Kaseya Community

Help with a log parser

This question has suggested answer(s)

I have a multi-line log file that I am trying to parse but I am having some issues with the parser template.  Here is an example of the log file:

 

2012-01-15 @ 04:22 SQL Error encountered.
Application: BRMService
Error State: S1T00
Vendor: Microsoft
Driver: ODBC SQL Server Driver
Error: Timeout expired
Last SQL String: SELECT COUNT(*) FROM master.dbo.sysdatabases WHERE name = 'BusRuleMonitor'
Last ODBC Command: Function: SQLDriverConnect

2012-01-27 @ 23:10 SQL Error encountered.
Application: BRMService
Error State: 08001
Vendor: Microsoft
Driver: SQL Server Native Client 10.0
Error: Named Pipes Provider: Could not open a connection to SQL Server [2].
Last ODBC Command: Function: SQLDriverConnect

The only thing I am interested in monitoring is the Error State.  I will monitor that error state and if it matches a certain value the alarm will be raised.  I am struggling with creating a template for this parser. I was thinking that just Error State: $errorstate$ would do the trick, but i can't seem to get it to work.  Any help would be appreciated.

 

Thanks

All Replies
  • Hi jsnair

    I think you'll need to set up your Log Parser to read the format of the log file at least up to the portion that you're interested in. It's extra work but the Log Parser is dumb and it's unable to guess which portion of the log file you're interested in unless you do it that way. For example, in the log file you posted you'd want something like:

    #DateVariable#

    Application: #ServiceVariable#

    Error State: #StateVariable#

    That's the minimum you'd need to get you the info you're looking for - in this case the state variable.

  • Needless to say, the Help file is pretty basic and useless.  It took some digging but I did find this document which is far more helpful when working with Log Parsers.

    help.kaseya.com/.../EN_LogParsers62.pdf

  • parser.JPG

    Try this :

  • I think I figured it out.. thanks!!



    deleted image
    [edited by: robbdelaney at 12:45 PM (GMT -7) on Apr 17, 2015]
  • Simple stuff works.. 

  • IMPORTANT THING TO NOTE:

    Part of the problem I was having with my XML file was, the log called <parameter> more than one time.. so the parse would never happen because there were too many instances of the same name.

  • I will post this as the answer... obviously more was added to the intial request.. but here it is:

    #get last time the powershell script was run

    $LastRunStamp = (Get-Item c:\test\lastRunStamp.txt).LastWriteTime.DateTime

    #write current timestamp to file

    Get-Date > c:\test\lastRunStamp.txt

    foreach ($file in (Get-ChildItem c:\test\*.xml))

    {

       #calculate the time difference between file modified time and last time script was run    

       $span = new-timespan -start $file.LastWriteTime.DateTime  -end $LastRunStamp

        #if the file was modified since the last time the  script run value will be less than 0    

       if($span.TotalSeconds -le 0)

       {

                   #instantiate XML document object

                   $xdoc = new-object System.Xml.XmlDocument

                   #load up the XML contents into the object

                   $xdoc.load($file)

                   #check the value of the priority XML tag if  it contains Major then write to event log

                   if ($xdoc.SelectSingleNode("//priorityname").innertext -eq 'Major')

                   {

                       #get the content of XML

                       $content = [string]([IO.File]::ReadAllText($file.FullName))

                       #mask the FQDN's

                       $content = $content.replace(".ngd.com",".censored").replace(".ad.local",".censored FQDN")

                       #regex pattern to detect IP Addresses

                       $pattern = "\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"

                       #use regex to mask IP addresses

                       $contentScrubbed = [regex]::replace($content, $pattern, "sensored IP Address")  

                       Write-EventLog –LogName Application –Source “Verint Alert” `

                       –EntryType Information –EventID 1 `

                       -Message ("Triggered Alarm") + $contentScrubbed

                   }                                  

       }

    }