpxa: message....
+
+ # Variant 2,3,4,5
if line.startswith('<'):
i = line.find('>')
prio = int(line[1:i])
@@ -1486,6 +1512,15 @@ class EventServer:
if line.startswith("@"):
event.update(self.parse_monitoring_info(line))
+ # Variant 5
+ elif len(line) > 24 and line[10] == 'T':
+ # There is no 3339 parsing built into python. We do ignore subseconds and
timezones
+ # here. This is seems to be ok for the moment - sorry. Please drop a note
if you
+ # got a good solutuion for this.
+ rfc3339_part, event['host'], line = line.split(' ', 2)
+ event['time'] = time.mktime(time.strptime(rfc3339_part[:19],
'%Y-%m-%dT%H:%M:%S'))
+ event.update(self.parse_syslog_info(line))
+
# Variant 1,2,4
else:
month_name, day, timeofday, host, rest = line.split(None, 4)
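Review bot: The Variant 5 branch discards the timezone of the RFC 5424 timestamp: `rfc3339_part[:19]` keeps only the wall-clock part and `time.mktime` then interprets it as local time, so the `Z` (UTC) stamp in the comment's own example ends up shifted by the server's UTC offset, and a `+HH:MM`/`-HH:MM` suffix is ignored the same way. The `len(line) > 24 and line[10] == 'T'` test also only matches the version-less form shown in the comment; a message that carries the RFC 5424 VERSION field (`1 2013-04-05T…` after the priority is stripped) would have the `T` at index 12 and fall through to the Variant 1 path below. A fix that honours `Z` and numeric offsets needs `calendar.timegm` (any `calendar` import lives outside this hunk) and is sketched below; a malformed offset raises ValueError just as `time.strptime` already does, so it reaches whatever handler encloses this code — the enclosing method starts and ends outside the hunk.
```python
            # Variant 5
            elif len(line) > 24 and line[10] == 'T':
                rfc3339_part, event['host'], line = line.split(' ', 2)
                # Wall-clock part at second resolution; subseconds are dropped.
                stamp = time.strptime(rfc3339_part[:19], '%Y-%m-%dT%H:%M:%S')
                # Whatever follows the optional fraction: 'Z', '+HH:MM', '-HH:MM' or nothing.
                zone = rfc3339_part[19:].lstrip('0123456789.')
                if zone == 'Z':
                    event['time'] = calendar.timegm(stamp)
                elif zone[:1] in ('+', '-'):
                    offset = int(zone[1:3]) * 3600 + int(zone[4:6]) * 60
                    sign = 1 if zone[0] == '+' else -1
                    event['time'] = calendar.timegm(stamp) - sign * offset
                else:
                    # No zone given: keep the previous local-time interpretation.
                    event['time'] = time.mktime(stamp)
                event.update(self.parse_syslog_info(line))
```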
@@ -1497,25 +1532,11 @@ class EventServer:
# Variant 1, 2
else:
- # Replaced ":" by ": " here to make tags with
":" possible. This
- # is needed to process logs generated by windows agent logfiles
- # like "c://test.log".
- tag, message = rest.split(": ", 1)
- event["text"] = message.strip()
-
- if '[' in tag:
- app, pid = tag.split('[', 1)
- pid = pid.rstrip(']')
- else:
- app = tag
- pid = 0
-
- event["application"] = app
- event["pid"] = pid
+ event.update(self.parse_syslog_info(rest))
month = EventServer.month_names[month_name]
day = int(day)
-
+
# Nasty: the year is not contained in the message. We cannot simply
# assume that the message if from the current year.
lt = time.localtime()