Spectrum South Bound Gateway not forwarding syslog events as expected

Article ID: 43985

Products

CA Spectrum

Issue/Introduction

When Spectrum receives a logMonMatchTrap trap for a syslog message and there is a valid hostname in the message, South Bound Gateway is not forwarding the event to the associated model as expected.

The following is an example of a syslog message from a logMonMatchTrap trap where the message contains a hostname (Sim15089) that corresponds to a device model in Spectrum:

"Jul 06:30:02 Sim15089 %NTP-3-STAT, server <serverHostName>, stratum 2, offset"

However, when received by Spectrum, the following events are logged:

"Apr 14, 2016 7:14:42 AM EDT xx.x.xxx.xxx "Device xx.x.xxx.xxx of type Host_systemEDGE - Error processing event 0x116002f -

Details: No device hostname, IP address or mapped target (logfile) could be found. Provided input string was:

""27 Jul 06:30:02 Sim15089 %NTP-3-STAT, server <serverHostName>, stratum 2, offset 0.000002, delay 0.02565""" System 0x3dc0000"

Environment

Release: Any version of Spectrum

Cause

Spectrum is expecting the date/time specified in the MessagePrefix to be formatted based on the BSD Syslog and Cisco IOS formats.

Resolution

Modify the date/time specified in the MessagePrefix to be formatted based on the BSD Syslog and Cisco IOS formats. The following is an example:

"Sat Jul 27 06:30:02 Sim15089 %NTP-3-STAT, server <serverHostName>, stratum 2, offset"

When the date/time is formatted as in the above example, the event is forwarded to the model in the Spectrum database that corresponds to "Sim15089" as expected.

The Spectrum documentation states the following under the Log File Syntax section:

Log File Syntax

You can monitor application logs or log files that receive data from other devices, such as Syslog files. No special syntax is required for log files that monitor application logs. However, for CA Spectrum to assert the trap information about the appropriate device model, log files that receive information from devices on the network must have the following format, which is based on the BSD Syslog and Cisco IOS format:

 

<MessagePrefix>%<MessageHeader><Additional_Information>
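
The following pre-check is an added example, not code from Spectrum or its documentation. It splits a log line at the `%` into MessagePrefix and MessageHeader and compares the prefix timestamp with the two layouts shown in this article. The function name `check_line` and the regular expressions are assumptions built only from this article's sample messages; Spectrum's own parser may accept other layouts.

```python
import re

DAYS = "Mon|Tue|Wed|Thu|Fri|Sat|Sun"
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# Layout of the article's working example: "Sat Jul 27 06:30:02 Sim15089 ".
# Assumption: only this layout is treated as good; the capture group is the hostname.
GOOD_PREFIX = re.compile(
    rf"^(?:{DAYS}) (?:{MONTHS}) +\d{{1,2}} \d\d:\d\d:\d\d (\S+)\s*$"
)
# Layout of the failing event in the article: "27 Jul 06:30:02 ...".
DAY_FIRST = re.compile(rf"^\d{{1,2}} (?:{MONTHS}) \d\d:\d\d:\d\d ")
# Cisco IOS style header as in "%NTP-3-STAT": FACILITY-SEVERITY-MNEMONIC.
HEADER = re.compile(r"^[A-Z0-9_]+-[0-7]-[A-Z0-9_]+")


def check_line(line):
    """Return (ok, hostname, reason) for one monitored log line."""
    prefix, sep, rest = line.partition("%")
    if not sep:
        return (False, None, "no '%' between MessagePrefix and MessageHeader")
    if not HEADER.match(rest):
        return (False, None, "MessageHeader is not FACILITY-SEVERITY-MNEMONIC")
    match = GOOD_PREFIX.match(prefix)
    if match:
        return (True, match.group(1), "ok")
    if DAY_FIRST.match(prefix):
        return (False, None, "day precedes month in MessagePrefix timestamp")
    return (False, None, "MessagePrefix timestamp layout not recognised")


# Sample lines taken from the messages quoted in this article.
SAMPLES = [
    "Sat Jul 27 06:30:02 Sim15089 %NTP-3-STAT, server <serverHostName>, "
    "stratum 2, offset",
    "27 Jul 06:30:02 Sim15089 %NTP-3-STAT, server <serverHostName>, "
    "stratum 2, offset 0.000002, delay 0.02565",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, host, reason = check_line(sample)
        print(f"{'PASS' if ok else 'FAIL'} host={host} reason={reason}")
        print(f"  {sample}")
```

Running it over a copy of the monitored log file before enabling the log monitor shows which lines would reach Spectrum without a recognisable hostname.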