Kaseya Community

Log Parser nightmares

  • Hello,
    I am currently trying to monitor an FTP log generated by an FTP script to see when the script completes with 0 files uploaded. A part of the log file is seen here below:

    ftp> bye
    221-You have transferred 0 bytes in 0 files.
    221-Total traffic for this session was 1590 bytes in 0 transfers.
    221-Thank you for using the FTP service on grumpy.wilshire.com.
    221 Goodbye.
    "------------------ End FTP file(s) -----------------"

    What I am attempting to do is set up a log parser that parses the bytes and files transferred during the FTP process. I have set up the following things in my log parser:

    Template:
    %transferred $b$ bytes in $f$ files.

    Parameters:
    $b$ Integer
    $f$ Integer

    I then have a parser set defined for when $f$ Equal 0

    Currently though, when I create a new log entry with 0 files transferred, I am not getting an alert as I would expect to see.

    Can someone please help??

    Thanks,
    Daryl

    Legacy Forum Name: Log Parser nightmares,
    Legacy Posted By Username: djennings
  • I too have just started to use log monitoring, and I couldn't get it to create an alert, even on a test parser that only had a number per line. I have a support request open at the moment and will let you know the outcome.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: eddy@dgs.com.au
  • TestLogParserV2.zip
    A great tool I found on this forum is attached. Use this to test your parsing script.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: nevesis
  • I guess what I get for not confirming your syntax (it's correct) is that my log parsing broke.

    I believe it broke with the roll-out of the 5.1 agent, but I noticed it immediately after reading your post. I reloaded everything to no avail.

    I put in a support ticket to Kaseya a week ago, and as usual, haven't made any progress.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: nevesis
  • Hello,

    I found that tool very helpful in that it let me know the log parser I wrote is not working. I'm getting the following:

    Parser returns "Parameter is not defined." [Error code: -3.]

    As far as I can tell, I have everything defined. Here's what mine looks like:

    Log -
    20081021909Possible_Hifrm-51020C:\Documents and Settings\Amy.LIBERTYBANK\Local Settings\Temporary Internet Files\Content.IE5\EP3054B6\acc_random=1097120866[1].HTM
    200810291032HTML_FAKEAV.SP1510C:\Documents and Settings\Amy.LIBERTYBANK\Local Settings\Temporary Internet Files\Content.IE5\FI0NJ5OP\freescan[1].htm
    200810291034Mal_FakeAV61510C:\Documents and Settings\Amy.LIBERTYBANK\Local Settings\Temporary Internet Files\Content.IE5\Y6OQHEG4\freescan[1].htm

    Template -
    $Date$$Event_Code$$Comments$$Int_1$$Int_2$$Int_3$$Directory$

    Parameter Definitions -
    $Date$ String
    $Event_Code$ Integer
    $Comments$ String
    $Int-1$ Integer
    $Int_2$ Integer
    $Int_3$ Integer
    $Directory$ String


    Any suggestions are appreciated.


    Thanks in advance,
    Tom

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: tecook7
  • Hmm... It seems that your parameters and template are correct!

    My problem is a bit different. My log parser worked fine in the Testing Tool, but still no alarm is generated.

    I noticed that the beginning of my log file does not follow the template. Could this be the problem?

    Below is the beginning of my log file:
    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2008-12-30 06:42:03
    #Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes cs-bytes time-taken
    2008-12-30 06:42:03 GET /blank.htm 127.0.0.1 200 419 146 0
    2008-12-30 06:42:03 GET /home.asp 131.94.135.130 200 6198 1304 1234
    2008-12-30 06:42:05 GET /topIndex.asp 131.94.135.130 200 11736 1352 468
    2008-12-30 06:42:05 GET /userFilterTable.asp 131.94.135.130 200 25951 1359 468
    2008-12-30 06:42:06 GET /HomeTab/navHome.asp 131.94.135.130 200 34388 1407 593


    If I take away the first four lines, my Log Parser passes the Testing Tool. Any ideas?

    For your information, here is the Template:
    $DateTime$ $Method$ $URIStem$ $ClientIP$ $ProtocolStatus$ $BytesSent$ $BytesReceived$ $TimeTaken$


    Parameters:
    Name            Type                   Date Format          UTC
    DateTime        Date Time              YYYY-MM-DD hh:mm:ss
    Method          String
    URIStem         String
    ClientIP        String
    ProtocolStatus  Unsigned Long Integer
    BytesSent       Unsigned Long Integer
    BytesReceived   Unsigned Long Integer
    TimeTaken       Unsigned Long Integer

    Thanks much!
    Masoud

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: sadjadi
  • Aaahhh! That tool is a godsend!

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: Lmhansen
  • Tom, you can only use the date field when the data is a whole timestamp (it must contain the time as well)

    Change this to a string field and things should be fine for you.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: mparr
  • mparr,

    Thank you for your reply. As you can see, I already had date set to a string (I gave up on the 'date time' parameter type). I tried changing the date field to an integer as well and I had no luck. Any other thoughts?

    I am going to test the data I am trying to parse. Perhaps the 'comments' or 'directory' parameters are too long of a string (if this is the case then the log parser would unfortunately be useless to me). I'll post if I find anything interesting.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: tecook7
  • Turns out the underscores I put in my parameters were the problem. As soon as I removed them, the parser tested successfully.

    Legacy Forum Name: Monitor Sets,
    Legacy Posted By Username: tecook7
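
An added example, not part of any post above and not Kaseya's code: a small offline checker for the FTP template from the first post and the template and parameter definitions posted by tecook7. It cross-checks every `$name$` in a template against the definition list and then tries the template against log lines. It assumes `%` matches any text and each `$name$` captures one typed field; those semantics and all function names are hypothetical.

```python
import re

# Assumed type-to-regex mapping for offline testing; an approximation,
# not the product's actual matching rules.
TYPE_RE = {"Integer": r"-?\d+", "String": r"\S+"}
TOKEN = re.compile(r"\$([^$\s]+)\$|%")  # $name$ placeholder, or % wildcard

def undefined_params(template, defs):
    """Names used as $name$ in the template that have no definition."""
    return [m.group(1) for m in TOKEN.finditer(template)
            if m.group(1) and m.group(1) not in defs]

def compile_template(template, defs):
    """Build (regex, names): $name$ captures a typed field, % is assumed
    to match any text, everything else must match literally."""
    missing = undefined_params(template, defs)
    if missing:  # wording mirrors the error quoted in the thread
        raise KeyError("Parameter is not defined: " + ", ".join(missing))
    parts, names, pos = [], [], 0
    for m in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        if m.group(1):
            names.append(m.group(1))
            parts.append("(" + TYPE_RE[defs[m.group(1)]] + ")")
        else:
            parts.append(".*?")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts) + "$"), names

def parse_line(compiled, line):
    """Return {name: text} for a matching line, or None if it does not match."""
    rx, names = compiled
    m = rx.match(line.strip())
    return dict(zip(names, m.groups())) if m else None

# Templates and definitions as posted in the thread.
FTP = compile_template("%transferred $b$ bytes in $f$ files.",
                       {"b": "Integer", "f": "Integer"})
TOM_TEMPLATE = "$Date$$Event_Code$$Comments$$Int_1$$Int_2$$Int_3$$Directory$"
TOM_DEFS = {"Date": "String", "Event_Code": "Integer", "Comments": "String",
            "Int-1": "Integer", "Int_2": "Integer", "Int_3": "Integer",
            "Directory": "String"}

if __name__ == "__main__":
    print(parse_line(FTP, "221-You have transferred 0 bytes in 0 files."))
    print(undefined_params(TOM_TEMPLATE, TOM_DEFS))
```

On the posted definitions the cross-check reports `Int_1`: the template uses `$Int_1$` while the definition list has `$Int-1$`.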