Hi everyone, I am currently trying to figure out how to handle events. I did some testing with syslog and now I have a rough idea how zensyslog parses the syslog entries and maps them to events in zenoss. I still have some questions about this and really appreciate any help.
So far I understand: The eventclasskey usually corresponds to the program name (tag) of syslog entries. An entry like "su: FAILED SU (to root) user on /dev/pts/1" would be parsed by zensyslog and the tag su would be extracted as eventclasskey. If an eventclass with this mapping exists, the event will be classified accordingly. By modifying the rule, regex and zProperties I could customize this process.

Now some questions about this which I can't figure out.

1. Can it be configured how zensyslog finds the eventclasskey or is it always the tag?

2. How is the eventclasskey extracted for non-syslog events and how are they created? For example, I have an event which was created by zenperfsnmp with the message "Free Space 90 Percent threshold". I understand that I could modify the severity by using the zProperties, but what about triggering this event through zenperfsnmp when reaching 80%? Is that possible? Can I pass on my own events to zenoss?

3. In the admin guide, section "Applying Event and Device Context Using Event zProperties", it is said that after the event context has been applied the same happens for the device context. This application allows the DeviceClass to override the event's default values. I think that means practically that an event can be overridden by the device. For example, when the sudo event occurs on serverA then make it a different severity than on serverB. In the section in the guide this is done by looking up and processing the zProperty list zEventProperties. Unfortunately I cannot find these properties, but only the zProperties of an Event (zEventAction, zEventClearClasses, zEventSeverity), but these properties don't feel right as I cannot see a mapping to a device. So how can I tell a device to modify the event? Can someone enlighten this section a bit? Maybe I misunderstood the section completely, but all the event context and device context application is confusing.

4. Most of the events shipped with zenoss have no mapping. The event details show no eventclasskey. Is that because they are built in?

5. I understand how zensyslog creates the events, but how does that work for the other collectors? Could I configure zenperfsnmp to create custom events? (a bit like question 2)

Thank you all for your help. I know these are a lot of questions and I really searched the board to find out. Any help is welcome, maybe I just need a little hint to find out most for myself.

Nic
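The flow the post describes (program tag taken as the event class key, then a mapping lookup refined by a regex), as an added sketch in Python. It is not part of the original post and not Zenoss code; the mapping table, the class names and the severity numbers are constructed for illustration.

```python
import re

# Program tag at the start of a syslog message body: "su:", "sshd[1234]:".
TAG_RE = re.compile(
    r"^(?P<tag>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<summary>.*)$"
)

# Constructed mapping table (hypothetical class names and severities):
# event class key -> ordered list of (regex on the summary, class, severity).
MAPPINGS = {
    "su": [
        (re.compile(r"FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on"),
         "/Example/Su/Failed", 4),
        (re.compile(r".*"), "/Example/Su", 2),  # catch-all for the "su" key
    ],
}
UNKNOWN = "/Unknown"  # placeholder class for events with no matching mapping


def parse_tag(message):
    """Return (tag, pid, summary); tag is None when no program tag is present."""
    m = TAG_RE.match(message)
    if not m:
        return None, None, message
    return m.group("tag"), m.group("pid"), m.group("summary")


def classify(message):
    """Build an event dict, using the tag as eventClassKey for the lookup."""
    tag, _pid, summary = parse_tag(message)
    event = {"eventClassKey": tag, "summary": summary,
             "eventClass": UNKNOWN, "severity": None}
    # First mapping whose regex matches the summary wins.
    for regex, event_class, severity in MAPPINGS.get(tag, []):
        m = regex.search(summary)
        if m:
            event.update(eventClass=event_class, severity=severity)
            event.update(m.groupdict())  # named groups become event fields
            break
    return event


if __name__ == "__main__":
    print(classify("su: FAILED SU (to root) user on /dev/pts/1"))
```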
