On Oct 16, 2008, at 1:34 PM, jcurry wrote:
1) Does the Example field of an Event Mapping specify a littoral
value to match, rather then using the Rule / Regex fields to match
parameterised input? I think so.
No, the example field is only there to help you craft your regular
expression and maybe get a better understanding of what the mapping is
supposed to be matching.
2) If I use the Rule or Regex boxes of the Event Mapping dialog then
I believe I can specify exact or partial matches for various fields
of the incoming event. But many of the as-shipped Event Mappings
just have the Example box filled in. What field of the incoming
event is being matched with this Example text? Can it be changed?
In the absence of a rule and regex only the eventClassKey is required
to match for the mapping to be applied to the event. This cannot be
changed.
3) What happens to an event where the "magic parser" does not
populate the EventClassKey field?? How does it find an Event
Mapping to find an Event Class??
Events that have no eventClassKey cannot be mapped automatically from
the event console. There is a special eventClassKey called
"defaultmapping" that will be used in the absence of an eventClassKey,
but should be used sparingly due to the performance impact that having
to match many of these for each event that comes into the system would
have.
Another option to using the "defaultmapping" eventClassKey would be
use the event class transform instead to make the changes you required
to the incoming events.
4) What would I use the "Resolution" box in the Event Mapping for?
Is it effectively just another explanation box whose information can
only be seen from the Event Mapping Status / Edit dialogs - or can
it be used to help the user at an Event Console?
Any text you enter in the explanation or resolution fields will be
added to the details tab of any event that matches your mapping. This
can be used to pass additional information to your operators so that
they know what to do with specific kinds of events.
5) What implements the "magic parser"?
Events get their eventClassKey assigned differently depending on where
they're coming form. For example:
Windows Events Logs: The eventClassKey will be set to the NT Event ID.
The same one you see in the Windows event viewer. It works very well
because it is a unique key for each distinct type of event that can
occur in a Windows system.
SNMP Traps: The eventClassKey of an SNMP trap will be set to the OID
of the trap if Zenoss can't resolve the OID to a human readable name
using one of the MIBs you have loaded into the system. If the OID can
be resolved to a name, that name will be used as the eventClassKey
instead.
Syslog: These are the most complicated to get a consistent
eventClassKey from. To accomplish this, Zenoss has a list of regular
expressions that attempt to extract the eventClassKey from a number of
common source such as UNIX systems, NTSyslog and Cisco routers. You
can find this list of parsers near the top of $ZENHOME/Products/
ZenEvents/SyslogProcessing.py
6) What implements the "magic mapper"?
I probably didn't read enough of this email to understand what you
mean by magic mapper. If we're talking about actual implementation of
how the mapping and such works you should take a glance through the
following files in $ZENHOME/Products/ZenEvents/.
MySqlSendEvent.py
EventClass.py
EventClassInst.py
The really high-level overview of how this works is that
MySqlSendEvent looks up all relevant mappings using the lookup method
of EventClass, then find the first one in the sequence that matches
completely (rule or regex in addition to eventClassKey). Once the
matching mapping is found, it is applied using methods found in
EventClassInst.
7) How do I find out (print a list of) the default mapping of events
to classes? Where are they stored?
Click on the mappings tab of /Events and "show all".
_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
