Check_MK Werk 7085: Fixed parsing of special syslog messages which don't contain a host name

ID: 7085 Title: Fixed parsing of special syslog messages which don't contain a host name Component: Event Console Level: 1 Class: Bug fix Version: 1.6.0i1 The Event Console is now able to process syslog messages that don't contain the host name field. An example for such a message is this one: C+: Feb 13 08:41:07 pfsp: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET</tt> C-: In previous versions messages like this resulted in log messages like this in the event console log (var/log/mkeventd.log): C+: 2019-02-13 09:41:07,338 [40] [cmk.mkeventd.EventServer] Got non-syslog message "Feb 13 08:41:07 pfsp: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET" (need more than 1 value to unpack) Traceback (most recent call last): File "/omd/sites/ggmcmpp1/lib/python/cmk/ec/main.py", line 2916, in create_event_from_line event.update(self.parse_syslog_info(rest)) File "/omd/sites/ggmcmpp1/lib/python/cmk/ec/main.py", line 2667, in parse_syslog_info tag, message = line.split(": ", 1) ValueError: need more than 1 value to unpack 2019-02-13 09:41:07,338 [20] [cmk.mkeventd.EventServer] Parsed message: application: core_host: facility: 1 host: host_in_downtime: False ipaddress: 1.23.45.67 pid: 0 priority: 0 text: Feb 13 08:41:07 pfsp: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41 :02 CET time: 1550047267.34 C-: A fallback event was created that had no syslog fields set and contained the whole unparsed syslog message in the text field. If you have EC rules matching on this fallback event, you will have to change these rules to match the parsed event fields. Now that the parsing has been added, events created by such a syslog message now have the fields set as follows for our example: C+: application: pfsp core_host: facility: 1 host: 127.0.0.1 host_in_downtime: False ipaddress: 127.0.0.1' pid: 0 priority: 5 text: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET time: 1550043667.0 C-: Please note that the EC uses the sender IP addresse of the syslog message to populate the host field.