The Syslog collector is a Python application that collects log messages generated by devices and applications within a network. Syslog itself is widely used in network management and monitoring to track and troubleshoot system events. The collector runs in one of two modes:
- Query mode: the Syslog collector establishes an SSH connection to the network agent or syslog server and tails the log file. Each incoming log line is processed on the fly and published as an event in VMware Telco Cloud Service Assurance.
- Listen mode: the Syslog collector starts a UDP server exposed through a NodePort and receives Syslog messages from multiple devices on the network. Each device pushes its Syslog messages to the configured logging server (the Syslog collector) via the exposed VMware Telco Cloud Service Assurance NodePort. Because UDP syslog carries no sender authentication, restrict which source addresses can reach that NodePort (network policy or firewall) so that forged messages cannot create or clear events.
The examples below use a Cisco IOS-style message, whose general form and a sample instance are:

```text
Timestamp: %Facility-Severity-Mnemonic: Message Text
Feb 14 12:02:38: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
```
Regular Expressions (regex)
A regular expression (commonly referred to as regex) is a sequence of characters that specifies a search pattern in text.
Each event attribute is populated by one regex (or one helper method) applied to the incoming message; the value is the first capture group. Against the sample message above, the regexes behave as follows:

| Regex | Attribute | Description |
|---|---|---|
| `.*%(.*?)-.*` | Class Name | Extracts the facility between `%` and the first `-`: LINK. |
| `$set_on_match(".*", AVAILABILITY)` | Category | `.*` matches every message, so the category is always AVAILABILITY. |
| `.*-(\w+):.*` | Event Name, Event Text | Extracts the mnemonic, the word between the last `-` and the following `:`: CHANGED. |
| `.*:\s*([^,]+)` | Instance Name | Extracts the text after the last `:` up to the first comma: Interface FastEthernet0/1. |
| `.*-(\d+)-.*` | Severity | Extracts the numeric severity between the two hyphens: 5 (Notice on the syslog severity scale, which the collector maps to Normal). |
| `$set_on_match(".*:\s*(.*\bup\b.*)$","INACTIVE",".*:\s*(.*\benabled\b.*)$","INACTIVE",".*-(UPLINK):.*","INACTIVE",".*:\s*(.*Failed.*)$","ACTIVE")` | EventState | Syntax: `$set_on_match("regex1", "value1", "regex2", "value2", ...)`. Each regex/value pair is an argument; the pairs are checked in order against the incoming message until one regex matches, and that pair's value is used. If none matches, the default EventState is used. In this example `.*:\s*(.*\bup\b.*)$` sets INACTIVE when the message text contains the word "up", and `.*:\s*(.*Failed.*)$` sets ACTIVE when it contains "Failed". Setting EventState to INACTIVE on "up"/"enabled" messages is how the matching Events are cleared. |
| `$transform_date("DD-MM-YYYYTHH:mm:SS.FZ")` | Timestamp | `$transform_date("input_date_format")` extracts the timestamp from the syslog message and converts it to epoch time. The format string must follow the field order of the incoming timestamp; the example below is year-first, so its format would begin with YYYY-MM-DD. Example syslog: `2024-06-13T10:32:50.52Z %VIRTIO-3-INIT_FAIL: Failed to initialize device, PCI 0/6/0/1002 , device is disabled, not supported`. Add the regex and the input date format to the Timestamp field of the Syslog collector. As per RFC 5424, VMware Telco Cloud Service Assurance supports timestamps in the default format. |
A single regex can also extract a field and filter on its value at the same time (for ClassName, EventName and InstanceName): write the capture group as a literal or an alternation of literals, so that only messages whose value is in that list match and all others yield no value.
For example, `.*-(UPLINK):.*` (used in the EventState row above) produces a value only when the mnemonic is UPLINK.
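The following Python is an added example, not VMware's collector code: it applies the attribute regexes from the table to the two sample messages on the page, reimplements the described semantics of `$set_on_match` (first matching regex/value pair wins, otherwise the default) and `$transform_date` (timestamp to epoch seconds), and shows an extract-and-filter regex for ClassName. The mapping of the page's date tokens (YYYY, MM, DD, HH, mm, SS, F) to `strptime` directives is a hypothetical assumption; the collector's real token grammar is not documented on this page. Both messages are constructed copies of the page's examples.

```python
import re
from datetime import datetime, timezone

# Constructed sample messages (the two formats quoted on the page).
MSG_LINK = ("Feb 14 12:02:38: %LINK-5-CHANGED: Interface FastEthernet0/1, "
            "changed state to administratively down")
MSG_VIRTIO = ("2024-06-13T10:32:50.52Z %VIRTIO-3-INIT_FAIL: Failed to initialize "
              "device, PCI 0/6/0/1002 , device is disabled, not supported")

# RFC 5424 severity names, indexed by the numeric code.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Hypothetical mapping of the page's date tokens to strptime directives
# (assumption: the collector's real token grammar is not given on the page).
_DATE_TOKENS = {"YYYY": "%Y", "MM": "%m", "DD": "%d", "HH": "%H",
                "mm": "%M", "SS": "%S", "F": "%f"}


def extract(pattern, message, default=None):
    """Single-regex attribute field: the value is capture group 1, else default."""
    m = re.match(pattern, message)  # the page's regexes start with .* so match() suffices
    return m.group(1) if m else default


def set_on_match(message, *pairs, default="ACTIVE"):
    """$set_on_match("re1","v1","re2","v2",...): first regex that matches decides."""
    if len(pairs) % 2:
        raise ValueError("arguments must be regex/value pairs")
    for pattern, value in zip(pairs[::2], pairs[1::2]):
        if re.match(pattern, message):
            return value
    return default


def transform_date(fmt, message):
    """$transform_date(fmt): parse the leading timestamp, return epoch seconds (UTC).
    Returns None when the timestamp does not fit fmt (e.g. wrong field order)."""
    strp = re.sub("|".join(_DATE_TOKENS), lambda m: _DATE_TOKENS[m.group()], fmt)
    stamp = message.split(" %", 1)[0]  # everything before the "%Facility" field
    try:
        dt = datetime.strptime(stamp, strp)
    except ValueError:
        return None
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_event(message):
    """Apply the page's attribute regexes to one message."""
    severity = int(extract(r".*-(\d+)-.*", message, "-1"))
    return {
        "ClassName": extract(r".*%(.*?)-.*", message),
        "Category": set_on_match(message, ".*", "AVAILABILITY"),
        "EventName": extract(r".*-(\w+):.*", message),
        "InstanceName": extract(r".*:\s*([^,]+)", message),
        "Severity": severity,
        "SeverityName": SEVERITY_NAMES[severity] if 0 <= severity <= 7 else None,
        "EventState": set_on_match(
            message,
            r".*:\s*(.*\bup\b.*)$", "INACTIVE",
            r".*:\s*(.*\benabled\b.*)$", "INACTIVE",
            r".*-(UPLINK):.*", "INACTIVE",
            r".*:\s*(.*Failed.*)$", "ACTIVE",
            default="ACTIVE"),
    }


def class_name_filtered(message, allowed):
    """Extract-and-filter in one regex: the capture group is an alternation of the
    allowed class names, so any other class yields None and the message is dropped."""
    pattern = r".*%(" + "|".join(re.escape(a) for a in allowed) + r")-.*"
    return extract(pattern, message)


if __name__ == "__main__":
    for msg in (MSG_LINK, MSG_VIRTIO):
        print(parse_event(msg))
    print(transform_date("YYYY-MM-DDTHH:mm:SS.FZ", MSG_VIRTIO))  # epoch seconds
    print(transform_date("DD-MM-YYYYTHH:mm:SS.FZ", MSG_VIRTIO))  # None: wrong field order
    print(class_name_filtered(MSG_VIRTIO, ("LINK",)))            # None: filtered out
```

Note that the page's sample "administratively down" message matches none of the EventState regexes and therefore takes the default (ACTIVE), and that a format string whose field order does not match the message makes `transform_date` fail rather than silently produce a wrong epoch value.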