Back to your phpLogCon instanceI am currently receiving the following information in messages from EventReporter:
hostname EvntSLog: message
Is there anyway to remove the prepended "hostname EvntSLog" and only receive the message portion?
Thanks in advance for you help.
David
MonitorWare Knowledge Base
Your first source for knowledge
How to remove prepended information from message?
Moderator: alorbach
8 posts • Page 1 of 1
by alorbach on Wed Jul 27, 2005 9:01 am
Hi,
depending on what actions you are using, you can configure the message format EventReporter uses. For example if you log to a file, kindly switch to Raw Message format. Also make sure that you are NOT using the legacy format in the Eventlog Monitor Service.
best regards,
Andre Lorbach
depending on what actions you are using, you can configure the message format EventReporter uses. For example if you log to a file, kindly switch to Raw Message format. Also make sure that you are NOT using the legacy format in the Eventlog Monitor Service.
best regards,
Andre Lorbach
-
alorbach - Site Admin
- Posts: 900
- Joined: Thu Feb 13, 2003 11:55 am
by rgerhards on Wed Jul 27, 2005 12:51 pm
Hi David,
I've done a quick lab and modifying the syslog header is actually not easy with the current versions (your questions targets the header and not the message part of it).
To help me look into this issue, I would appreciate if you could let me know which system is on the receiving side and how exactly you would like the message to look - if possible including the syslog header. It would be very helpful if you could use an actual message from EventReporter, just obfuscating the information and not removing it.
I am looking forward to your feedback.
Best regards,
Rainer Gerhards
Adiscon
I've done a quick lab and modifying the syslog header is actually not easy with the current versions (your questions targets the header and not the message part of it).
To help me look into this issue, I would appreciate if you could let me know which system is on the receiving side and how exactly you would like the message to look - if possible including the syslog header. It would be very helpful if you could use an actual message from EventReporter, just obfuscating the information and not removing it.
I am looking forward to your feedback.
Best regards,
Rainer Gerhards
Adiscon
-
rgerhards - Site Admin
- Posts: 1690
- Joined: Thu Feb 13, 2003 11:57 am
More information
by dfg on Wed Jul 27, 2005 2:42 pm
- Code: Select all
Sending PC:
EventReporter 7.0.252
Service: NOT using legacy format
Action:
Message Format: %msg%
Ouput Encoding: System Default
Last 3 options (Add syslog source..., Use XML..., Forward as....) are NOT selected.
Receiving PC:
MonitorWare Agent 2.2.241
MySql 4.1.7
In the Message field of the SystemEvents table in the MySql database I see the following message "structure" for messages sent by EventReporter:
hostname EvntSLog: message
For example:
TBS2005 EvntSLog: The Removable Storage service entered the stopped state.
I would like to remove the redundant (hostname) and static (EvntSLog) and just get the actual message:
message
For example:
The Removable Storage service entered the stopped state.
Please note that I am only talking about the message portion and not the entire entity.
Thank you for your help.
David
- dfg
by therget on Wed Jul 27, 2005 5:51 pm
Hello David,
I have figured out a working configuration for you:
I will refer also to our manual of MWAgent ( Reference -> EventProperties -> Accessing Properties -> Examples ) where you have a lot of information regarding the property replacer with which we will solve your problem now:
Go to your database and count the places until your message begins. In my case there were 10 places which should be removed...
In the "Write To Database" action on the receiver side, click on the field "Message" in the tableview.
Then click on "Fieldcontent".
Here type %msg:x% where x are the spaces you want to remove/replace + 1.
Now restart the MWAgent and it will work
Regards,
Timm Herget
Adiscon
I have figured out a working configuration for you:
I will refer also to our manual of MWAgent ( Reference -> EventProperties -> Accessing Properties -> Examples ) where you have a lot of information regarding the property replacer with which we will solve your problem now:
Go to your database and count the places until your message begins. In my case there were 10 places which should be removed...
In the "Write To Database" action on the receiver side, click on the field "Message" in the tableview.
Then click on "Fieldcontent".
Here type %msg:x% where x are the spaces you want to remove/replace + 1.
Now restart the MWAgent and it will work
Regards,
Timm Herget
Adiscon
-
therget - Frequent Poster
- Posts: 79
- Joined: Thu Dec 18, 2003 12:42 pm
Looking for better solution
by dfg on Wed Jul 27, 2005 6:43 pm
Timm,
Thank you for your help. That would certainly work for this particular PC. The problem is that I have numerous Unix machines currently sending syslogs to the receiving PC....
I would have to split the "Write to DB" action up and have a unique one for each PC using EventReporter (since hostnames would be different lengths...) and another one for the Unix machines - not very ideal.
I was hoping to address the problem on the sending PC since that is where the "problem" originates - is the prepended text "hostname EvntSLog:" hardcoded with no way to suppress it?
I will probably use the above method as a last resort...
Thank you,
David
Thank you for your help. That would certainly work for this particular PC. The problem is that I have numerous Unix machines currently sending syslogs to the receiving PC....
I would have to split the "Write to DB" action up and have a unique one for each PC using EventReporter (since hostnames would be different lengths...) and another one for the Unix machines - not very ideal.
I was hoping to address the problem on the sending PC since that is where the "problem" originates - is the prepended text "hostname EvntSLog:" hardcoded with no way to suppress it?
I will probably use the above method as a last resort...
Thank you,
David
- dfg
by rgerhards on Thu Jul 28, 2005 8:02 am
David,
you are of course right, this is a work-around. There seems to be a problem with the parsing on the receiving machine (it's not an orginator issue). We are currently evaluating this. However, I have also asked Timm to find a better way to utilize the property replacer and I am sure it will work.
We keep you posted as soon as we have further information.
Rainer
you are of course right, this is a work-around. There seems to be a problem with the parsing on the receiving machine (it's not an orginator issue). We are currently evaluating this. However, I have also asked Timm to find a better way to utilize the property replacer and I am sure it will work.
We keep you posted as soon as we have further information.
Rainer
-
rgerhards - Site Admin
- Posts: 1690
- Joined: Thu Feb 13, 2003 11:57 am
by therget on Thu Jul 28, 2005 8:56 am
Hello David,
Here is the new formatting of the database field "Fieldcontent":
Now, it takes the whole message after EvntSLog, the colon and the space:
If this tag (EvntSLog: ) is not found in the message, it will write the whole message to the database field. This is important for you, because your Unix machines send syslog messages without the EvntSLog: -tag.
Please let us know if it is working or not working for you
Best Regards,
Timm Herget
Adiscon
Here is the new formatting of the database field "Fieldcontent":
- Code: Select all
%msg:/EvntSLog: /$:%
Now, it takes the whole message after EvntSLog, the colon and the space:
hostname EvntSLog: message
If this tag (EvntSLog: ) is not found in the message, it will write the whole message to the database field. This is important for you, because your Unix machines send syslog messages without the EvntSLog: -tag.
Please let us know if it is working or not working for you
Best Regards,
Timm Herget
Adiscon
-
therget - Frequent Poster
- Posts: 79
- Joined: Thu Dec 18, 2003 12:42 pm
Google Ads
8 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests
