
Modify Object - Log Parser Instrumentation

The Instrumentation settings in the Log Parser Application object are used to parse information out of an existing text log file, format it, and send it to a Secure Logging Server (SLS). Text log files are parsed one line at a time. Each line must end in either a carriage return or line feed.

IMPORTANT: Changes to the Application object configuration take effect only after you restart the logging server. For more information on restarting the logging server, refer to the Novell® Audit Administration Guide.

The following sections describe each page of the Log Parser Instrumentation settings.

Hosts

A host is a server that holds one or more log files that you want included in log parsing. The log parser reads the configured log files from each host and consolidates the resulting events into a single log in the logging server's database.

Address

The IP address or DNS name of the server where the log file resides.

Total Log Files

The number of log files on that host that the log parser reads.

Description

A description of the host server entered when the host was created.

New

Click to create a new host.

For information on host configuration settings, see New/Edit Host.

Edit

To edit a host's configuration, select the box next to the host, then click Edit.

For information on host configuration settings, see New/Edit Host.

Delete

To delete a host, select the box next to the host, then click Delete.

New/Edit Host

Address

The IP address or DNS name of the server where the log file resides.

Description

A description of the host server, such as the server name.

Logfiles

A log file is a file on a server that records specified events. Each logfile tag has its own thread for scheduling and parsing the log.

Identifier

The user-defined name for the log file. This is not the filename of the log file.

Location

The directory location and filename of the log file on the target system. For example, the location of the syslog file on Red Hat* and SUSE® is generally /var/log/messages.

Description

A description of the log file entered when the log file was created.

New

Click to create a new log file.

For information on the log file configuration settings, see New/Edit Logfile.

Edit

To edit a log file's configuration, select the box next to the log file, then click Edit.

For information on the log file configuration settings, see New/Edit Logfile.

Delete

To delete a log file, select the box next to the log file, then click Delete.

Import

Click to import a log file definition, together with its line readers, from an XML configuration file. For example, if you have created a syslog log file such as syslog format1 that you want to use on another machine or share with an associate, you first export it on the original machine and then import the XML file on the other one.

Click Import and select the XML configuration file that contains the log file configuration. When the file is imported, the name (Identifier) of the imported log file is compared against the names of all currently defined log files. If a match is found, the imported definition automatically replaces the existing log file of that name, without further prompting; if no match is found, the log file is added as a new one. Because the import overwrites silently, review the contents of an XML file you did not produce yourself before importing it.

Export

Click to export the selected log file to the default download location of the browser you are using to access iManager. The export process creates an XML file from the log file and line reader configuration.

NOTE: When you enter a filename for the exported file, do not enter a file extension. The .xml extension is added automatically.

New/Edit Logfile

Logfile Configuration

Identifier

A user-defined name for the log file.

This field is not the filename of the log file, so you can enter any name that you want.

Location

The directory location and filename of the log file on the target system. For example, the path to the syslog file on Red Hat and SUSE is generally /var/log/messages.

You cannot enter wildcard characters, such as * or !; the Location must name a single file.

Description

A description of the log file, such as Application 1 Log File.

Logfile Harvest Options

Read log daily at

Specifies the hour of each day at which the log parser reads the log file. 00 is midnight.

Read log interval every

Specifies how often the log parser reads the log file, as a number of hours, minutes, or seconds.

Select the number of hours, minutes, or seconds from the drop-down lists.

Line Readers

A line reader is a tag that you configure to identify a kind of line in a log file and to say what to do with it, such as discard it or log it as an event.

Event ID

A unique value that identifies a specific type of logged event. Specify any decimal or hexadecimal value between 0 and 999.

Parse Type

Specifies how this line is to be parsed:

  • Discard: All matching lines are discarded without generating an event.

  • Tokenizer: Parses the line with a modified string tokenizer.

  • Fixed Position: Designates a fixed position parser, with each section defined by a fixed start and end position in the line.

Component

Generally the filename. The information in this field is displayed in the Component field in the database.

Description

A description of the line reader entered when the line reader was created.

New

Click to create a new line reader.

For information on line reader configuration settings, see Line Reader Wizard.

Edit

To edit a line reader's configuration, select the box next to the line reader, then click Edit.

For information on line reader configuration settings, see Line Reader Wizard.

Delete

To delete a line reader, select the box next to the line reader, then click Delete.

Line Reader Wizard

The Line Reader Wizard has four pages: Line Reader Configuration, Hardcoded Fields, Section, and Summary.

Line Reader Configuration

Parse Type

Select one of the following:

  • Discard: All matching lines are discarded without generating an event.

  • Tokenizer: Parses the line with a modified string tokenizer. Select this type if the position of the fields within a line varies from line to line.

  • Fixed Position: Designates a fixed position parser, with each section defined by a fixed start and end position in the line. Select this type if every field starts and ends at the same character positions on every line.

Description

Textual information about the line reader, such as Warning Line Reader.

Event ID (Conditional)

A hexadecimal event number that uniquely identifies each type of logged event. For more information, see Event Structure.

Use this field only for Tokenizer and Fixed Position parse types.

Component (Conditional)

A string formatted like a DOS pathname, with a backslash ( \ ) separating component parts, such as \eDirectory\Database\Lookup.

Use this field only for Tokenizer and Fixed Position parse types.

Regular Expression

Specifies the regular expression that identifies the lines this line reader handles.

When a line is read, it is tested against the regular expression of each line reader in turn until one matches. The first matching line reader parses the line; later line readers are not consulted. If no line reader's regular expression matches, the line is ignored and no event is generated.

Because ignored lines leave no trace, order the line readers from most specific to least specific, and consider adding a final catch-all line reader (a regular expression that matches any line, storing the line in the Data field) so that log entries your readers do not yet recognize still reach the logging server where you can review them.

Hardcoded Fields

In this step, you can predefine event fields that are written to the database for every event this line reader produces. The data in these fields is overridden by any section on the Section page that stores into the same field.

All hardcoded fields are optional. For more information on each of these fields, see Event Structure.

Severity

The severity of the reported event.

  • Emergency events cause the system to shut down.

  • Alert events require immediate attention.

  • Critical events might cause parts of the system to malfunction.

  • Error events are errors that can be handled by the system.

  • Warnings are negative events that do not represent a problem.

  • Notices are positive or negative events that an administrator can use to understand or improve the use and operation of the current system.

  • Info represents positive events of any importance.

  • Debug events are used by support technicians or engineers to debug the current system.

Grouping

An ID that can be used to identify related events.

Originator

Who or what caused the event to happen.

Originator Type

The predefined notation in which the Originator is represented. Defined values for this type are currently:

  • 0: None

  • 1: Slash Notation

  • 2: Dot Notation

  • 3: LDAP Notation

Target

The event target.

All eDirectory™ events store the event's object in the Target field.

Target Type

The predefined notation in which the Target is represented. Defined values for this type are currently:

  • 0: None

  • 1: Slash Notation

  • 2: Dot Notation

  • 3: LDAP Notation

Subtarget

The event subtarget.

All eDirectory events store the event's attribute in the Subtarget field.

Text1

The value of this field depends upon the event. It can contain any text string of up to 255 characters.

The Text1 field is vital to the function of the CVR driver. For more information, see CVR Channel.

Text2

The value of this field depends upon the event. It can contain any text string of up to 255 characters.

The Text2 field is vital to the function of the CVR driver. For more information, see CVR Channel.

Text3

The value of this field depends upon the event. It can contain any text string of up to 255 characters.

Value1

The value of this field depends upon the event. It can contain any 32-bit integer value.

Value2

The value of this field depends upon the event. It can contain any 32-bit integer value.

Value3

The value of this field depends upon the event. It can contain any 32-bit integer value.

Mime Hint

Identifies the type of data contained in the Data field.

Data

The value of this field depends upon the event. The default size of this field is 3072 characters.

Section

On the Section page, you define the individual sections of the line and the event field each section is stored in.

To add another section, click the plus sign at the end of a section.

To delete a section, click the minus sign at the end of the section.

Separator

The character that separates the data items in the line, such as a space.

To enter a space, press the space bar.

Separator Skip

The number of separator characters between data items in the line, such as two spaces. Select a number from 0 to 10.

Event Field

Specifies the Novell Audit event field in which this section of the line is stored.

You can select any of the fields listed on the Hardcoded Fields page, or select Discard to drop this section.

Integer Syntax (Conditional)

If this section is stored in one of the integer fields of Novell Audit, such as Severity or Grouping, select the syntax of the source text here so that the parser can convert the string to an integer:

  • Number 32bit (signed)

  • Number 32bit (unsigned)

  • Hexadecimal Number

  • RFC822 format date/time

  • IPv4 Internet Address (network order)

  • IPv4 Internet Address (host order)

  • Boolean (Yes/No)

  • Boolean (True/False)
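The following Python script is an added example, not Novell code, that models the line-reader pipeline described in the Line Reader Wizard and Section pages above: line readers are tried in order and the first whose regular expression matches wins, a Discard reader drops the line, Tokenizer and Fixed Position readers build an event from the hardcoded fields plus the section data (section data overriding the hardcoded values), and the Integer Syntax options convert section text for integer fields. The log lines, the reader definitions, the LineReader/parse_log/to_int names and the handling of Separator Skip (up to that many consecutive separator characters act as one delimiter) are assumptions made for the example; the real parser's internals are not documented on this page.

```python
"""Added example (not Novell's code): a minimal model of the line-reader
pipeline on this page. Readers are tried in order, first regex match wins,
Discard readers drop the line, Tokenizer and Fixed Position readers build an
event from hardcoded fields plus section data, and Integer Syntax converts
section text for integer fields. Log lines and readers below are constructed."""
import re
import socket
import sys
from email.utils import parsedate_to_datetime


def to_int(text, syntax):
    """Integer Syntax conversion for a section stored in an integer field."""
    if syntax == "Hexadecimal Number":
        return int(text, 16)
    if syntax == "RFC822 format date/time":            # stored as UNIX time
        return int(parsedate_to_datetime(text).timestamp())
    if syntax.startswith("IPv4"):
        order = "big" if "network" in syntax else sys.byteorder
        return int.from_bytes(socket.inet_aton(text), order)
    if syntax.startswith("Boolean"):
        yes, no = ("yes", "no") if "Yes" in syntax else ("true", "false")
        return {yes: 1, no: 0}[text.strip().lower()]
    value = int(text, 10)                               # Number 32bit (un)signed
    lo, hi = (0, 2**32 - 1) if "unsigned" in syntax else (-2**31, 2**31 - 1)
    if not lo <= value <= hi:
        raise ValueError("%r does not fit %s" % (text, syntax))
    return value


class LineReader:
    # Tokenizer sections: (event_field, integer_syntax) consumed in token order.
    # Fixed Position sections: (start, end, event_field, integer_syntax).
    # The event field "Discard" drops that section of the line.
    def __init__(self, regex, parse_type, event_id=None, component="",
                 hardcoded=None, sections=(), separator=" ", separator_skip=0):
        self.regex, self.parse_type = re.compile(regex), parse_type
        self.event_id, self.component = event_id, component
        self.hardcoded, self.sections = dict(hardcoded or {}), list(sections)
        self.separator, self.skip = separator, separator_skip

    def pieces(self, line):
        if self.parse_type == "Fixed Position":
            return [(line[s:e], f, x) for s, e, f, x in self.sections]
        # Assumption: Separator Skip n lets up to n consecutive separator
        # characters act as one delimiter, so "Jan  5" yields two tokens.
        delim = re.escape(self.separator) + "{1,%d}" % max(1, self.skip)
        tokens = re.split(delim, line)
        return [(tok, f, x) for tok, (f, x) in zip(tokens, self.sections)]

    def build_event(self, line):
        event = {"EventID": self.event_id, "Component": self.component}
        event.update(self.hardcoded)                    # predefined defaults
        for text, field, syntax in self.pieces(line):
            if field != "Discard":                      # section data overrides them
                event[field] = to_int(text, syntax) if syntax else text
        return event


def parse_log(readers, text):
    """Run each line through the readers in order; the first match wins."""
    events, stats = [], {"event": 0, "discarded": 0, "unmatched": 0}
    for line in text.splitlines():
        for reader in readers:
            if reader.regex.search(line):
                if reader.parse_type == "Discard":
                    stats["discarded"] += 1
                else:
                    events.append(reader.build_event(line))
                    stats["event"] += 1
                break
        else:
            stats["unmatched"] += 1                     # the real parser drops these silently
    return events, stats


D = ("Discard", None)
READERS = [                                             # constructed configuration
    LineReader(r"CRON\[\d+\]", "Discard"),
    LineReader(r"(Failed|Accepted) password for", "Tokenizer",
               event_id=0x010, component=r"\sshd\auth",
               hardcoded={"Severity": "Warning", "Originator": "sshd", "Text1": "auth"},
               separator=" ", separator_skip=2,
               sections=[D, D, D, ("Text2", None), D, ("Text1", None), D, D,
                         ("Target", None), D,
                         ("Value1", "IPv4 Internet Address (network order)"), D,
                         ("Value2", "Number 32bit (unsigned)")]),
    LineReader(r"\bkernel:", "Fixed Position", event_id=0x020,
               component=r"\kernel", hardcoded={"Severity": "Notice"},
               sections=[(0, 15, "Text1", None), (16, 21, "Originator", None),
                         (22, None, "Data", None)]),
]

LOG = """\
Jan  5 10:00:00 host1 sshd[2211]: Failed password for root from 10.0.0.5 port 4422 ssh2
Jan  5 10:00:03 host1 sshd[2211]: Accepted password for alice from 10.0.0.7 port 4501 ssh2
Jan  5 10:00:05 host1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Jan 15 10:00:09 host1 kernel: usb 1-1: new high-speed USB device
Jan 15 10:00:12 host1 sudo: session opened for user root
"""
```

Running parse_log(READERS, LOG) yields three events, one discarded cron line and one unmatched sudo line. The unmatched count is the figure the real product does not report: if it is non-zero on your own logs, a line reader is missing or a regular expression is too narrow. The first event also shows the hardcoded Text1 value "auth" being replaced by the token "Failed" from the Section page, and Value1 holding 10.0.0.5 as a network-order 32-bit integer.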

 

Summary

The Summary page lists the information that you entered in the Line Reader Wizard.

To modify any of the information, click Back to return to the applicable page and make the necessary changes.

When the information is correct, click Finish.

Related Topics

Consolidating Log Files

Novell Audit Help

A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For information on trademarks, see Legal Notices.
