Configure syslog match

The <syslog-match> section of the oobc.properties.xml file contains the elements that describe how the OutOfBandChange daemon should parse the syslog file.

XML Syntax

The following example shows the XML code for the <syslog-match> element:

<syslog-match>
  <!-- Matches the most common log messages like
Apr 17 06:46:24 test_2-1 12980: Apr 17 02:46:23.318 EDT: %SYS-5-CONFIG_I: 
	Configured from console by unknown on vty0 (10.0.0.1) -->
  <log-pattern actionName="ConfigSyncIn" uowPriority="LOW" notifyName="FileNotifier">
    <pattern>([A-S][a-u][b-y]\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\[?([\.A-Za-z0-9_-]+)\]?[\.\S+]*\s+.*?SYS-5-CONFIG_I:\s(Configured\sfrom.*by\s(.*)\s+on\s(.*$))</pattern>
    <timeStampIndex>1</timeStampIndex>
    <dnsNameIndex>2</dnsNameIndex>
    <userIdIndex>4</userIdIndex>
    <descriptionIndex>3</descriptionIndex>
    <sourceHostIndex>5</sourceHostIndex>
  </log-pattern>
  <!-- this pattern matches the most common log messages like
Apr 17 11:53:24 test_3-2 12984: Apr 17 07:52:23.318 EDT:
%SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.1)
-->
  <log-pattern actionName="ConfigSyncIn" uowPriority="LOW" notifyName="FileNotifier">
    <pattern>([A-S][a-u][b-y]\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\[?([\.A-Za-z0-9_-]+)\]?[\.\S+]*\s+.*?SYS-5-CONFIG_I:\s(Configured\sfrom.*by\s(.*)\s+on\s(.*$))</pattern>
    <timeStampIndex>1</timeStampIndex>
    <dnsNameIndex>2</dnsNameIndex>
    <userIdIndex>4</userIdIndex>
    <descriptionIndex>3</descriptionIndex>
    <sourceHostIndex>5</sourceHostIndex>
  </log-pattern>
  <log-pattern actionName="Import" uowPriority="HIGH" notifyName="FileNotifier">
    <pattern>([A-S][a-u][b-y]\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\[?([\.A-Za-z0-9_-]+)\]?[\.\S+]*\s+.*?SYS-5-SUMTHIN_ELSE:\s(Configured\sfrom.*by\s(.*)\s+on\s(.*$))</pattern>
    <timeStampIndex>1</timeStampIndex>
    <dnsNameIndex>2</dnsNameIndex>
    <userIdIndex>4</userIdIndex>
    <descriptionIndex>3</descriptionIndex>
    <sourceHostIndex>5</sourceHostIndex>
  </log-pattern>
  <log-pattern actionName="Reload" uowPriority="MEDIUM" notifyName="FileNotifier">
    <pattern>([A-S][a-u][b-y]\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\[?([\.A-Za-z0-9_-]+)\]?[\.\S+]*\s+.*?SYS-5-RELOAD:\s(Reload\srequested\sby\s(.*)\s+on\s(.*$))</pattern>
    <timeStampIndex>1</timeStampIndex>
    <dnsNameIndex>2</dnsNameIndex>
    <userIdIndex>4</userIdIndex>
    <descriptionIndex>3</descriptionIndex>
    <sourceHostIndex>5</sourceHostIndex>
  </log-pattern>
</syslog-match>

Description

The <syslog-match> section of the oobc.properties.xml file gives fine control over which syslog entries are considered an 'Out-Of-Band' change, as well as which 'actions' and 'notifications' must occur because of the 'Out-Of-Band' change. There is only one <syslog-match> element, but it typically contains multiple <log-pattern> elements, one for each of the various types of entries found in a typical syslog file.

The following table describes the XML elements specified within the <syslog-match> section of the oobc.properties.xml file:

Table 1. The syslog-match XML elements in the oobc.properties.xml file
XML element Description

<syslog-match>

This is an outer wrapper element that contains one or more <log-pattern> elements.

<log-pattern>

A log-pattern describes what pattern must be matched within the syslog file before an entry is considered an 'Out-Of-Band' change event. This element has two attributes which reference other elements in this document by name. The first attribute, called actionName, is a reference to an action that must be performed.

The second attribute called notifyName is a reference to a notification that must occur if a match is made in the syslog file. For details on these references see Configure Actions and Configure Notifiers.

The third attribute, called uowPriority, indicates the priority with which the unitOfWork (UOW) is submitted. This attribute is optional. Possible values (not case sensitive) are 'LOW', 'MEDIUM' and 'HIGH'. If this attribute is not specified, or an incorrect value is specified, a default of MEDIUM is used. Because multiple 'Out-Of-Band' changes are rolled up into a single 'rollup event', and different events within the rollup event have different UOW priorities associated with them, the highest uowPriority is selected. Refer to the example above: if there are two log messages for the same device that match two of the log patterns (in this case one match for the Import action and one for the ConfigSyncIn action), the uowPriority of the action that is chosen will be HIGH. So, depending on the priority flag setting in the action, you may get a configuration sync UOW submitted with a high priority.

<pattern>

The pattern contains a regular expression, in Perl 5 syntax, describing what text to match within the syslog file. If this pattern matches an entry in the syslog file, the entry is parsed further and the appropriate 'action' and 'notification' occur. If there is no match, the syslog entry is ignored.

<timeStampIndex>

The index of the sub-expression within the 'pattern' that contains the time stamp.

Also used by the ParserThread as the number of seconds to sleep when there is no other data to read from the syslog file. After sleeping the specified number of seconds, it checks its keepRunning flag to determine whether it should continue or exit.

<dnsNameIndex>

The index of the sub-expression within the 'pattern' that contains the DNS name (or IP address) of the network device that was changed.

<userIdIndex>

The index of the sub-expression within the 'pattern' that contains the user name that caused a change to the network device.

<descriptionIndex>

The index of the sub-expression within the 'pattern' that contains the description of the change that occurred to the network device.
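
The following sketch is an added example, not code from the product: it loads a constructed <syslog-match> configuration, applies each <pattern> to constructed syslog lines, extracts the fields by their index elements, and computes the highest uowPriority per device as described for the rollup event. It assumes that Python's re module behaves like the Perl 5 syntax for these patterns, that the month class is written [b-y] so that "Apr" matches, and that the first matching pattern wins; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
HEAD = (r"([A-S][a-u][b-y]\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
        r"\[?([\.A-Za-z0-9_-]+)\]?[\.\S+]*\s+.*?")
FIELDS = ("<timeStampIndex>1</timeStampIndex><dnsNameIndex>2</dnsNameIndex><userIdIndex>4</userIdIndex>"
          "<descriptionIndex>3</descriptionIndex><sourceHostIndex>5</sourceHostIndex>")
# Constructed config in the page's format; @HEAD@ and @FIELDS@ are expanded below.
CONFIG = r"""<syslog-match>
<log-pattern actionName="ConfigSyncIn" uowPriority="low" notifyName="FileNotifier">
<pattern>@HEAD@SYS-5-CONFIG_I:\s(Configured\sfrom.*by\s(.*)\s+on\s(.*$))</pattern>@FIELDS@
</log-pattern>
<log-pattern actionName="Reload" notifyName="FileNotifier">
<pattern>@HEAD@SYS-5-RELOAD:\s(Reload\srequested\sby\s(.*)\s+on\s(.*$))</pattern>@FIELDS@
</log-pattern>
</syslog-match>""".replace("@HEAD@", HEAD).replace("@FIELDS@", FIELDS)
# Constructed syslog lines; the first follows the sample in the page's XML comment.
LINES = [
    "Apr 17 06:46:24 test_2-1 12980: Apr 17 02:46:23.318 EDT: %SYS-5-CONFIG_I: Configured from console by unknown on vty0 (10.0.0.1)",
    "Apr 17 06:50:02 test_2-1 12981: Apr 17 02:50:01.100 EDT: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.1)",
    "Apr 17 06:51:10 test_3-2 12985: Apr 17 02:51:09.000 EDT: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
]

def load_patterns(xml_text):
    rules = []
    for lp in ET.fromstring(xml_text).iter("log-pattern"):
        prio = (lp.get("uowPriority") or "").upper()  # values are not case sensitive
        idx = {c.tag[:-5]: int(c.text) for c in lp if c.tag.endswith("Index")}
        rules.append((re.compile(lp.findtext("pattern").strip()), lp.get("actionName"),
                      prio if prio in RANK else "MEDIUM", idx))  # missing/invalid -> MEDIUM
    return rules

def parse(lines, rules):
    events = []
    for line in lines:
        for rx, action, prio, idx in rules:
            if m := rx.search(line):  # entries that match no pattern are ignored
                events.append({"action": action, "priority": prio, **{k: m.group(i) for k, i in idx.items()}})
                break  # assumption: first matching pattern wins
    return events

def rollup_priority(events):
    out = {}
    for e in events:  # keep the highest priority seen for each device
        out[e["dnsName"]] = max(out.get(e["dnsName"], "LOW"), e["priority"], key=RANK.get)
    return out

EVENTS = parse(LINES, load_patterns(CONFIG))
print(rollup_priority(EVENTS))
```

Running a candidate pattern against representative lines this way shows which sub-expression each index element actually selects before the configuration is deployed.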