Hi, thanks for your reply. It is certainly an excellent paper. I had not seen the part mentioning..
"If a Rule does not exist then the Regex must be satisfied for the mapping (and any transform) to apply." so this solves my question, thanks! jmp242 wrote: > Do you have a regex in seq 1 that would not match your events? > > See > http://www.zenoss.com/Members/jcurry/zenoss_event_management_paper.pdf/view > page 17, section 2.3.3 ... > -- > James Pulver > Information Technology Area Supervisor > LEPP Computer Group > Cornell University > > > > johnnysmithers wrote, On 3/24/2009 1:58 AM: > > > Hi, > > > > does anyone know how the defaultmapping eventClassKey works? I was under > > the impression that if no eventClassKey matches when an event comes in, the > > defaultmapping eventClassKey is used to map the event. All ok so far. Now, > > I also believe that a blank rule in a mapping matches (is true) for all > > events. This would mean that the first blank rule in my defaultmapping > > eventClassKey table should match ALL events that get this far. > > > > This is my defaultmapping table: > > > > Seq ID EventClass Evaluation > > 0 defaultmapping /Archive getattr(evt, 'agent', '') == ... > > 1 defaultmapping /Security/Login \d+ \S+ \S+ SEV=\d+... > > 2 defaultmapping /Cisco/FW \d+ \S+ \S+ SEV=\d+ ... > > 3 defaultmapping_local7 /Ignore getattr(evt, > > 'facility', ... > > 4 defaultmapping /Net > > getattr(evt,'facility',False)=='local7'... > > 5 defaultmapping /Heartbeat -- MARK -- > > 6 defaultmapping /Ignore message repeated \d+ times > > 7 defaultmapping_FileMaker /Archive getattr(evt,"... > > > > Now the sequence 0 defaultmapping has a rule in it but sequence 1 does not. > > I would expect ALL unknown events to now be mapped using this mapping. > > To my surprise i get events mapped using the sequence 3 mapping for Cisco > > syslog messages. > > > > Anyone got any ideas on why this is? > > > > Thanks in advance. > > > > > > > > > > > > > > > > _______________________________________________ > > zenoss-users mailing list > > [email protected] > > http://lists.zenoss.org/mailman/listinfo/zenoss-users > > > _______________________________________________ > zenoss-users mailing list > [email protected] > http://lists.zenoss.org/mailman/listinfo/zenoss-users -------------------- m2f -------------------- Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=32611#32611 -------------------- m2f -------------------- _______________________________________________ zenoss-users mailing list [email protected] http://lists.zenoss.org/mailman/listinfo/zenoss-users
