Werk #7085: Fixed parsing of special syslog messages which don't contain a host name

Component Event Console
Title Fixed parsing of special syslog messages which don't contain a host name
Date Feb 13, 2019
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 1.5.0p13 1.6.0b1
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required

The Event Console is now able to process syslog messages that don't contain the host name field. An example for such a message is this one:

Feb 13 08:41:07 pfsp: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET

In previous versions, such messages produced entries like the following in the Event Console log (var/log/mkeventd.log):

2019-02-13 09:41:07,338 [40] [cmk.mkeventd.EventServer] Got non-syslog message "Feb 13 08:41:07 pfsp: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET" (need more than 1 value to unpack)
Traceback (most recent call last):
  File "/omd/sites/ggmcmpp1/lib/python/cmk/ec/main.py", line 2916, in create_event_from_line
    event.update(self.parse_syslog_info(rest))
  File "/omd/sites/ggmcmpp1/lib/python/cmk/ec/main.py", line 2667, in parse_syslog_info
    tag, message = line.split(": ", 1)
ValueError: need more than 1 value to unpack
2019-02-13 09:41:07,338 [20] [cmk.mkeventd.EventServer] Parsed message:
 application:
 core_host:
 facility:       1
 host:
 host_in_downtime: False
 ipaddress:      1.23.45.67
 pid:            0
 priority:       0
 text:           Feb 13 08:41:07 pfsp: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET
 time:           1550047267.34

A fallback event was created that had no syslog fields set and contained the whole unparsed syslog message in the text field. If you have EC rules matching on this fallback event, you will have to change these rules to match the parsed event fields.

Now that the parsing has been added, events created from such a syslog message have their fields set as follows for our example:

application: pfsp
core_host:
facility: 1
host: 127.0.0.1
host_in_downtime: False
ipaddress: 127.0.0.1
pid: 0
priority: 5
text: The configuration was changed on leader blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at 2019-02-13 09:41:02 CET
time: 1550043667.0

Please note that the EC uses the sender IP address of the syslog message to populate the host field.
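
The following Python example is added here and is not taken from the Checkmk code base. It shows one way to parse a syslog line whose host name field may be missing, filling the host from the sender IP address as described above. The function name `parse_line` and the sample line `WITH_HOST` are assumptions made for this example.

```python
import re

# Constructed sample input: the hostless message from this Werk and a
# conventional line with a host name ("myhost" is made up).
HOSTLESS = ("Feb 13 08:41:07 pfsp: The configuration was changed on leader "
            "blatldc1-xxx to version 1.1366 by blatldc1-xxx/admin at "
            "2019-02-13 09:41:02 CET")
WITH_HOST = "Feb 13 08:41:07 myhost sshd[1234]: Accepted publickey for admin"

_TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
_TAG = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?$")


def parse_line(line, sender_ip):
    """Parse "<timestamp> [host] tag[pid]: text" into event fields.

    Lines that do not look like syslog yield a fallback event with the
    whole line in 'text' and no syslog fields set.
    """
    event = {"host": "", "ipaddress": sender_ip, "application": "",
             "pid": 0, "text": line}
    m = _TIMESTAMP.match(line)
    if not m:
        return event
    first, _, remainder = m.group(2).partition(" ")
    if first.endswith(":"):
        # No host name field: the first token is already the tag.
        host, tag, text = sender_ip, first[:-1], remainder
    else:
        # partition() never raises, unlike a two-value split() unpack.
        tag, sep, text = remainder.partition(": ")
        if not sep:
            return event
        host = first
    m = _TAG.match(tag)
    if not m:
        return event
    event.update(host=host, application=m.group(1),
                 pid=int(m.group(2) or 0), text=text)
    return event
```

Because the host field of a hostless message comes from the sender address, a message forwarded through a relay carries the relay's address in that field.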
