Hi, does anyone know how the defaultmapping eventClassKey works? I was under the impression that if no eventClassKey matches when an event comes in, the defaultmapping eventClassKey is used to map the event. All ok so far. Now, I also believe that a blank rule in a mapping matches (is true) for all events. This would mean that the first blank rule in my defaultmapping eventClassKey table should match ALL events that get this far.
This is my defaultmapping table: Seq ID EventClass Evaluation 0 defaultmapping /Archive getattr(evt, 'agent', '') == ... 1 defaultmapping /Security/Login \d+ \S+ \S+ SEV=\d+... 2 defaultmapping /Cisco/FW \d+ \S+ \S+ SEV=\d+ ... 3 defaultmapping_local7 /Ignore getattr(evt, 'facility', ... 4 defaultmapping /Net getattr(evt,'facility',False)=='local7'... 5 defaultmapping /Heartbeat -- MARK -- 6 defaultmapping /Ignore message repeated \d+ times 7 defaultmapping_FileMaker /Archive getattr(evt,"... Now the sequence 0 defaultmapping has a rule in it but sequence 1 does not. I would expect ALL unknown events to now be mapped using this mapping. To my surprise i get events mapped using the sequence 3 mapping for Cisco syslog messages. Anyone got any ideas on why this is? Thanks in advance. -------------------- m2f -------------------- Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=32572#32572 -------------------- m2f -------------------- _______________________________________________ zenoss-users mailing list [email protected] http://lists.zenoss.org/mailman/listinfo/zenoss-users
