Error parsing syslog messages in Spectrum if there is another "%" included in the syslog message


Article ID: 279287


Updated On: 02-15-2024

Products

Spectrum Network Observability

Issue/Introduction

Error parsing syslog messages in Spectrum if there is another "%" included in the syslog message.

The following syslog for example:

"%ALERT_FROM-1-AGILITY: ALERT_FROM_NAGIOS [CRITICAL] {'status': 'firing', 'startsAt': '2023-12-20T21:25:46.169Z', 'endsAt': '', 'iMIBLabels': {'alertId': '200011', 'alertType': '1', 'alertTime': 'Wed Dec 20 21:25:46 UTC 2023', 'alertName': 'nagiosAlertDiskUsage', 'alertSeverity': '0', 'alertEnterpriseCode': '', 'alertSiteCode': '', 'alertClusterID': '', 'alertClusterName': '', 'alertClusterVIPAddress': '', 'alertComponentName': 'XXXX', 'alertK8sIpAddress': 'XX.XX.XX.XX', 'alertMessage': 'Sum of all /: 95%used(1087483MB/1143037MB) (90%) : CRITICAL', 'alertSiteTimeZone': ''}}"

Note the "95%used" in the above syslog message.

When this syslog is processed by Spectrum, the 0x3dc0004 event is generated:

The following text was matched by the IAgent on host HOST in file SYSLOG:

"%ALERT_FROM-1-AGILITY: ALERT_FROM_NAGIOS [CRITICAL] {'status': 'firing', 'startsAt': '2023-12-20T21:25:46.169Z', 'endsAt': '', 'iMIBLabels': {'alertId': '200011', 'alertType': '1', 'alertTime': 'Wed Dec 20 21:25:46 UTC 2023', 'alertName': 'nagiosAlertDiskUsage', 'alertSeverity': '0', 'alertEnterpriseCode': '', 'alertSiteCode': '', 'alertClusterID': '', 'alertClusterName': '', 'alertClusterVIPAddress': '', 'alertComponentName': 'XXXX', 'alertK8sIpAddress': 'XX.XX.XX.XX', 'alertMessage': 'Sum of all /: 95%used(1087483MB/1143037MB) (90%) : CRITICAL', 'alertSiteTimeZone': ''}}"

No Varbind Map named "used" could be found or the map is invalid.  Check the SPECTRUM Control Panel for errors.  No additional varbinds are available.  Rtr_Cisco (name - NAMED). -

Environment

Version: Any
Component: Event and Alarms

Cause

The RegExp used by Spectrum to parse the syslog message checks for the "%" character immediately followed by other characters.

In the above example, Spectrum sees "%ALERT_FROM-1-AGILITY: ALERT_FROM_NAGIOS" as a syslog.

It also sees "%used" as the start of a separate syslog rather than as text within the syslog, which is why it then looks for a Varbind Map named "used" and raises the 0x3dc0004 event.
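The following is an added example (not Spectrum's own code; both patterns are illustrative approximations, not the RegExp Spectrum uses) that contrasts a naive "%"-anywhere match with a header-anchored one on a message modelled on the one above:

```python
import re

# Constructed sample modelled on the message quoted in this article (not the
# original line verbatim).
SAMPLE = ("%ALERT_FROM-1-AGILITY: ALERT_FROM_NAGIOS [CRITICAL] "
          "{'alertMessage': 'Sum of all /: 95%used(1087483MB/1143037MB) (90%) : CRITICAL'}")

# Naive pattern (an illustrative approximation, not Spectrum's actual RegExp):
# any "%" immediately followed by word characters is taken as a syslog mnemonic,
# so "%used" inside the body is picked up as a second "syslog".
NAIVE = re.compile(r"%(\w+)")

# Header-anchored pattern: a Cisco-style %FACILITY-SEVERITY-MNEMONIC: header
# must appear at the start of the message, with a single-digit severity (0-7)
# and a terminating colon. "95%used(" and "(90%)" cannot satisfy this shape.
HEADER = re.compile(r"^%([A-Z][A-Z0-9_]*)-([0-7])-([A-Z][A-Z0-9_]*):\s*(.*)$", re.S)


def naive_mnemonics(msg):
    """Every token the naive pattern would treat as a syslog mnemonic."""
    return NAIVE.findall(msg)


def parse_header(msg):
    """Split a message into its header fields and free-text body.

    Returns None when the message does not start with a well-formed header;
    any '%' inside the body is left alone as ordinary text.
    """
    m = HEADER.match(msg)
    if not m:
        return None
    facility, severity, mnemonic, body = m.groups()
    return {"facility": facility, "severity": int(severity),
            "mnemonic": mnemonic, "body": body}


if __name__ == "__main__":
    print(naive_mnemonics(SAMPLE))   # ['ALERT_FROM', 'used']
    print(parse_header(SAMPLE))
```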

Resolution

The syslog is coming directly from the device.

This is a very rare occurrence: it has only been seen once, for this one particular syslog message.

There are no plans to change the RegExp used to parse the syslog message to account for this.