Log Definitions.


Pawel P

Sep 21, 2013, 2:59:04 PM
to logaly...@googlegroups.com
Hello, let me be the first to create a post :)
First, I wanted to congratulate the creator: Logalyze is brilliant for my needs :) You really did a great job!

However, I have a problem with creating Log Definitions. This is the only subject that is not described in the manual. I would like to create definitions for Mikrotik (RouterOS) and assign them a severity, etc.

Below are examples of Mikrotik log entries:
8:43:03 p.m. system, error, critical login failure for user root from 123.30.143.xxx via ssh

12:29:39 dhcp, critical, error dhcp alert on bridge2: discovered unknown dhcp server, mac 00:02:72:77:A6:59, ip 192.168.0.2

8:10:55 pptp, info TCP connection established from 89.xxx.xxx.xxx

5:35:25 wireless, info 10:68:3F:47:83:15 @ wlan1: disconnected, received disassoc: sending station leaving (8)

6:04:59 dhcp, info DHCP1 assigned 192.168.200.47 to 74:A7:22:64:04:7A

8:53:37 p.m. system, info, account user admin logged in from 192.168.200.100 via telnet

Can anyone show me how to create definitions for these entries?

Thanks in advance. Yours.
Paul.

PS: sorry for the machine translation.

Balazs Vamos

Sep 25, 2013, 8:45:53 AM
to logaly...@googlegroups.com
Paul,

Thank you for your mail.

Creating Log Definitions seems hard at the beginning. However, after the first few defs you will see that it is very easy.

Rules:
  • You have to create a separate Log Definition for every different type of log entry.
  • If the same log entry comes from different types of source, you can use the same Log Definition. For example, you need only one Log Definition for the Mikrotik Successful Login even if the log comes from the device over syslog or from a file, SNMP, etc.
  • Use the XSD from the conf directory; it helps a lot.

Steps:
  1. Identify your log entry. In this example: Mikrotik RouterOS Successful Login:
     8:53:37 p.m. system, info, account user admin logged in from 192.168.200.100 via telnet
     Identify the fields to parse:
    1. Date/Time: 8:53:37
    2. Source: system
    3. Log level: info
    4. Username: admin
    5. Source address: 192.168.200.100
    6. Method: telnet
  2. Copy an existing Log Definition XML or create a new file. Choose your favorite XML editor and load the XSD.
  3. Generate a UUID for the Definition (http://www.famkruithof.net/uuid/uuidgen)
  4. Add the fields section. Use common field names from the built-in Log Definitions like hostname, user, eventid, etc.
  5. Create a dfconnector. A Data Format Connector connects the logic to a Collector DF. For example, if you have a syslog DF Collector, then only the dfconnector with the attribute df="syslog" will run. So if you are collecting the logs via syslog, create a dfconnector with df="syslog".
  6. Set up the matching criteria as a regular expression.
  7. Add a parser function="regexp" and create a regexp to parse your log. Use brackets (groups) in the regexp.
    1. Inputfields is the input for the parser. In the case of syslog this is message, because the syslog collector creates a field called message from the syslog message.
    2. Outputfields are your fields. You can use all of them or some of them. Order is important. The number of outputfields must be the same as the number of brackets (groups) in your regexp.
  8. Add tags to your logdef. These tags will be added to the _tag field of the log entry.
  9. Save your logdef and put it into conf/repository or logdefinitions.xml
  10. Restart LOGalyze engine
  11. Send your log and use search to see if logs are parsed correctly.
  12. Send your questions to me :-)

Regards,


Balazs
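
The parsing step in Balazs's walkthrough (one definition per entry type, a regexp whose groups map in order onto the output fields, tags attached to the event), worked through for all six Mikrotik lines Paul quoted. This is an added example written for this thread in Python, not LOGalyze's own XML or engine code; the log lines are constructed from the ones in the post (masked addresses replaced with documentation ranges, the translator's commas and spaces in the IP and MAC undone), and the field and tag names are assumptions in the spirit of the built-in definitions, not identifiers from the product.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample entries modelled on the Mikrotik RouterOS lines quoted in
# the thread; public addresses replaced with documentation ranges and the
# machine-translation damage (commas in IPs, spaces in MACs) undone.
SAMPLE_LOGS = [
    "20:43:03 system,error,critical login failure for user root from 203.0.113.17 via ssh",
    "12:29:39 dhcp,critical,error dhcp alert on bridge2: discovered unknown dhcp server, mac 00:02:72:77:A6:59, ip 192.168.0.2",
    "20:10:55 pptp,info TCP connection established from 198.51.100.9",
    "17:35:25 wireless,info 10:68:3F:47:83:15@wlan1: disconnected, received disassoc: sending station leaving (8)",
    "18:04:59 dhcp,info DHCP1 assigned 192.168.200.47 to 74:A7:22:64:04:7A",
    "20:53:37 system,info,account user admin logged in from 192.168.200.100 via telnet",
]

# RouterOS prefixes every message with a comma-separated topic list; the
# severity words travel inside that list next to the facility-like topics.
LEVEL_ORDER = ["debug", "info", "warning", "error", "critical"]
LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<topics>[a-z0-9,]+)\s+(?P<message>.+)$")


@dataclass
class LogDef:
    """One Log Definition: matching regexp, ordered output fields, tags (names assumed)."""
    name: str
    regexp: str
    outputfields: list
    tags: list
    _re: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self._re = re.compile(self.regexp)
        # Same rule as in the thread: one output field per capture group, in order.
        if self._re.groups != len(self.outputfields):
            raise ValueError(f"{self.name}: {self._re.groups} groups but {len(self.outputfields)} outputfields")


LOGDEFS = [
    LogDef("Mikrotik RouterOS Successful Login",
           r"^user (\S+) logged in from (\S+) via (\S+)$",
           ["user", "srcaddr", "method"], ["Mikrotik", "Authentication", "Login Success"]),
    LogDef("Mikrotik RouterOS Login Failure",
           r"^login failure for user (\S+) from (\S+) via (\S+)$",
           ["user", "srcaddr", "method"], ["Mikrotik", "Authentication", "Login Failure"]),
    LogDef("Mikrotik RouterOS Rogue DHCP Server",
           r"^dhcp alert on (\S+): discovered unknown dhcp server, mac ([0-9A-Fa-f:]{17}), ip (\S+)$",
           ["interface", "srcmac", "srcaddr"], ["Mikrotik", "DHCP", "Rogue Server"]),
    LogDef("Mikrotik RouterOS DHCP Lease",
           r"^(\S+) assigned (\S+) to ([0-9A-Fa-f:]{17})$",
           ["dhcpserver", "ipaddr", "mac"], ["Mikrotik", "DHCP", "Lease"]),
    LogDef("Mikrotik RouterOS PPTP Connection",
           r"^TCP connection established from (\S+)$",
           ["srcaddr"], ["Mikrotik", "VPN", "PPTP"]),
    LogDef("Mikrotik RouterOS Wireless Disconnect",
           r"^([0-9A-Fa-f:]{17})\s*@\s*(\S+): disconnected, (.+)$",
           ["mac", "interface", "reason"], ["Mikrotik", "Wireless", "Disconnect"]),
]


def parse(line: str) -> Optional[dict]:
    """Split the RouterOS prefix, then run the first Log Definition that matches."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a RouterOS-shaped line at all
    topics = m.group("topics").split(",")
    levels = [t for t in topics if t in LEVEL_ORDER]
    event = {
        "time": m.group("time"),
        "source": next((t for t in topics if t not in LEVEL_ORDER), "unknown"),
        # keep the most severe level when several are present (e.g. "critical,error")
        "level": max(levels, key=LEVEL_ORDER.index) if levels else "info",
        "message": m.group("message"),
    }
    for ld in LOGDEFS:
        mm = ld._re.match(event["message"])
        if mm:
            event.update(zip(ld.outputfields, mm.groups()))
            event["_tag"] = list(ld.tags)
            event["logdef"] = ld.name
            return event
    # Unmatched messages are kept and tagged so they can be found and given a def later.
    event["_tag"] = ["Mikrotik", "Unparsed"]
    event["logdef"] = None
    return event


def parse_all(lines) -> list:
    return [e for e in (parse(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LOGS):
        print(ev["logdef"], {k: v for k, v in ev.items() if k not in ("message", "logdef")})
```

The group-count check in `LogDef.__post_init__` enforces the rule from step 7 at load time rather than producing silently shifted fields at search time; the RouterOS prefix is split once so each definition's regexp only has to describe the message body, which is what the syslog collector hands over as `message`.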

Pawel P

Sep 30, 2013, 2:06:42 PM
to logaly...@googlegroups.com
Thanks for the reply :) I'm working on that, but it can take some days, depending on free time. I will surely reply with the results and more questions about statistic charts ;)

Regards,
Paul. 

James Bauernfeind III

Oct 10, 2014, 1:05:34 PM
to logaly...@googlegroups.com
Balazs,
Looking for much the same; I just cannot get it to work, and maybe it is because I am defining the email portion wrong. Instead of logging to a file (which seems to work fine), I changed the event to try to send email. This is my config:
<?xml version="1.0" encoding="UTF-8"?>
<!-- the enclosing <tns:definitions ...> opening element, with its xmlns:tns declaration, was not included in the paste -->
    <tns:eventdef version="1" id="5f605790-48d9-11e4-916c-0800200c9a66">
        <tns:name>Test Event Alert</tns:name>
        <tns:description>Testing Event Monitoring with Email Alert</tns:description>
        <tns:vendor>LOGalyze</tns:vendor>
        <tns:group></tns:group>
        <tns:rule>SingleWithThreshold</tns:rule>
        <tns:criteria>
            <tns:and>
                <tns:criterion>
                    <tns:field>_tag</tns:field>
                    <tns:operator>=</tns:operator>
                    <tns:value>Network Syslog</tns:value>
                </tns:criterion>
                <tns:criterion>
                    <tns:field>_Severity</tns:field>
                    <tns:operator>=</tns:operator>
                    <tns:value>info</tns:value>
                </tns:criterion>
            </tns:and>
        </tns:criteria>
        <tns:desc>Test Sending Alerts based on TAG information</tns:desc>
        <tns:window>60</tns:window>
        <tns:thresh>3</tns:thresh>
        <tns:actions>
            <tns:action type="mail">
                <tns:prop>
                    <tns:key>to</tns:key>
                    <tns:value>em...@domain.com</tns:value>
                </tns:prop>
                <tns:prop>
                    <tns:key>subject</tns:key>
                    <!-- was "<tns:value/>": a self-closing tag instead of the closing tag, which leaves the XML malformed -->
                    <tns:value>Testing Alerting</tns:value>
                </tns:prop>
            </tns:action>
        </tns:actions>
    </tns:eventdef>
</tns:definitions>
What am I doing wrong here?

--Thanks! 

Balazs Vamos

Oct 10, 2014, 2:48:30 PM
to logaly...@googlegroups.com
James,

Are you aware that this will trigger the action only if the log entry is caught 3 times in 60 secs?

You can test with a 'single' type event: rule single, without the 'window' and 'thresh' tags.

Balazs
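
The difference Balazs points at, SingleWithThreshold firing only when the criteria are met 3 times inside 60 seconds versus single firing on every match, replayed over a constructed event stream. This is an added example written for this thread in Python, not LOGalyze's event engine; the field names `_tag` and `_Severity` and the values are taken from James's eventdef, the timestamps and the window-reset behaviour after an alert are assumptions of the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EventDef:
    """Event rule: an AND of field criteria plus an optional count-in-window threshold."""
    name: str
    criteria: dict                 # field -> required value; all must hold (the <tns:and> block)
    rule: str = "single"           # "single" fires on every match, "SingleWithThreshold" counts first
    window: int = 0                # seconds; only used by SingleWithThreshold
    thresh: int = 1                # matches needed inside the window
    _hits: deque = field(default_factory=deque, init=False, repr=False)

    def matches(self, event: dict) -> bool:
        # A tag field holds a list, so "=" means membership there and equality elsewhere.
        for fld, wanted in self.criteria.items():
            have = event.get(fld)
            if isinstance(have, list):
                if wanted not in have:
                    return False
            elif have != wanted:
                return False
        return True

    def feed(self, ts: int, event: dict) -> Optional[dict]:
        """Offer one event; return an alert dict if the action should fire, else None."""
        if not self.matches(event):
            return None
        if self.rule == "single":
            return {"eventdef": self.name, "ts": ts, "count": 1}
        self._hits.append(ts)
        # drop matches that fell out of the sliding window
        while self._hits and ts - self._hits[0] > self.window:
            self._hits.popleft()
        if len(self._hits) >= self.thresh:
            count = len(self._hits)
            self._hits.clear()  # assumption: one alert per burst, then start counting again
            return {"eventdef": self.name, "ts": ts, "count": count}
        return None


def run(eventdef: EventDef, stream) -> list:
    """Replay (timestamp, event) pairs through the rule and collect the alerts."""
    alerts = []
    for ts, ev in stream:
        alert = eventdef.feed(ts, ev)
        if alert:
            alerts.append(alert)
    return alerts


def _ev(sev="info", tag="Network Syslog"):
    return {"_tag": [tag], "_Severity": sev}


# Constructed stream: timestamps in seconds, field names taken from the eventdef above.
SAMPLE_STREAM = [
    (0, _ev()), (20, _ev()),                      # two matches, then an 80 s gap
    (30, _ev(sev="error")),                       # wrong severity, ignored by the criteria
    (100, _ev()), (110, _ev()), (120, _ev()),     # three matches within 20 s
]

THRESHOLD_RULE = EventDef("Test Event Alert", {"_tag": "Network Syslog", "_Severity": "info"},
                          rule="SingleWithThreshold", window=60, thresh=3)
SINGLE_RULE = EventDef("Test Event Alert (single)", {"_tag": "Network Syslog", "_Severity": "info"})

if __name__ == "__main__":
    print("threshold:", run(THRESHOLD_RULE, SAMPLE_STREAM))
    print("single:   ", run(SINGLE_RULE, SAMPLE_STREAM))
```

With the threshold rule the first two matches never fire because the third candidate has the wrong severity and the next match arrives 80 seconds later, outside the window; only the burst at 100, 110, 120 produces an alert. The same stream under a single rule produces five alerts, which is why a single rule is the quicker way to prove the mail action itself works before testing the counting.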

James Bauernfeind III

Oct 10, 2014, 3:05:33 PM
to logaly...@googlegroups.com
Balazs,
Yes, I am aware of that... I was even forcing the event to happen, forcing something like 20 events a minute. The premise was that I want the trigger to happen as it would outside of a "testing" scenario. I could definitely make it a single event trigger for testing; that is a good suggestion. What about the email part, though? When replaced with logging to a file, it seems to work just fine. When set to go to email as I have above, no email is sent.

Let me know what I need to change.

--James

James Bauernfeind III

Nov 4, 2014, 12:32:00 PM
to logaly...@googlegroups.com
Balazs,
Still no update for sending emails? Can you provide a working sample that will send the email as designed so I can create working events that will trigger the same?

--James